
Windows Analysis Report
g0dvHLi4bP

Overview

General Information

Sample Name: g0dvHLi4bP (renamed file extension from none to exe)
Analysis ID: 620365
MD5: 4c414b473bccbbce2c7cde00248ea1a1
SHA1: 77bf848d5a1d4d0fdc252aa170e7b8af19bcc012
SHA256: 7bb212946fdeb406c7aa8f691405d185065514d5dc1f269f8e409762ff9f6915
Tags: 32exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • g0dvHLi4bP.exe (PID: 7044 cmdline: "C:\Users\user\Desktop\g0dvHLi4bP.exe" MD5: 4C414B473BCCBBCE2C7CDE00248EA1A1)
    • powershell.exe (PID: 5868 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyfhOEwABQlG.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 3064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 5864 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyfhOEwABQlG" /XML "C:\Users\user\AppData\Local\Temp\tmpF6C5.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • g0dvHLi4bP.exe (PID: 5432 cmdline: C:\Users\user\Desktop\g0dvHLi4bP.exe MD5: 4C414B473BCCBBCE2C7CDE00248EA1A1)
  • AheGmkp.exe (PID: 6920 cmdline: "C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe" MD5: 4C414B473BCCBBCE2C7CDE00248EA1A1)
    • powershell.exe (PID: 7028 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyfhOEwABQlG.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 4952 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyfhOEwABQlG" /XML "C:\Users\user\AppData\Local\Temp\tmp972C.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • AheGmkp.exe (PID: 6104 cmdline: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe MD5: 4C414B473BCCBBCE2C7CDE00248EA1A1)
    • AheGmkp.exe (PID: 5944 cmdline: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe MD5: 4C414B473BCCBBCE2C7CDE00248EA1A1)
    • AheGmkp.exe (PID: 7068 cmdline: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe MD5: 4C414B473BCCBBCE2C7CDE00248EA1A1)
  • AheGmkp.exe (PID: 6188 cmdline: "C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe" MD5: 4C414B473BCCBBCE2C7CDE00248EA1A1)
  • cleanup
{"Exfil Mode": "SMTP", "Username": "Az@gcmce.com", "Password": "   DANIEL3116", "Host": "us2.smtp.mailhostbox.com"}
Source | Rule | Description | Author | Strings
Source: 00000018.00000000.596334236.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000018.00000000.596334236.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_2 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000018.00000000.595827903.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000018.00000000.595827903.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_2 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000000.00000002.501848453.00000000029C1000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AntiVM_3 | Description: Yara detected AntiVM_3 | Author: Joe Security
Source | Rule | Description | Author | Strings
Source: 24.0.AheGmkp.exe.400000.12.unpack | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 24.0.AheGmkp.exe.400000.12.unpack | Rule: JoeSecurity_AgentTesla_2 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 24.0.AheGmkp.exe.400000.12.unpack | Rule: MALWARE_Win_AgentTeslaV3 | Description: AgentTeslaV3 infostealer payload | Author: ditekSHen | Strings:
  • 0x32a97:$s10: logins
  • 0x324fe:$s11: credential
  • 0x2eb12:$g1: get_Clipboard
  • 0x2eb20:$g2: get_Keyboard
  • 0x2eb2d:$g3: get_Password
  • 0x2fe0c:$g4: get_CtrlKeyDown
  • 0x2fe1c:$g5: get_ShiftKeyDown
  • 0x2fe2d:$g6: get_AltKeyDown
Source: 0.2.g0dvHLi4bP.exe.3b7d998.8.unpack | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 0.2.g0dvHLi4bP.exe.3b7d998.8.unpack | Rule: JoeSecurity_AgentTesla_2 | Description: Yara detected AgentTesla | Author: Joe Security
No Sigma rule has matched
No Snort rule has matched



AV Detection

Source: 8.0.g0dvHLi4bP.exe.400000.12.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "Az@gcmce.com", "Password": " DANIEL3116", "Host": "us2.smtp.mailhostbox.com"}
Source: g0dvHLi4bP.exe | ReversingLabs: Detection: 30%
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | ReversingLabs: Detection: 30%
Source: C:\Users\user\AppData\Roaming\lyfhOEwABQlG.exe | ReversingLabs: Detection: 30%
Source: g0dvHLi4bP.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\lyfhOEwABQlG.exe | Joe Sandbox ML: detected
Source: 8.0.g0dvHLi4bP.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: 24.0.AheGmkp.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: 24.0.AheGmkp.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 24.0.AheGmkp.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: 24.2.AheGmkp.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 8.0.g0dvHLi4bP.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 24.0.AheGmkp.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 8.0.g0dvHLi4bP.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 8.0.g0dvHLi4bP.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: 8.0.g0dvHLi4bP.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: 24.0.AheGmkp.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: 8.2.g0dvHLi4bP.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: g0dvHLi4bP.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: g0dvHLi4bP.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: global traffic | TCP traffic: 192.168.2.5:49782 -> 162.222.225.16:587
Source: global traffic | TCP traffic: 192.168.2.5:49799 -> 162.222.225.29:587
                    Source: g0dvHLi4bP.exe, 00000008.00000002.705876237.000000000337A000.00000004.00000800.00020000.00000000.sdmp, AheGmkp.exe, 00000018.00000003.646298713.0000000001425000.00000004.00000020.00020000.00000000.sdmp, AheGmkp.exe, 00000018.00000002.706376253.00000000033E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://sectigo.com/CPS0
                    Source: g0dvHLi4bP.exe, 00000008.00000002.704236786.0000000003021000.00000004.00000800.00020000.00000000.sdmp, AheGmkp.exe, 00000018.00000002.705211628.0000000003091000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
                    Source: unknownDNS traffic detected: queries for: us2.smtp.mailhostbox.com

                    System Summary

                    Source: 24.0.AheGmkp.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.g0dvHLi4bP.exe.3b7d998.8.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 24.0.AheGmkp.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 24.0.AheGmkp.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 24.2.AheGmkp.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 12.2.AheGmkp.exe.3d4d998.7.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 12.2.AheGmkp.exe.3d19378.8.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 8.0.g0dvHLi4bP.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 24.0.AheGmkp.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 8.0.g0dvHLi4bP.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 8.0.g0dvHLi4bP.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.g0dvHLi4bP.exe.3b49378.6.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 12.2.AheGmkp.exe.3d4d998.7.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 12.2.AheGmkp.exe.3d4d998.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
                    Source: 0.2.g0dvHLi4bP.exe.3b7d998.8.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.g0dvHLi4bP.exe.3b7d998.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
                    Source: 8.0.g0dvHLi4bP.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 8.0.g0dvHLi4bP.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 24.0.AheGmkp.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.g0dvHLi4bP.exe.3b49378.6.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.g0dvHLi4bP.exe.3b49378.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
                    Source: 8.2.g0dvHLi4bP.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 12.2.AheGmkp.exe.3ce2f58.6.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 12.2.AheGmkp.exe.3ce2f58.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
                    Source: 0.2.g0dvHLi4bP.exe.3b12f58.7.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.g0dvHLi4bP.exe.3b12f58.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
                    Source: 12.2.AheGmkp.exe.3d19378.8.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 12.2.AheGmkp.exe.3d19378.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
                    Source: 15.2.AheGmkp.exe.32428cc.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
                    Source: 8.0.g0dvHLi4bP.exe.400000.12.unpack, <PrivateImplementationDetails>{DA35114E-5E6A-4ED1-A357-2182AE57DC38}/400062A7-B85F-4985-86CA-D71D3FFC1C98.cs | Large array initialization: .cctor: array initializer size 11591
                    Source: 8.0.g0dvHLi4bP.exe.400000.6.unpack, <PrivateImplementationDetails>{DA35114E-5E6A-4ED1-A357-2182AE57DC38}/400062A7-B85F-4985-86CA-D71D3FFC1C98.cs | Large array initialization: .cctor: array initializer size 11591
                    Source: 8.0.g0dvHLi4bP.exe.400000.4.unpack, <PrivateImplementationDetails>{DA35114E-5E6A-4ED1-A357-2182AE57DC38}/400062A7-B85F-4985-86CA-D71D3FFC1C98.cs | Large array initialization: .cctor: array initializer size 11591
                    Source: 8.0.g0dvHLi4bP.exe.400000.10.unpack, <PrivateImplementationDetails>{DA35114E-5E6A-4ED1-A357-2182AE57DC38}/400062A7-B85F-4985-86CA-D71D3FFC1C98.cs | Large array initialization: .cctor: array initializer size 11591
                    Source: 8.0.g0dvHLi4bP.exe.400000.8.unpack, <PrivateImplementationDetails>{DA35114E-5E6A-4ED1-A357-2182AE57DC38}/400062A7-B85F-4985-86CA-D71D3FFC1C98.cs | Large array initialization: .cctor: array initializer size 11591
                    Source: 8.2.g0dvHLi4bP.exe.400000.0.unpack, <PrivateImplementationDetails>{DA35114E-5E6A-4ED1-A357-2182AE57DC38}/400062A7-B85F-4985-86CA-D71D3FFC1C98.cs | Large array initialization: .cctor: array initializer size 11591
                    Source: g0dvHLi4bP.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                    Source: 24.0.AheGmkp.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.g0dvHLi4bP.exe.3b7d998.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 24.0.AheGmkp.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 24.0.AheGmkp.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 24.2.AheGmkp.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 12.2.AheGmkp.exe.3d4d998.7.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 12.2.AheGmkp.exe.3d19378.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 8.0.g0dvHLi4bP.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 24.0.AheGmkp.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 8.0.g0dvHLi4bP.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 8.0.g0dvHLi4bP.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.g0dvHLi4bP.exe.3b49378.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 12.2.AheGmkp.exe.3d4d998.7.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 12.2.AheGmkp.exe.3d4d998.7.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                    Source: 0.2.g0dvHLi4bP.exe.3b7d998.8.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.g0dvHLi4bP.exe.3b7d998.8.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                    Source: 8.0.g0dvHLi4bP.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 8.0.g0dvHLi4bP.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 24.0.AheGmkp.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.g0dvHLi4bP.exe.3b49378.6.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.g0dvHLi4bP.exe.3b49378.6.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                    Source: 8.2.g0dvHLi4bP.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 12.2.AheGmkp.exe.3ce2f58.6.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 12.2.AheGmkp.exe.3ce2f58.6.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                    Source: 0.2.g0dvHLi4bP.exe.3b12f58.7.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.g0dvHLi4bP.exe.3b12f58.7.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                    Source: 12.2.AheGmkp.exe.3d19378.8.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 12.2.AheGmkp.exe.3d19378.8.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                    Source: 15.2.AheGmkp.exe.32428cc.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Code function: 0_2_00FCC344
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Code function: 0_2_00FCE770
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Code function: 0_2_00FCE760
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Code function: 0_2_0701F788
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Code function: 8_2_0158F080
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Code function: 8_2_0158F3C8
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Code function: 8_2_01586120
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Code function: 8_2_0637BE38
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Code function: 8_2_06371FF8
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Code function: 8_2_0637CB88
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Code function: 8_2_06370040
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Code function: 8_2_067E1D40
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Code function: 12_2_00FEC344
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Code function: 12_2_00FEE770
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Code function: 12_2_00FEE760
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Code function: 12_2_05556D10
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Code function: 12_2_05556D20
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Code function: 12_2_05556FA7
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Code function: 12_2_055586F0
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Code function: 12_2_055586E0
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Code function: 12_2_05550040
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Code function: 12_2_05550006
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Code function: 12_2_05552B30
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Code function: 12_2_06E10628
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Code function: 12_2_06E15338
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Code function: 12_2_06E10040
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Code function: 12_2_06E15E10
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Code function: 12_2_06E1ACE8
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Code function: 12_2_06E1532A
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Code function: 12_2_06E14CE7
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Code function: 12_2_06E14CF8
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Code function: 12_2_06E1ACD8
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Code function: 12_2_06E1A8C0
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Code function: 12_2_06E1A8B0
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Code function: 12_2_05556FB8
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Code function: 15_2_0157C344
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Code function: 15_2_0157E770
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Code function: 15_2_0157E760
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Code function: 15_2_07640040
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Code function: 15_2_07640006
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Code function: String function: 06375A58 appears 54 times
                    Source: g0dvHLi4bP.exe, 00000000.00000002.501848453.00000000029C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWMEDMOaagJLPDneJpcUggQefG.exe4 vs g0dvHLi4bP.exe
                    Source: g0dvHLi4bP.exe, 00000000.00000000.429966155.00000000006A6000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamePolicyExcept.exe4 vs g0dvHLi4bP.exe
                    Source: g0dvHLi4bP.exe, 00000000.00000002.509064718.0000000007290000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs g0dvHLi4bP.exe
                    Source: g0dvHLi4bP.exe, 00000000.00000002.504524116.0000000003B12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWMEDMOaagJLPDneJpcUggQefG.exe4 vs g0dvHLi4bP.exe
                    Source: g0dvHLi4bP.exe, 00000000.00000002.504524116.0000000003B12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs g0dvHLi4bP.exe
                    Source: g0dvHLi4bP.exe, 00000000.00000002.508641286.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamePoolWait.dll" vs g0dvHLi4bP.exe
                    Source: g0dvHLi4bP.exe, 00000008.00000000.487866911.0000000000C56000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamePolicyExcept.exe4 vs g0dvHLi4bP.exe
                    Source: g0dvHLi4bP.exe, 00000008.00000000.488270274.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWMEDMOaagJLPDneJpcUggQefG.exe4 vs g0dvHLi4bP.exe
                    Source: g0dvHLi4bP.exe, 00000008.00000002.697117063.0000000000DE9000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs g0dvHLi4bP.exe
                    Source: g0dvHLi4bP.exe | Binary or memory string: OriginalFilenamePolicyExcept.exe4 vs g0dvHLi4bP.exe
                    Source: g0dvHLi4bP.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: lyfhOEwABQlG.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: AheGmkp.exe.8.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: g0dvHLi4bP.exe | ReversingLabs: Detection: 30%
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | File read: C:\Users\user\Desktop\g0dvHLi4bP.exe
                    Source: g0dvHLi4bP.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: unknown | Process created: C:\Users\user\Desktop\g0dvHLi4bP.exe "C:\Users\user\Desktop\g0dvHLi4bP.exe"
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyfhOEwABQlG.exe
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyfhOEwABQlG" /XML "C:\Users\user\AppData\Local\Temp\tmpF6C5.tmp
                    Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Process created: C:\Users\user\Desktop\g0dvHLi4bP.exe C:\Users\user\Desktop\g0dvHLi4bP.exe
                    Source: unknown | Process created: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe "C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe"
                    Source: unknown | Process created: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe "C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe"
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyfhOEwABQlG.exe
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyfhOEwABQlG" /XML "C:\Users\user\AppData\Local\Temp\tmp972C.tmp
                    Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Process created: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Process created: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Process created: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyfhOEwABQlG.exe
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyfhOEwABQlG" /XML "C:\Users\user\AppData\Local\Temp\tmpF6C5.tmp
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Process created: C:\Users\user\Desktop\g0dvHLi4bP.exe C:\Users\user\Desktop\g0dvHLi4bP.exe
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyfhOEwABQlG.exe
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyfhOEwABQlG" /XML "C:\Users\user\AppData\Local\Temp\tmp972C.tmp
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Process created: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Process created: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Process created: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | File created: C:\Users\user\AppData\Roaming\lyfhOEwABQlG.exe
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | File created: C:\Users\user\AppData\Local\Temp\tmpF6C5.tmp
                    Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@23/15@2/3
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | File read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6684:120:WilError_01
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6388:120:WilError_01
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Mutant created: \Sessions\1\BaseNamedObjects\btLgVXXoNVGzXvelqauFUkXSa
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5324:120:WilError_01
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3064:120:WilError_01
                    Source: 8.0.g0dvHLi4bP.exe.400000.12.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 8.0.g0dvHLi4bP.exe.400000.12.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 8.0.g0dvHLi4bP.exe.400000.6.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 8.0.g0dvHLi4bP.exe.400000.6.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 8.0.g0dvHLi4bP.exe.400000.4.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 8.0.g0dvHLi4bP.exe.400000.4.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | File read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | File read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | File read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | File read: C:\Windows\System32\drivers\etc\hosts
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: g0dvHLi4bP.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: g0dvHLi4bP.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                    Source: g0dvHLi4bP.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

                    Data Obfuscation

                    Source: g0dvHLi4bP.exe, loginForm.cs | .Net Code: ___________________________________________________ System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                    Source: lyfhOEwABQlG.exe.0.dr, loginForm.cs | .Net Code: ___________________________________________________ System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                    Source: AheGmkp.exe.8.dr, loginForm.cs | .Net Code: ___________________________________________________ System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                    Source: g0dvHLi4bP.exe, loginForm.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "54657874526561", "31567373", "Client" } }, null, null)
                    Source: lyfhOEwABQlG.exe.0.dr, loginForm.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "54657874526561", "31567373", "Client" } }, null, null)
                    Source: AheGmkp.exe.8.dr, loginForm.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "54657874526561", "31567373", "Client" } }, null, null)
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Code function: 8_2_0637BD83 push es; ret 8_2_0637BD90
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Code function: 8_2_06373139 push es; iretd 8_2_0637313C
                    Source: g0dvHLi4bP.exe | Static PE information: 0xD8BB75AE [Fri Mar 23 05:33:34 2085 UTC]
                    Source: initial sample | Static PE information: section name: .text entropy: 7.97222784974
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | File created: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | File created: C:\Users\user\AppData\Roaming\lyfhOEwABQlG.exe

                    Boot Survival

                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyfhOEwABQlG" /XML "C:\Users\user\AppData\Local\Temp\tmpF6C5.tmp
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run AheGmkp

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | File opened: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe:Zone.Identifier read attributes | delete
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match | File source: 15.2.AheGmkp.exe.32428cc.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.501848453.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000F.00000002.594985042.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.502149951.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000C.00000002.603631401.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000C.00000002.604682206.0000000002D5C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: g0dvHLi4bP.exe PID: 7044, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: AheGmkp.exe PID: 6920, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: AheGmkp.exe PID: 6188, type: MEMORYSTR
                    Source: g0dvHLi4bP.exe, 00000000.00000002.501848453.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000002.502149951.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, AheGmkp.exe, 0000000C.00000002.603631401.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, AheGmkp.exe, 0000000C.00000002.604682206.0000000002D5C000.00000004.00000800.00020000.00000000.sdmp, AheGmkp.exe, 0000000F.00000002.594985042.00000000031F1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                    Source: g0dvHLi4bP.exe, 00000000.00000002.501848453.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000002.502149951.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, AheGmkp.exe, 0000000C.00000002.603631401.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, AheGmkp.exe, 0000000C.00000002.604682206.0000000002D5C000.00000004.00000800.00020000.00000000.sdmp, AheGmkp.exe, 0000000F.00000002.594985042.00000000031F1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe TID: 7048 | Thread sleep time: -45733s >= -30000s
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe TID: 7080 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe TID: 6344 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4968 | Thread sleep time: -6456360425798339s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6404 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe TID: 7024 | Thread sleep time: -23058430092136925s >= -30000s
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe TID: 1500 | Thread sleep count: 5232 > 30
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe TID: 1500 | Thread sleep count: 3710 > 30
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe TID: 6924 | Thread sleep time: -45733s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe TID: 5556 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe TID: 6160 | Thread sleep time: -45733s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe TID: 3976 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4612 | Thread sleep time: -10145709240540247s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4912 | Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe TID: 3448 | Thread sleep time: -21213755684765971s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe TID: 4468 | Thread sleep count: 6053 > 30
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe TID: 4468 | Thread sleep count: 2689 > 30
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5926
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 496
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Window / User API: threadDelayed 5232
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Window / User API: threadDelayed 3710
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3847
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Window / User API: threadDelayed 6053
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Window / User API: threadDelayed 2689
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Thread delayed: delay time: 45733
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Thread delayed: delay time: 45733
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Thread delayed: delay time: 45733
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Thread delayed: delay time: 922337203685477
                    Source: AheGmkp.exe, 0000000F.00000002.594985042.00000000031F1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: AheGmkp.exe, 0000000F.00000002.594985042.00000000031F1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
                    Source: g0dvHLi4bP.exe, 00000000.00000002.510129659.00000000075EE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53
                    Source: AheGmkp.exe, 0000000F.00000002.594985042.00000000031F1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
                    Source: AheGmkp.exe, 00000018.00000003.646298713.0000000001425000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: AheGmkp.exe, 0000000F.00000002.594985042.00000000031F1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Process token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Process token adjusted: Debug
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Process token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Memory written: C:\Users\user\Desktop\g0dvHLi4bP.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Memory written: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyfhOEwABQlG.exe
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyfhOEwABQlG.exe
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyfhOEwABQlG.exe
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyfhOEwABQlG.exe
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyfhOEwABQlG.exe
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyfhOEwABQlG" /XML "C:\Users\user\AppData\Local\Temp\tmpF6C5.tmp
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Process created: C:\Users\user\Desktop\g0dvHLi4bP.exe C:\Users\user\Desktop\g0dvHLi4bP.exe
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyfhOEwABQlG.exe
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyfhOEwABQlG" /XML "C:\Users\user\AppData\Local\Temp\tmp972C.tmp
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Process created: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Users\user\Desktop\g0dvHLi4bP.exe VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Users\user\Desktop\g0dvHLi4bP.exe VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Queries volume information: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Queries volume information: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Code function: 8_2_06374EBC GetUserNameW,8_2_06374EBC

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 24.0.AheGmkp.exe.400000.12.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.g0dvHLi4bP.exe.3b7d998.8.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 24.0.AheGmkp.exe.400000.8.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 24.0.AheGmkp.exe.400000.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 24.2.AheGmkp.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 12.2.AheGmkp.exe.3d4d998.7.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 12.2.AheGmkp.exe.3d19378.8.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.0.g0dvHLi4bP.exe.400000.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 24.0.AheGmkp.exe.400000.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.0.g0dvHLi4bP.exe.400000.12.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.0.g0dvHLi4bP.exe.400000.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.g0dvHLi4bP.exe.3b49378.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 12.2.AheGmkp.exe.3d4d998.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.g0dvHLi4bP.exe.3b7d998.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.0.g0dvHLi4bP.exe.400000.10.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.0.g0dvHLi4bP.exe.400000.8.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 24.0.AheGmkp.exe.400000.10.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.g0dvHLi4bP.exe.3b49378.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.2.g0dvHLi4bP.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 12.2.AheGmkp.exe.3ce2f58.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.g0dvHLi4bP.exe.3b12f58.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 12.2.AheGmkp.exe.3d19378.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000018.00000000.596334236.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000018.00000000.595827903.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000018.00000000.596964511.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000000.487111726.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000000.488270274.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000000.487666234.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000000.489038629.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000018.00000002.696078477.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000C.00000002.606786408.0000000003CE2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.504524116.0000000003B12000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000018.00000000.595144687.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.696067771.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000018.00000002.705211628.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.704236786.0000000003021000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: g0dvHLi4bP.exe PID: 7044, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: g0dvHLi4bP.exe PID: 5432, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: AheGmkp.exe PID: 6920, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: AheGmkp.exe PID: 7068, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe, File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe, Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe, File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe, Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe, Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe, Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe, File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe, File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

                    Remote Access Functionality

                    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                    Valid Accounts | 211 Windows Management Instrumentation | 1 Scheduled Task/Job | 111 Process Injection | 11 Disable or Modify Tools | 2 OS Credential Dumping | 1 Account Discovery | Remote Services | 11 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                    Default Accounts | 1 Scheduled Task/Job | 1 Registry Run Keys / Startup Folder | 1 Scheduled Task/Job | 11 Deobfuscate/Decode Files or Information | 1 Credentials in Registry | 1 File and Directory Discovery | Remote Desktop Protocol | 2 Data from Local System | Exfiltration Over Bluetooth | 1 Non-Standard Port | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                    Domain Accounts | At (Linux) | Logon Script (Windows) | 1 Registry Run Keys / Startup Folder | 3 Obfuscated Files or Information | Security Account Manager | 114 System Information Discovery | SMB/Windows Admin Shares | 1 Email Collection | Automated Exfiltration | 1 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                    Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 23 Software Packing | NTDS | 1 Query Registry | Distributed Component Object Model | Input Capture | Scheduled Transfer | 11 Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud
                    Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Timestomp | LSA Secrets | 311 Security Software Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                    Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Masquerading | Cached Domain Credentials | 1 Process Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                    External Remote Services | Scheduled Task | Startup Items | Startup Items | 131 Virtualization/Sandbox Evasion | DCSync | 131 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                    Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 111 Process Injection | Proc Filesystem | 1 Application Window Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
                    Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | 1 Hidden Files and Directories | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
                    Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | 1 Remote System Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact
                    Behavior Graph
                    ID: 620365
                    Sample: g0dvHLi4bP
                    Start date: 04/05/2022
                    Architecture: WINDOWS
                    Score: 100

                    Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 9 other signatures

                    Process tree recovered from the graph:
                    • g0dvHLi4bP.exe (started from the sample)
                      • Dropped files: C:\Users\user\AppData\...\lyfhOEwABQlG.exe (PE32); C:\Users\...\lyfhOEwABQlG.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmpF6C5.tmp (XML); C:\Users\user\AppData\...\g0dvHLi4bP.exe.log (ASCII)
                      • Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Uses schtasks.exe or at.exe to add and modify task schedules; Injects a PE file into a foreign processes
                      • g0dvHLi4bP.exe (child process, started)
                        • Network: us2.smtp.mailhostbox.com 162.222.225.16, ports 49782, 587, PUBLIC-DOMAIN-REGISTRYUS, United States; 192.168.2.1 (unknown)
                        • Dropped files: C:\Users\user\AppData\Roaming\...\AheGmkp.exe (PE32); C:\Users\user\...\AheGmkp.exe:Zone.Identifier (ASCII)
                        • Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Hides that the sample has been downloaded from the Internet (zone.identifier)
                      • powershell.exe (started)
                        • conhost.exe (started)
                      • schtasks.exe (started)
                        • conhost.exe (started)
                    • AheGmkp.exe (started from the sample)
                      • Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Adds a directory exclusion to Windows Defender
                      • AheGmkp.exe (child process, started)
                        • Network: 162.222.225.29, ports 49799, 587, PUBLIC-DOMAIN-REGISTRYUS, United States
                        • Signatures: Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
                      • powershell.exe (started)
                        • conhost.exe (started)
                      • schtasks.exe (started)
                        • conhost.exe (started)
                      • 2 other processes
                    • AheGmkp.exe (second instance, started from the sample)



                    Source | Detection | Scanner | Label | Link
                    g0dvHLi4bP.exe | 31% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |
                    g0dvHLi4bP.exe | 100% | Joe Sandbox ML | |

                    Source | Detection | Scanner | Label | Link
                    C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | 100% | Joe Sandbox ML | |
                    C:\Users\user\AppData\Roaming\lyfhOEwABQlG.exe | 100% | Joe Sandbox ML | |
                    C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | 31% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |
                    C:\Users\user\AppData\Roaming\lyfhOEwABQlG.exe | 31% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |
                    Source | Detection | Scanner | Label | Link
                    8.0.g0dvHLi4bP.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8 |
                    24.0.AheGmkp.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8 |
                    24.0.AheGmkp.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8 |
                    24.0.AheGmkp.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8 |
                    24.2.AheGmkp.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8 |
                    8.0.g0dvHLi4bP.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8 |
                    24.0.AheGmkp.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8 |
                    8.0.g0dvHLi4bP.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8 |
                    8.0.g0dvHLi4bP.exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen8 |
                    8.0.g0dvHLi4bP.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8 |
                    24.0.AheGmkp.exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen8 |
                    8.2.g0dvHLi4bP.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8 |
                    No Antivirus matches
                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    us2.smtp.mailhostbox.com | 162.222.225.16 | true | false | | high
                      NameSourceMaliciousAntivirus DetectionReputation
                      https://Iq79XHPURIYANir.orgAheGmkp.exe, 00000018.00000002.706330970.00000000033DC000.00000004.00000800.00020000.00000000.sdmp, AheGmkp.exe, 00000018.00000002.706504468.0000000003412000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://127.0.0.1:HTTP/1.1g0dvHLi4bP.exe, 00000008.00000002.704236786.0000000003021000.00000004.00000800.00020000.00000000.sdmp, AheGmkp.exe, 00000018.00000002.705211628.0000000003091000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      low
                      http://www.fontbureau.com/designersGg0dvHLi4bP.exe, 00000000.00000002.507828493.0000000006C12000.00000004.00000800.00020000.00000000.sdmpfalse
                        high
                        http://www.fontbureau.com/designers/?g0dvHLi4bP.exe, 00000000.00000002.507828493.0000000006C12000.00000004.00000800.00020000.00000000.sdmpfalse
                          high
                          http://www.founder.com.cn/cn/bTheg0dvHLi4bP.exe, 00000000.00000002.507828493.0000000006C12000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://us2.smtp.mailhostbox.comg0dvHLi4bP.exe, 00000008.00000002.705876237.000000000337A000.00000004.00000800.00020000.00000000.sdmp, AheGmkp.exe, 00000018.00000002.706376253.00000000033E6000.00000004.00000800.00020000.00000000.sdmpfalse
                            high
                            http://www.fontbureau.com/designers?g0dvHLi4bP.exe, 00000000.00000002.507828493.0000000006C12000.00000004.00000800.00020000.00000000.sdmpfalse
                              high
                              http://crl.usertrAheGmkp.exe, 00000018.00000003.646298713.0000000001425000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.sajatypeworks.comivdg0dvHLi4bP.exe, 00000000.00000003.434322634.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.435735907.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.434263544.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.436481267.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.434449814.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.435975473.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.438134623.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.436182054.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.435045732.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.434508936.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.435924012.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.435216005.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.439477892.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.436845818.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.438504418.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.434538231.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.436004358.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.438993924.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 
00000000.00000003.434891771.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.434977488.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.439167968.000000000599B000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.founder.com.cn/cneseg0dvHLi4bP.exe, 00000000.00000003.437207014.0000000005988000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.tiro.comg0dvHLi4bP.exe, 00000000.00000002.507828493.0000000006C12000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.founder.com.cn/cn;g0dvHLi4bP.exe, 00000000.00000003.437408108.0000000005987000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.fontbureau.com/designersg0dvHLi4bP.exe, 00000000.00000002.507828493.0000000006C12000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000002.507431111.0000000005980000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.492845361.0000000005980000.00000004.00000800.00020000.00000000.sdmpfalse
                                high
                                http://www.jiyu-kobo.co.jp/Y0rg0dvHLi4bP.exe, 00000000.00000003.440198384.000000000598B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.440096725.000000000598B000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.fontbureau.comTTFg0dvHLi4bP.exe, 00000000.00000003.447425136.0000000005988000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.446963602.0000000005987000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.goodfont.co.krg0dvHLi4bP.exe, 00000000.00000002.507828493.0000000006C12000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown

Name: http://www.sajatypeworks.com
Source: g0dvHLi4bP.exe, 00000000.00000003.434322634.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.435735907.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.434263544.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.436481267.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.434449814.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000002.507828493.0000000006C12000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.435975473.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.438134623.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.436182054.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.435045732.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.434508936.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.435924012.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.435216005.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.439477892.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.436845818.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.438504418.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.434538231.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.436004358.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.438993924.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.434891771.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.434977488.000000000599B000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe
Reputation: unknown

Name: http://www.typography.netD
Source: g0dvHLi4bP.exe, 00000000.00000002.507828493.0000000006C12000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe
Reputation: unknown

Name: http://www.founder.com.cn/cn/cThe
Source: g0dvHLi4bP.exe, 00000000.00000002.507828493.0000000006C12000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe
Reputation: unknown

Name: http://www.jiyu-kobo.co.jp/:
Source: g0dvHLi4bP.exe, 00000000.00000003.440198384.000000000598B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.440096725.000000000598B000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe
Reputation: unknown

Name: http://en.wikipediaN
Source: g0dvHLi4bP.exe, 00000000.00000003.433882247.00000000059A3000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://www.galapagosdesign.com/staff/dennis.htm
Source: g0dvHLi4bP.exe, 00000000.00000002.507828493.0000000006C12000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe
Reputation: unknown

Name: http://fontfabrik.com
Source: g0dvHLi4bP.exe, 00000000.00000002.507828493.0000000006C12000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe
Reputation: unknown

Name: http://www.jiyu-kobo.co.jp/jp/d
Source: g0dvHLi4bP.exe, 00000000.00000003.440198384.000000000598B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.440096725.000000000598B000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe
Reputation: unknown

Name: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: AheGmkp.exe, 00000018.00000002.705211628.0000000003091000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe
Reputation: unknown

Name: http://www.galapagosdesign.com/DPlease
Source: g0dvHLi4bP.exe, 00000000.00000002.507828493.0000000006C12000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe
Reputation: unknown

Name: http://www.fontbureau.comgrito
Source: g0dvHLi4bP.exe, 00000000.00000003.458208870.000000000598A000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000002.507431111.0000000005980000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.492845361.0000000005980000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe
Reputation: unknown

Name: http://www.fonts.com
Source: g0dvHLi4bP.exe, 00000000.00000002.507828493.0000000006C12000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://www.sandoll.co.kr
Source: g0dvHLi4bP.exe, 00000000.00000002.507828493.0000000006C12000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe
Reputation: unknown

Name: http://www.fontbureau.com5
Source: g0dvHLi4bP.exe, 00000000.00000003.458208870.000000000598A000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000002.507431111.0000000005980000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.492845361.0000000005980000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://www.urwpp.deDPlease
Source: g0dvHLi4bP.exe, 00000000.00000002.507828493.0000000006C12000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe
Reputation: unknown

Name: http://www.zhongyicts.com.cn
Source: g0dvHLi4bP.exe, 00000000.00000002.507828493.0000000006C12000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe
Reputation: unknown

Name: http://www.jiyu-kobo.co.jp/jp/V
Source: g0dvHLi4bP.exe, 00000000.00000003.440198384.000000000598B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.440096725.000000000598B000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe
Reputation: unknown

Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: g0dvHLi4bP.exe, 00000000.00000002.501848453.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000002.502149951.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, AheGmkp.exe, 0000000C.00000002.603631401.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, AheGmkp.exe, 0000000C.00000002.604682206.0000000002D5C000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://www.sajatypeworks.come
Source: g0dvHLi4bP.exe, 00000000.00000003.434322634.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.435735907.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.434263544.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.436481267.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.434449814.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.435975473.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.438134623.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.436182054.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.435045732.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.434508936.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.435924012.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.435216005.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.439477892.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.436845818.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.438504418.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.434538231.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.436004358.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.438993924.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.434891771.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.434977488.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.434167177.000000000599B000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe
Reputation: unknown

Name: http://www.sakkal.com
Source: g0dvHLi4bP.exe, 00000000.00000002.507828493.0000000006C12000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe
Reputation: unknown

Name: https://api.ipify.org%
Source: g0dvHLi4bP.exe, 00000008.00000002.704236786.0000000003021000.00000004.00000800.00020000.00000000.sdmp, AheGmkp.exe, 00000018.00000002.705211628.0000000003091000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe
Reputation: low

Name: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: g0dvHLi4bP.exe, 00000008.00000002.705876237.000000000337A000.00000004.00000800.00020000.00000000.sdmp, AheGmkp.exe, 00000018.00000003.646298713.0000000001425000.00000004.00000020.00020000.00000000.sdmp, AheGmkp.exe, 00000018.00000002.706376253.00000000033E6000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe
Reputation: unknown

Name: http://www.fontbureau.comlicF
Source: g0dvHLi4bP.exe, 00000000.00000003.447425136.0000000005988000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.446963602.0000000005987000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe
Reputation: unknown

Name: http://www.sajatypeworks.comk-s
Source: g0dvHLi4bP.exe, 00000000.00000003.434322634.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.435735907.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.434263544.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.436481267.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.434449814.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.435975473.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.438134623.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.436182054.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.435045732.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.434508936.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.435924012.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.435216005.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.439477892.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.436845818.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.438504418.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.434538231.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.436004358.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.438993924.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.434891771.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.434977488.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.439167968.000000000599B000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://www.apache.org/licenses/LICENSE-2.0
Source: g0dvHLi4bP.exe, 00000000.00000002.507828493.0000000006C12000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://www.fontbureau.com
Source: g0dvHLi4bP.exe, 00000000.00000003.447425136.0000000005988000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000002.507828493.0000000006C12000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.446963602.0000000005987000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://www.fontbureau.comF
Source: g0dvHLi4bP.exe, 00000000.00000003.446963602.0000000005987000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe
Reputation: unknown

Name: https://sectigo.com/CPS0
Source: g0dvHLi4bP.exe, 00000008.00000002.705876237.000000000337A000.00000004.00000800.00020000.00000000.sdmp, AheGmkp.exe, 00000018.00000003.646298713.0000000001425000.00000004.00000020.00020000.00000000.sdmp, AheGmkp.exe, 00000018.00000002.706376253.00000000033E6000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe
Reputation: unknown

Name: https://api.ipify.org%appdata
Source: AheGmkp.exe, 00000018.00000002.705211628.0000000003091000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe
Reputation: low

Name: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: g0dvHLi4bP.exe, 00000008.00000002.704236786.0000000003021000.00000004.00000800.00020000.00000000.sdmp, AheGmkp.exe, 00000018.00000002.705211628.0000000003091000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe
Reputation: unknown

Name: http://www.jiyu-kobo.co.jp/jp/
Source: g0dvHLi4bP.exe, 00000000.00000003.440096725.000000000598B000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe
Reputation: unknown

Name: http://www.fontbureau.coma
Source: g0dvHLi4bP.exe, 00000000.00000003.447425136.0000000005988000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.458208870.000000000598A000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.446963602.0000000005987000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe
Reputation: unknown

Name: http://www.fontbureau.come.com
Source: g0dvHLi4bP.exe, 00000000.00000003.458208870.000000000598A000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe
Reputation: unknown

Name: http://en.w
Source: g0dvHLi4bP.exe, 00000000.00000003.434389436.0000000005986000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe
Reputation: unknown

Name: http://www.carterandcone.coml
Source: g0dvHLi4bP.exe, 00000000.00000002.507828493.0000000006C12000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe
Reputation: unknown

Name: http://www.fontbureau.com/designers/cabarga.htmlN
Source: g0dvHLi4bP.exe, 00000000.00000002.507828493.0000000006C12000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://www.founder.com.cn/cn
Source: g0dvHLi4bP.exe, 00000000.00000002.507828493.0000000006C12000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.437408108.0000000005987000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.436963733.0000000005987000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.437207014.0000000005988000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe
Reputation: unknown

Name: http://www.fontbureau.com/designers/frere-jones.html
Source: g0dvHLi4bP.exe, 00000000.00000002.507828493.0000000006C12000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://KMYoUX.com
Source: AheGmkp.exe, 00000018.00000002.705211628.0000000003091000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://www.fontbureau.comt
Source: g0dvHLi4bP.exe, 00000000.00000003.447425136.0000000005988000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.446963602.0000000005987000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe
Reputation: unknown

Name: http://www.jiyu-kobo.co.jp/
Source: g0dvHLi4bP.exe, 00000000.00000003.440096725.000000000598B000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe
Reputation: unknown

Name: http://www.fontbureau.com/designers8
Source: g0dvHLi4bP.exe, 00000000.00000002.507828493.0000000006C12000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://ocsp.sectigo.com0A
Source: g0dvHLi4bP.exe, 00000008.00000002.705876237.000000000337A000.00000004.00000800.00020000.00000000.sdmp, AheGmkp.exe, 00000018.00000003.646298713.0000000001425000.00000004.00000020.00020000.00000000.sdmp, AheGmkp.exe, 00000018.00000002.706376253.00000000033E6000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe
Reputation: unknown

Name: http://www.fontbureau.comalic
Source: g0dvHLi4bP.exe, 00000000.00000003.447425136.0000000005988000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.446963602.0000000005987000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe
Reputation: unknown

Name: http://www.jiyu-kobo.co.jp/_
Source: g0dvHLi4bP.exe, 00000000.00000003.440198384.000000000598B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.440096725.000000000598B000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe
Reputation: unknown
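The URL rows above are the report's flattened Name / Source / Malicious / Antivirus Detection / Reputation table: each URL (including whatever trailing garbage the string carver picked up) is fused to the list of memory dumps it was found in. The following Python is an added example, not Joe Sandbox code and not part of this report, that splits such rows back into records. It relies on the process image names read from the report (g0dvHLi4bP.exe and AheGmkp.exe), because nothing else marks where a URL ends and the source list begins, and it treats the first field of each dump name as the analysis process index, which is an assumption about the dump naming. The sample rows are copied from the table above with the long source lists shortened.

```python
"""Split the flattened URL rows of a Joe Sandbox report into records.

Added example, not code from Joe Sandbox or from this report.  Assumes the row
shape seen above (URL fused to "process, dump.sdmp" pairs, then the malicious
flag, an optional "• detector: verdict" line, then a reputation word) and that
the first field of a dump name is the analysis process index.
"""
import re
from collections import defaultdict

# Process image names taken from the report's own rows.  They are required:
# "...fonts.comg0dvHLi4bP.exe, ..." has no separator between URL and process.
REPORT_PROCESSES = ("g0dvHLi4bP.exe", "AheGmkp.exe")
REPUTATIONS = ("unknown", "low", "high")
CONTINUATION_RE = re.compile(r"^[0-9A-F]{8}\.[0-9A-F]{8}\.")


def _source_re(processes):
    names = "|".join(re.escape(p) for p in sorted(processes, key=len, reverse=True))
    # <procidx>.<stage>.<dumpid>.<base>.<four more 8-hex fields>.sdmp
    return re.compile(
        rf"({names}), "
        r"([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})"
        r"(?:\.[0-9A-F]{8}){4}\.sdmp"
    )


def _join_wrapped(lines):
    """Re-attach rows that the page wrapped in the middle of the source list."""
    joined = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if joined and CONTINUATION_RE.match(line):
            joined[-1] += " " + line
        else:
            joined.append(line)
    return joined


def parse_url_rows(text, processes=REPORT_PROCESSES):
    """Return one dict per URL row: url, malicious, detection, reputation, sources."""
    source_re = _source_re(processes)
    lines = _join_wrapped(text.splitlines())
    rows, i = [], 0
    while i < len(lines):
        line = lines[i]
        matches = list(source_re.finditer(line))
        if not matches:
            raise ValueError(f"not a URL row: {line[:60]!r}")
        url = line[: matches[0].start()]
        flag = line[matches[-1].end():].strip().lower()
        if flag not in ("true", "false"):
            raise ValueError(f"missing malicious flag: {line[-40:]!r}")
        sources = defaultdict(set)
        for m in matches:
            sources[m.group(1)].add(int(m.group(2), 16))  # process index (hex)
        i += 1
        detection = ""
        if i < len(lines) and lines[i].startswith("•"):
            detection = lines[i].lstrip("• ").strip()
            i += 1
        reputation = ""
        if i < len(lines) and lines[i] in REPUTATIONS:
            reputation = lines[i]
            i += 1
        rows.append({
            "url": url,
            "malicious": flag == "true",
            "detection": detection,
            "reputation": reputation,
            "sources": {p: sorted(v) for p, v in sources.items()},
        })
    return rows


def urls_not_in_process(rows, proc_idx):
    """URLs whose memory sources never include the given process index.

    In the dump names above, index 0 is the initial g0dvHLi4bP.exe loader, so
    urls_not_in_process(rows, 0) keeps only strings that surfaced in the
    injected child (8) or the persisted copy (0x18), i.e. the payload's own
    strings rather than the loader's embedded font-resource URLs.
    """
    out = []
    for r in rows:
        seen = {idx for idxs in r["sources"].values() for idx in idxs}
        if proc_idx not in seen:
            out.append(r["url"])
    return out


# Constructed sample: rows copied from the table above, source lists shortened.
SAMPLE_ROWS = """
http://www.fonts.comg0dvHLi4bP.exe, 00000000.00000002.507828493.0000000006C12000.00000004.00000800.00020000.00000000.sdmpfalse
high
http://DynDns.comDynDNSnamejidpasswordPsi/PsiAheGmkp.exe, 00000018.00000002.705211628.0000000003091000.00000004.00000800.00020000.00000000.sdmpfalse
• URL Reputation: safe
unknown
https://api.ipify.org%g0dvHLi4bP.exe, 00000008.00000002.704236786.0000000003021000.00000004.00000800.00020000.00000000.sdmp, AheGmkp.exe, 00000018.00000002.705211628.0000000003091000.00000004.00000800.00020000.00000000.sdmpfalse
• URL Reputation: safe
low
http://www.jiyu-kobo.co.jp/:g0dvHLi4bP.exe, 00000000.00000003.440198384.000000000598B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe,
00000000.00000003.440096725.000000000598B000.00000004.00000800.00020000.00000000.sdmpfalse
• URL Reputation: safe
unknown
"""

if __name__ == "__main__":
    rows = parse_url_rows(SAMPLE_ROWS)
    for row in rows:
        print(row["url"], row["sources"], row["reputation"])
    print("payload-only:", urls_not_in_process(rows, 0))
```

Run against the complete table, `urls_not_in_process(rows, 0)` yields exactly the rows whose sources are only process indexes 8 and 0x18 (api.ipify.org, the DynDns string, the Tor download URL, KMYoUX.com), which is the short list worth looking at; everything sourced from index 0 alone is font-vendor metadata carried in the loader's resources.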
IP | Domain | Country | ASN | ASN Name | Malicious
162.222.225.29 | unknown | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false
162.222.225.16 | us2.smtp.mailhostbox.com | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false

IP
192.168.2.1
                                              Joe Sandbox Version:34.0.0 Boulder Opal
                                              Analysis ID:620365
Start date and time:2022-05-04 16:58:27 +02:00
                                              Joe Sandbox Product:CloudBasic
                                              Overall analysis duration:0h 13m 48s
                                              Hypervisor based Inspection enabled:false
                                              Report type:full
                                              Sample file name:g0dvHLi4bP (renamed file extension from none to exe)
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:29
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:0
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • HDC enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Detection:MAL
                                              Classification:mal100.troj.spyw.evad.winEXE@23/15@2/3
                                              EGA Information:
                                              • Successful, ratio: 80%
                                              HDC Information:
                                              • Successful, ratio: 0.3% (good quality ratio 0.2%)
                                              • Quality average: 66.5%
                                              • Quality standard deviation: 39.8%
                                              HCA Information:
                                              • Successful, ratio: 99%
                                              • Number of executed functions: 174
                                              • Number of non-executed functions: 4
                                              Cookbook Comments:
                                              • Adjust boot time
                                              • Enable AMSI
                                              • Exclude process from analysis (whitelisted): audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe
                                              • Excluded IPs from analysis (whitelisted): 52.152.110.14, 52.242.101.226, 20.223.24.244
                                              • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, arc.msn.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net
• Execution Graph export aborted for target AheGmkp.exe, PID 6104 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
                                              • Report creation exceeded maximum time and may have missing disassembly code information.
                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                              • VT rate limit hit for: g0dvHLi4bP.exe
Time | Type | Description
16:59:56 | API Interceptor | 551x Sleep call for process: g0dvHLi4bP.exe modified
17:00:03 | API Interceptor | 54x Sleep call for process: powershell.exe modified
17:00:18 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run AheGmkp C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe
17:00:26 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run AheGmkp C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe
17:00:33 | API Interceptor | 263x Sleep call for process: AheGmkp.exe modified
                                              Process:C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):1216
                                              Entropy (8bit):5.355304211458859
                                              Encrypted:false
                                              SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
                                              MD5:69206D3AF7D6EFD08F4B4726998856D3
                                              SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
                                              SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
                                              SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
                                              Malicious:false
                                              Reputation:unknown
                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Process:C:\Users\user\Desktop\g0dvHLi4bP.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:modified
                                              Size (bytes):1308
                                              Entropy (8bit):5.345811588615766
                                              Encrypted:false
                                              SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4FsXE8:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHJ
                                              MD5:EA78C102145ED608EF0E407B978AF339
                                              SHA1:66C9179ED9675B9271A97AB1FC878077E09AB731
                                              SHA-256:8BF01E0C445BD07C0B4EDC7199B7E17DAF1CA55CA52D4A6EAC4EF211C2B1A73E
                                              SHA-512:8C04139A1FC3C3BDACB680EC443615A43EB18E73B5A0CFCA644CB4A5E71746B275B3E238DD1A5A205405313E457BB75F9BBB93277C67AFA5D78DCFA30E5DA02B
                                              Malicious:true
                                              Reputation:unknown
                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
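The two previews above are .NET Framework CLR usage logs: records of the form `1,"fusion","GAC",0`, `2,"<assembly display name>",0` and `3,"<assembly display name>","<native image path>",0`, one per line, with each CRLF rendered by the report as `..`. The following Python is an added example, not code from the report or from Joe Sandbox, that parses such a preview back into assembly records and flags the cut-off last line. The meaning of the leading record number (2 = assembly bound without a native image path, 3 = with one) is inferred from the preview and is not documented on this page; the sample is the first preview above.

```python
"""Parse a .NET CLR UsageLog as shown in the dropped-file previews above.

Added example, not code from the report or from Joe Sandbox.  Record kinds are
inferred from the preview (1 = runtime subsystem line, 2 = assembly bound
without a native image, 3 = assembly with its NGEN image path); the report
shows each CRLF as "..", which this parser undoes before splitting lines.
"""


def _split_record(line):
    """Split one record on commas outside double quotes.

    Returns (fields, unterminated); unterminated is True when the line ends
    inside a quoted field, i.e. the preview was cut off mid-record.
    """
    fields, cur, quoted = [], [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    fields.append("".join(cur))
    return fields, quoted


def parse_usage_log(text):
    """Return one dict per log line: kind, truncated, and per-kind fields."""
    if "\n" not in text:
        text = text.replace("..", "\r\n")  # undo the preview's rendering of CRLF
    records = []
    for raw in text.splitlines():
        if not raw:
            continue
        fields, unterminated = _split_record(raw)
        kind = int(fields[0]) if fields[0].isdigit() else None
        # A complete record ends in a bare numeric flag; anything else is cut off.
        rec = {"kind": kind, "truncated": unterminated or not fields[-1].isdigit()}
        if kind == 1 and len(fields) >= 3:
            rec["subsystem"], rec["mode"] = fields[1], fields[2]
        elif kind in (2, 3) and len(fields) >= 2:
            rec["assembly"] = fields[1]
            rec["simple_name"] = fields[1].split(",", 1)[0].strip()
            rec["native_image"] = fields[2] if kind == 3 and len(fields) >= 4 else None
        records.append(rec)
    return records


def loaded_assemblies(records):
    """Simple names of every assembly the process bound, in load order."""
    return [r["simple_name"] for r in records if "simple_name" in r]


def native_images(records):
    """NGEN image paths the loader resolved (kind-3 records only)."""
    return [r["native_image"] for r in records if r.get("native_image")]


# Constructed sample: the preview of the first dropped-file entry above.
PREVIEW = (
    '1,"fusion","GAC",0..1,"WinRT","NotApp",1..'
    '2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..'
    '3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\\System.ni.dll",0..'
    '2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..'
    '2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..'
    '3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Core\\f1d8480152e0da9a60ad49c6d16a3b6d\\System.Core.ni.dll",0..'
    '3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Configuration\\8d67d92724ba494b6c7fd089d6f25b48\\System.Configuration.ni.dll",0..'
    '3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a'
)

if __name__ == "__main__":
    recs = parse_usage_log(PREVIEW)
    print(loaded_assemblies(recs))
    print("truncated records:", sum(r["truncated"] for r in recs))
```

The report does not show where these two files were written; on .NET Framework 4.x a 32-bit process writes its usage log to %LOCALAPPDATA%\Microsoft\CLR_v4.0_32\UsageLogs\<image name>.log (general knowledge, not stated on this page), which makes the file a useful host artifact: it records that a .NET image with that name ran, and which framework assemblies it bound, even after the binary itself is gone. The parser accepts real CRLF-delimited log content as well as the dotted preview form.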

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):22136
                                              Entropy (8bit):5.597822703095696
                                              Encrypted:false
                                              SSDEEP:384:rtCDXq0+++NURn/Jvbc1S0ncjultIUMptQCvjg3hInUML+mfmAV7edMDS5ZQvnI2:Hen/F+TcCltn0K066fK6pk7+1
                                              MD5:B70ECAE7C579586D29CC3A2E7A951E8D
                                              SHA1:2E80B12AD6A3815720063BE0596D7E767BC5DC71
                                              SHA-256:D0057D879F3C464632DA27A3CF4052068A35D5CB2EC249C904850291C72E37F2
                                              SHA-512:9F8E625D2BB43EBC607F0CC460A6DC195DA0604A7A56D63788FD04BDB18EF36CCBADBB7B442F4C193FF5373FE5C40C185510101A07578DE64D6C6FE60297A278
                                              Malicious:false
                                              Reputation:unknown
                                              Preview:@...e...........W.......{.s.........n...&.\..........@..........H...............<@.^.L."My...:B..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:very short file (no magic)
                                              Category:dropped
                                              Size (bytes):1
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3:U:U
                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                              Malicious:false
                                              Reputation:unknown
                                              Preview:1
                                              Process:C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe
                                              File Type:XML 1.0 document, ASCII text
                                              Category:dropped
                                              Size (bytes):1603
                                              Entropy (8bit):5.134080332336202
                                              Encrypted:false
                                              SSDEEP:24:2di4+S2qh/a1Kby1moqUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtjxvn:cgeCaYrFdOFzOzN33ODOiDdKrsuTdv
                                              MD5:904679853A08670AB337ACD5326AE5EC
                                              SHA1:42D1F905EA56C74288A9B79BAE92980F032E52BF
                                              SHA-256:67CA6167D39906C125752E95BACF21D6173A4FEBF2242130733391BB51124B86
                                              SHA-512:274D3DF62321515C671D9C3C2F3F20E59ABB36042A423126890C8929F0096FB0E3EA037DDA57713B0E9BAC5511D0B2F9441A09F187B7B7F678D726638AA491D5
                                              Malicious:false
                                              Reputation:unknown
                                              Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.
                                              Process:C:\Users\user\Desktop\g0dvHLi4bP.exe
                                              File Type:XML 1.0 document, ASCII text
                                              Category:dropped
                                              Size (bytes):1603
                                              Entropy (8bit):5.134080332336202
                                              Encrypted:false
                                              SSDEEP:24:2di4+S2qh/a1Kby1moqUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtjxvn:cgeCaYrFdOFzOzN33ODOiDdKrsuTdv
                                              MD5:904679853A08670AB337ACD5326AE5EC
                                              SHA1:42D1F905EA56C74288A9B79BAE92980F032E52BF
                                              SHA-256:67CA6167D39906C125752E95BACF21D6173A4FEBF2242130733391BB51124B86
                                              SHA-512:274D3DF62321515C671D9C3C2F3F20E59ABB36042A423126890C8929F0096FB0E3EA037DDA57713B0E9BAC5511D0B2F9441A09F187B7B7F678D726638AA491D5
                                              Malicious:true
                                              Reputation:unknown
                                              Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.
                                              Process:C:\Users\user\Desktop\g0dvHLi4bP.exe
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):536064
                                              Entropy (8bit):7.963464056116047
                                              Encrypted:false
                                              SSDEEP:12288:P2L2I3WfZbHLfAFrv3fjx5u45RXKmMPA6KAzVb9Dg+qyx2H:P25I17A1vtg43KpPA6Nb98+qyx2H
                                              MD5:4C414B473BCCBBCE2C7CDE00248EA1A1
                                              SHA1:77BF848D5A1D4D0FDC252AA170E7B8AF19BCC012
                                              SHA-256:7BB212946FDEB406C7AA8F691405D185065514D5DC1F269F8E409762FF9F6915
                                              SHA-512:0FA66C53045E9E74D294420D66DEADCAD7EE56D13E33DD90E73B0DE1E6958CD3B5C347E13E85797895BBAC5F23B3CC3926D6B9A75F242EF2379D93230C7B0F9B
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              • Antivirus: ReversingLabs, Detection: 31%
                                              Reputation:unknown
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....u................0.."..........Z@... ...`....@.. ....................................@..................................@..O....`..<............................?............................................... ............... ..H............text...` ... ...".................. ..`.rsrc...<....`.......$..............@..@.reloc...............,..............@..B................<@......H.......<H...0...........x.. ............................................0............}.....(.......(.....~....t2.....3...%.r...p.%.~.....%.r...p.%.~.....%.r...p.%.~.....%.r...p.(....o.......r...p......%.......%.r)..p.%.rG..p.%.rY..p....(.....*...{....rg..p%.-...o..... .........*.0.............{....o.....0...(.........,..r{..p(....&....r...p..r...p(......,..r...p(....&.v.r...p(........,..r...p(....&s........o......H.(....&...9...%..:.o.......1.....2...s......o.............o
                                              Process:C:\Users\user\Desktop\g0dvHLi4bP.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:modified
                                              Size (bytes):26
                                              Entropy (8bit):3.95006375643621
                                              Encrypted:false
                                              SSDEEP:3:ggPYV:rPYV
                                              MD5:187F488E27DB4AF347237FE461A079AD
                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                              Malicious:true
                                              Reputation:unknown
                                              Preview:[ZoneTransfer]....ZoneId=0
                                              Process:C:\Users\user\Desktop\g0dvHLi4bP.exe
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):536064
                                              Entropy (8bit):7.963464056116047
                                              Encrypted:false
                                              SSDEEP:12288:P2L2I3WfZbHLfAFrv3fjx5u45RXKmMPA6KAzVb9Dg+qyx2H:P25I17A1vtg43KpPA6Nb98+qyx2H
                                              MD5:4C414B473BCCBBCE2C7CDE00248EA1A1
                                              SHA1:77BF848D5A1D4D0FDC252AA170E7B8AF19BCC012
                                              SHA-256:7BB212946FDEB406C7AA8F691405D185065514D5DC1F269F8E409762FF9F6915
                                              SHA-512:0FA66C53045E9E74D294420D66DEADCAD7EE56D13E33DD90E73B0DE1E6958CD3B5C347E13E85797895BBAC5F23B3CC3926D6B9A75F242EF2379D93230C7B0F9B
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              • Antivirus: ReversingLabs, Detection: 31%
                                              Reputation:unknown
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....u................0.."..........Z@... ...`....@.. ....................................@..................................@..O....`..<............................?............................................... ............... ..H............text...` ... ...".................. ..`.rsrc...<....`.......$..............@..@.reloc...............,..............@..B................<@......H.......<H...0...........x.. ............................................0............}.....(.......(.....~....t2.....3...%.r...p.%.~.....%.r...p.%.~.....%.r...p.%.~.....%.r...p.(....o.......r...p......%.......%.r)..p.%.rG..p.%.rY..p....(.....*...{....rg..p%.-...o..... .........*.0.............{....o.....0...(.........,..r{..p(....&....r...p..r...p(......,..r...p(....&.v.r...p(........,..r...p(....&s........o......H.(....&...9...%..:.o.......1.....2...s......o.............o
                                              Process:C:\Users\user\Desktop\g0dvHLi4bP.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):26
                                              Entropy (8bit):3.95006375643621
                                              Encrypted:false
                                              SSDEEP:3:ggPYV:rPYV
                                              MD5:187F488E27DB4AF347237FE461A079AD
                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                              Malicious:true
                                              Reputation:unknown
                                              Preview:[ZoneTransfer]....ZoneId=0
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):5807
                                              Entropy (8bit):5.392757491075899
                                              Encrypted:false
                                              SSDEEP:96:BZp/AZNsqDo1ZSZ3/AZNsqDo1ZR5PhjZ4/AZNsqDo1ZacRRDZw:k
                                              MD5:32E8DB16DD68F89E485E50B09244EC15
                                              SHA1:9D9603BDC78658E9E4224DDFBE085827D4CA5A7E
                                              SHA-256:987995A1AB28758D3AF5782BEE36DA9657011669D31200ED43EC2B7FDC146757
                                              SHA-512:6DB9F4B1090662FF98CD6246F1E737F90C46FCFE5D0D0B4697792A661F7E6DF83F01A69DE738DBA7FEA5B183E509098A81B493554DB0179330C83A562DD0928A
                                              Malicious:false
                                              Reputation:unknown
                                              Preview:.**********************..Windows PowerShell transcript start..Start time: 20220504170046..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 302494 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\lyfhOEwABQlG.exe..Process ID: 7028..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220504170046..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\lyfhOEwABQlG.exe..**********************..Windows PowerShell transcript start..Start time: 20220504170310..Username: computer\user..RunAs User: DESKTOP-716
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):5807
                                              Entropy (8bit):5.3977275389029815
                                              Encrypted:false
                                              SSDEEP:96:BZS/AZNGqDo1Z3ZB/AZNGqDo1Zi5PhjZa/AZNGqDo1Z3cRRoZT:S
                                              MD5:6B817459B04BE9489F42E626B6DC8A60
                                              SHA1:92EB9952E3D42C49FF1617E2D30515F574E608C2
                                              SHA-256:52D51ABABD9EA021CB841743B99361348CE4FD47A25C17C2000CAC813F8F7789
                                              SHA-512:3A0E1748F60B6FA3A885B610CF803F5F9BD9B2DE6C86BFD42894B959FC0BE09DCFBAC166634F79109A67E6DD9A6A871FBD67E9F24640694BA2A6024ED92BA029
                                              Malicious:false
                                              Reputation:unknown
                                              Preview:.**********************..Windows PowerShell transcript start..Start time: 20220504170003..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 302494 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\lyfhOEwABQlG.exe..Process ID: 5868..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220504170003..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\lyfhOEwABQlG.exe..**********************..Windows PowerShell transcript start..Start time: 20220504170356..Username: computer\user..RunAs User: DESKTOP-716
                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Entropy (8bit):7.963464056116047
                                              TrID:
                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                              • Win32 Executable (generic) a (10002005/4) 49.78%
                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                              • DOS Executable Generic (2002/1) 0.01%
                                              File name:g0dvHLi4bP.exe
                                              File size:536064
                                              MD5:4c414b473bccbbce2c7cde00248ea1a1
                                              SHA1:77bf848d5a1d4d0fdc252aa170e7b8af19bcc012
                                              SHA256:7bb212946fdeb406c7aa8f691405d185065514d5dc1f269f8e409762ff9f6915
                                              SHA512:0fa66c53045e9e74d294420d66deadcad7ee56d13e33dd90e73b0de1e6958cd3b5c347e13e85797895bbac5f23b3cc3926d6b9a75f242ef2379d93230c7b0f9b
                                              SSDEEP:12288:P2L2I3WfZbHLfAFrv3fjx5u45RXKmMPA6KAzVb9Dg+qyx2H:P25I17A1vtg43KpPA6Nb98+qyx2H
                                              TLSH:8CB4120462F38336FBB972F26A6453C123753A4DB026F6A82C9093EE9CC1B5B5554F53
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....u................0.."..........Z@... ...`....@.. ....................................@................................
                                              Icon Hash:00828e8e8686b000
                                              Entrypoint:0x48405a
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                              Time Stamp:0xD8BB75AE [Fri Mar 23 05:33:34 2085 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:v4.0.30319
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                              Instruction
                                              jmp dword ptr [00402000h]
                                              Name                                  Virtual Address  Virtual Size  Is in Section
                                              IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                              IMAGE_DIRECTORY_ENTRY_IMPORT          0x84008          0x4f          .text
                                              IMAGE_DIRECTORY_ENTRY_RESOURCE        0x86000          0x63c         .rsrc
                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                              IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                              IMAGE_DIRECTORY_ENTRY_BASERELOC       0x88000          0xc           .reloc
                                              IMAGE_DIRECTORY_ENTRY_DEBUG           0x83fec          0x1c          .text
                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                              IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                              IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                              IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                              Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
                                              .text   0x2000           0x82060       0x82200   False     0.956357693924   data       7.97222784974   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                              .rsrc   0x86000          0x63c         0x800     False     0.35009765625    data       3.50595023872   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                              .reloc  0x88000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                              Name         RVA      Size   Type                                                                         Language  Country
                                              RT_VERSION   0x86090  0x3ac  data
                                              RT_MANIFEST  0x8644c  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                              DLL          Import
                                              mscoree.dll  _CorExeMain
                                              Description       Data
                                              Translation       0x0000 0x04b0
                                              LegalCopyright    Copyright 2020-2021 by David Xanatos (xanasoft.com)
                                              Assembly Version  1.0.0.0
                                              InternalName      PolicyExcept.exe
                                              FileVersion       1.0.0.0
                                              CompanyName       sandboxie-plus.com
                                              LegalTrademarks
                                              Comments
                                              ProductName       Sandboxie
                                              ProductVersion    1.0.0.0
                                              FileDescription   Sandboxie Installer
                                              OriginalFilename  PolicyExcept.exe
                                              Timestamp                            Source Port  Dest Port  Source IP       Dest IP
                                              May 4, 2022 17:00:25.724492073 CEST  49782        587        192.168.2.5     162.222.225.16
                                              May 4, 2022 17:00:25.921848059 CEST  587          49782      162.222.225.16  192.168.2.5
                                              May 4, 2022 17:00:25.921967983 CEST  49782        587        192.168.2.5     162.222.225.16
                                              May 4, 2022 17:00:27.126470089 CEST  587          49782      162.222.225.16  192.168.2.5
                                              May 4, 2022 17:00:27.126799107 CEST  49782        587        192.168.2.5     162.222.225.16
                                              May 4, 2022 17:00:27.324078083 CEST  587          49782      162.222.225.16  192.168.2.5
                                              May 4, 2022 17:00:27.324179888 CEST  587          49782      162.222.225.16  192.168.2.5
                                              May 4, 2022 17:00:27.324503899 CEST  49782        587        192.168.2.5     162.222.225.16
                                              May 4, 2022 17:00:27.522455931 CEST  587          49782      162.222.225.16  192.168.2.5
                                              May 4, 2022 17:00:27.581762075 CEST  49782        587        192.168.2.5     162.222.225.16
                                              May 4, 2022 17:00:27.779381037 CEST  587          49782      162.222.225.16  192.168.2.5
                                              May 4, 2022 17:00:27.779432058 CEST  587          49782      162.222.225.16  192.168.2.5
                                              May 4, 2022 17:00:27.779459000 CEST  587          49782      162.222.225.16  192.168.2.5
                                              May 4, 2022 17:00:27.779479980 CEST  587          49782      162.222.225.16  192.168.2.5
                                              May 4, 2022 17:00:27.779582977 CEST  49782        587        192.168.2.5     162.222.225.16
                                              May 4, 2022 17:00:27.779632092 CEST  49782        587        192.168.2.5     162.222.225.16
                                              May 4, 2022 17:00:27.781455994 CEST  587          49782      162.222.225.16  192.168.2.5
                                              May 4, 2022 17:00:27.856467009 CEST  49782        587        192.168.2.5     162.222.225.16
                                              May 4, 2022 17:00:27.977020979 CEST  587          49782      162.222.225.16  192.168.2.5
                                              May 4, 2022 17:00:28.006202936 CEST  49782        587        192.168.2.5     162.222.225.16
                                              May 4, 2022 17:00:28.204210043 CEST  587          49782      162.222.225.16  192.168.2.5
                                              May 4, 2022 17:00:28.247243881 CEST  49782        587        192.168.2.5     162.222.225.16
                                              May 4, 2022 17:00:28.367575884 CEST  49782        587        192.168.2.5     162.222.225.16
                                              May 4, 2022 17:00:28.565136909 CEST  587          49782      162.222.225.16  192.168.2.5
                                              May 4, 2022 17:00:28.566299915 CEST  49782        587        192.168.2.5     162.222.225.16
                                              May 4, 2022 17:00:28.764785051 CEST  587          49782      162.222.225.16  192.168.2.5
                                              May 4, 2022 17:00:28.767256021 CEST  49782        587        192.168.2.5     162.222.225.16
                                              May 4, 2022 17:00:28.967353106 CEST  587          49782      162.222.225.16  192.168.2.5
                                              May 4, 2022 17:00:29.068176985 CEST  49782        587        192.168.2.5     162.222.225.16
                                              May 4, 2022 17:00:29.074171066 CEST  49782        587        192.168.2.5     162.222.225.16
                                              May 4, 2022 17:00:29.273842096 CEST  587          49782      162.222.225.16  192.168.2.5
                                              May 4, 2022 17:00:29.292809010 CEST  49782        587        192.168.2.5     162.222.225.16
                                              May 4, 2022 17:00:29.502237082 CEST  587          49782      162.222.225.16  192.168.2.5
                                              May 4, 2022 17:00:29.506899118 CEST  49782        587        192.168.2.5     162.222.225.16
                                              May 4, 2022 17:00:29.705562115 CEST  587          49782      162.222.225.16  192.168.2.5
                                              May 4, 2022 17:00:29.706659079 CEST  49782        587        192.168.2.5     162.222.225.16
                                              May 4, 2022 17:00:29.706773043 CEST  49782        587        192.168.2.5     162.222.225.16
                                              May 4, 2022 17:00:29.707461119 CEST  49782        587        192.168.2.5     162.222.225.16
                                              May 4, 2022 17:00:29.707537889 CEST  49782        587        192.168.2.5     162.222.225.16
                                              May 4, 2022 17:00:29.904197931 CEST  587          49782      162.222.225.16  192.168.2.5
                                              May 4, 2022 17:00:29.904995918 CEST  587          49782      162.222.225.16  192.168.2.5
                                              May 4, 2022 17:00:30.056780100 CEST  587          49782      162.222.225.16  192.168.2.5
                                              May 4, 2022 17:00:30.247364998 CEST  49782        587        192.168.2.5     162.222.225.16
                                              May 4, 2022 17:01:17.341106892 CEST  49799        587        192.168.2.5     162.222.225.29
                                              May 4, 2022 17:01:17.538479090 CEST  587          49799      162.222.225.29  192.168.2.5
                                              May 4, 2022 17:01:17.538868904 CEST  49799        587        192.168.2.5     162.222.225.29
                                              May 4, 2022 17:01:18.743863106 CEST  587          49799      162.222.225.29  192.168.2.5
                                              May 4, 2022 17:01:18.746946096 CEST  49799        587        192.168.2.5     162.222.225.29
                                              May 4, 2022 17:01:18.944420099 CEST  587          49799      162.222.225.29  192.168.2.5
                                              May 4, 2022 17:01:18.944461107 CEST  587          49799      162.222.225.29  192.168.2.5
                                              May 4, 2022 17:01:18.950834990 CEST  49799        587        192.168.2.5     162.222.225.29
                                              May 4, 2022 17:01:19.148854017 CEST  587          49799      162.222.225.29  192.168.2.5
                                              May 4, 2022 17:01:19.203214884 CEST  49799        587        192.168.2.5     162.222.225.29
                                              May 4, 2022 17:01:19.400837898 CEST  587          49799      162.222.225.29  192.168.2.5
                                              May 4, 2022 17:01:19.400871038 CEST  587          49799      162.222.225.29  192.168.2.5
                                              May 4, 2022 17:01:19.400893927 CEST  587          49799      162.222.225.29  192.168.2.5
                                              May 4, 2022 17:01:19.400909901 CEST  587          49799      162.222.225.29  192.168.2.5
                                              May 4, 2022 17:01:19.400974989 CEST  49799        587        192.168.2.5     162.222.225.29
                                              May 4, 2022 17:01:19.401024103 CEST  49799        587        192.168.2.5     162.222.225.29
                                              May 4, 2022 17:01:19.403031111 CEST  587          49799      162.222.225.29  192.168.2.5
                                              May 4, 2022 17:01:19.460330009 CEST  49799        587        192.168.2.5     162.222.225.29
                                              May 4, 2022 17:01:19.599139929 CEST  587          49799      162.222.225.29  192.168.2.5
                                              May 4, 2022 17:01:19.604698896 CEST  49799        587        192.168.2.5     162.222.225.29
                                              May 4, 2022 17:01:19.804348946 CEST  587          49799      162.222.225.29  192.168.2.5
                                              May 4, 2022 17:01:19.854656935 CEST  49799        587        192.168.2.5     162.222.225.29
                                              May 4, 2022 17:01:19.952203035 CEST  49799        587        192.168.2.5     162.222.225.29
                                              May 4, 2022 17:01:20.149756908 CEST  587          49799      162.222.225.29  192.168.2.5
                                              May 4, 2022 17:01:20.150518894 CEST  49799        587        192.168.2.5     162.222.225.29
                                              May 4, 2022 17:01:20.349066019 CEST  587          49799      162.222.225.29  192.168.2.5
                                              May 4, 2022 17:01:20.349889994 CEST  49799        587        192.168.2.5     162.222.225.29
                                              May 4, 2022 17:01:20.550350904 CEST  587          49799      162.222.225.29  192.168.2.5
                                              May 4, 2022 17:01:20.550903082 CEST  49799        587        192.168.2.5     162.222.225.29
                                              May 4, 2022 17:01:20.750528097 CEST  587          49799      162.222.225.29  192.168.2.5
                                              May 4, 2022 17:01:20.751018047 CEST  49799        587        192.168.2.5     162.222.225.29
                                              May 4, 2022 17:01:20.965641022 CEST  587          49799      162.222.225.29  192.168.2.5
                                              May 4, 2022 17:01:20.966207027 CEST  49799        587        192.168.2.5     162.222.225.29
                                              May 4, 2022 17:01:21.164452076 CEST  587          49799      162.222.225.29  192.168.2.5
                                              May 4, 2022 17:01:21.165565968 CEST  49799        587        192.168.2.5     162.222.225.29
                                              May 4, 2022 17:01:21.165731907 CEST  49799        587        192.168.2.5     162.222.225.29
                                              May 4, 2022 17:01:21.165860891 CEST  49799        587        192.168.2.5     162.222.225.29
                                              May 4, 2022 17:01:21.165971041 CEST  49799        587        192.168.2.5     162.222.225.29
                                              May 4, 2022 17:01:21.362831116 CEST  587          49799      162.222.225.29  192.168.2.5
                                              May 4, 2022 17:01:21.362926960 CEST  587          49799      162.222.225.29  192.168.2.5
                                              May 4, 2022 17:01:21.503638983 CEST  587          49799      162.222.225.29  192.168.2.5
                                              May 4, 2022 17:01:21.663621902 CEST  49799        587        192.168.2.5     162.222.225.29
                                              Timestamp                            Source Port  Dest Port  Source IP    Dest IP
                                              May 4, 2022 17:00:25.672841072 CEST  62466        53         192.168.2.5  8.8.8.8
                                              May 4, 2022 17:00:25.694880962 CEST  53           62466      8.8.8.8      192.168.2.5
                                              May 4, 2022 17:01:17.260657072 CEST  63241        53         192.168.2.5  8.8.8.8
                                              May 4, 2022 17:01:17.281758070 CEST  53           63241      8.8.8.8      192.168.2.5
                                              Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                      Type            Class
                                              May 4, 2022 17:00:25.672841072 CEST  192.168.2.5  8.8.8.8  0xcc9c    Standard query (0)  us2.smtp.mailhostbox.com  A (IP address)  IN (0x0001)
                                              May 4, 2022 17:01:17.260657072 CEST  192.168.2.5  8.8.8.8  0xe78b    Standard query (0)  us2.smtp.mailhostbox.com  A (IP address)  IN (0x0001)
                                              Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                      CName  Address         Type            Class
                                              May 4, 2022 17:00:25.694880962 CEST  8.8.8.8    192.168.2.5  0xcc9c    No error (0)  us2.smtp.mailhostbox.com         162.222.225.16  A (IP address)  IN (0x0001)
                                              May 4, 2022 17:00:25.694880962 CEST  8.8.8.8    192.168.2.5  0xcc9c    No error (0)  us2.smtp.mailhostbox.com         208.91.198.46   A (IP address)  IN (0x0001)
                                              May 4, 2022 17:00:25.694880962 CEST  8.8.8.8    192.168.2.5  0xcc9c    No error (0)  us2.smtp.mailhostbox.com         208.91.198.38   A (IP address)  IN (0x0001)
                                              May 4, 2022 17:00:25.694880962 CEST  8.8.8.8    192.168.2.5  0xcc9c    No error (0)  us2.smtp.mailhostbox.com         162.222.225.29  A (IP address)  IN (0x0001)
                                              May 4, 2022 17:01:17.281758070 CEST  8.8.8.8    192.168.2.5  0xe78b    No error (0)  us2.smtp.mailhostbox.com         162.222.225.29  A (IP address)  IN (0x0001)
                                              May 4, 2022 17:01:17.281758070 CEST  8.8.8.8    192.168.2.5  0xe78b    No error (0)  us2.smtp.mailhostbox.com         208.91.198.46   A (IP address)  IN (0x0001)
                                              May 4, 2022 17:01:17.281758070 CEST  8.8.8.8    192.168.2.5  0xe78b    No error (0)  us2.smtp.mailhostbox.com         162.222.225.16  A (IP address)  IN (0x0001)
                                              May 4, 2022 17:01:17.281758070 CEST  8.8.8.8    192.168.2.5  0xe78b    No error (0)  us2.smtp.mailhostbox.com         208.91.198.38   A (IP address)  IN (0x0001)
                                              Timestamp                            Source Port  Dest Port  Source IP       Dest IP         Commands
                                              May 4, 2022 17:00:27.126470089 CEST  587          49782      162.222.225.16  192.168.2.5     220 us2.outbound.mailhostbox.com ESMTP Postfix
                                              May 4, 2022 17:00:27.126799107 CEST  49782        587        192.168.2.5     162.222.225.16  EHLO 302494
                                              May 4, 2022 17:00:27.324179888 CEST  587          49782      162.222.225.16  192.168.2.5     250-us2.outbound.mailhostbox.com
                                                                                                                                           250-PIPELINING
                                                                                                                                           250-SIZE 41648128
                                                                                                                                           250-VRFY
                                                                                                                                           250-ETRN
                                                                                                                                           250-STARTTLS
                                                                                                                                           250-AUTH PLAIN LOGIN
                                                                                                                                           250-AUTH=PLAIN LOGIN
                                                                                                                                           250-ENHANCEDSTATUSCODES
                                                                                                                                           250-8BITMIME
                                                                                                                                           250-DSN
                                                                                                                                           250 CHUNKING
                                              May 4, 2022 17:00:27.324503899 CEST  49782        587        192.168.2.5     162.222.225.16  STARTTLS
                                              May 4, 2022 17:00:27.522455931 CEST  587          49782      162.222.225.16  192.168.2.5     220 2.0.0 Ready to start TLS
                                              May 4, 2022 17:01:18.743863106 CEST  587          49799      162.222.225.29  192.168.2.5     220 us2.outbound.mailhostbox.com ESMTP Postfix
                                              May 4, 2022 17:01:18.746946096 CEST  49799        587        192.168.2.5     162.222.225.29  EHLO 302494
                                              May 4, 2022 17:01:18.944461107 CEST  587          49799      162.222.225.29  192.168.2.5     250-us2.outbound.mailhostbox.com
                                                                                                                                           250-PIPELINING
                                                                                                                                           250-SIZE 41648128
                                                                                                                                           250-VRFY
                                                                                                                                           250-ETRN
                                                                                                                                           250-STARTTLS
                                                                                                                                           250-AUTH PLAIN LOGIN
                                                                                                                                           250-AUTH=PLAIN LOGIN
                                                                                                                                           250-ENHANCEDSTATUSCODES
                                                                                                                                           250-8BITMIME
                                                                                                                                           250-DSN
                                                                                                                                           250 CHUNKING
                                              May 4, 2022 17:01:18.950834990 CEST  49799        587        192.168.2.5     162.222.225.29  STARTTLS
                                              May 4, 2022 17:01:19.148854017 CEST  587          49799      162.222.225.29  192.168.2.5     220 2.0.0 Ready to start TLS

                                              Target ID:0
                                              Start time:16:59:39
                                              Start date:04/05/2022
                                              Path:C:\Users\user\Desktop\g0dvHLi4bP.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\g0dvHLi4bP.exe"
                                              Imagebase:0x620000
                                              File size:536064 bytes
                                              MD5 hash:4C414B473BCCBBCE2C7CDE00248EA1A1
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.501848453.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.502149951.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.504524116.0000000003B12000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.504524116.0000000003B12000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:low

                                              Target ID:4
                                              Start time:17:00:00
                                              Start date:04/05/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyfhOEwABQlG.exe
                                              Imagebase:0x920000
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Reputation:high

                                              Target ID:5
                                              Start time:17:00:01
                                              Start date:04/05/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff77f440000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Target ID:6
                                              Start time:17:00:01
                                              Start date:04/05/2022
                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyfhOEwABQlG" /XML "C:\Users\user\AppData\Local\Temp\tmpF6C5.tmp
                                              Imagebase:0xe30000
                                              File size:185856 bytes
                                              MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Target ID:7
                                              Start time:17:00:02
                                              Start date:04/05/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff77f440000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Target ID:8
                                              Start time:17:00:04
                                              Start date:04/05/2022
                                              Path:C:\Users\user\Desktop\g0dvHLi4bP.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\user\Desktop\g0dvHLi4bP.exe
                                              Imagebase:0xbd0000
                                              File size:536064 bytes
                                              MD5 hash:4C414B473BCCBBCE2C7CDE00248EA1A1
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000000.487111726.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000000.487111726.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000000.488270274.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000000.488270274.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000000.487666234.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000000.487666234.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000000.489038629.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000000.489038629.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.696067771.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000002.696067771.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.704236786.0000000003021000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.704236786.0000000003021000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:low

                                              Target ID:12
                                              Start time:17:00:26
                                              Start date:04/05/2022
                                              Path:C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe"
                                              Imagebase:0x780000
                                              File size:536064 bytes
                                              MD5 hash:4C414B473BCCBBCE2C7CDE00248EA1A1
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.606786408.0000000003CE2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000C.00000002.606786408.0000000003CE2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000C.00000002.603631401.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000C.00000002.604682206.0000000002D5C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Antivirus matches:
                                              • Detection: 100%, Joe Sandbox ML
                                              • Detection: 31%, ReversingLabs
                                              Reputation:low

                                              Target ID:15
                                              Start time:17:00:35
                                              Start date:04/05/2022
                                              Path:C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe"
                                              Imagebase:0xc50000
                                              File size:536064 bytes
                                              MD5 hash:4C414B473BCCBBCE2C7CDE00248EA1A1
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000F.00000002.594985042.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:low

                                              Target ID:17
                                              Start time:17:00:41
                                              Start date:04/05/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyfhOEwABQlG.exe
                                              Imagebase:0x920000
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Reputation:high

                                              Target ID:18
                                              Start time:17:00:42
                                              Start date:04/05/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff77f440000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:19
                                              Start time:17:00:44
                                              Start date:04/05/2022
                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyfhOEwABQlG" /XML "C:\Users\user\AppData\Local\Temp\tmp972C.tmp
                                              Imagebase:0xe30000
                                              File size:185856 bytes
                                              MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:21
                                              Start time:17:00:46
                                              Start date:04/05/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff77f440000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:22
                                              Start time:17:00:52
                                              Start date:04/05/2022
                                              Path:C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe
                                              Imagebase:0x410000
                                              File size:536064 bytes
                                              MD5 hash:4C414B473BCCBBCE2C7CDE00248EA1A1
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:23
                                              Start time:17:00:54
                                              Start date:04/05/2022
                                              Path:C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe
                                              Imagebase:0x340000
                                              File size:536064 bytes
                                              MD5 hash:4C414B473BCCBBCE2C7CDE00248EA1A1
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:24
                                              Start time:17:00:55
                                              Start date:04/05/2022
                                              Path:C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe
                                              Imagebase:0xbf0000
                                              File size:536064 bytes
                                              MD5 hash:4C414B473BCCBBCE2C7CDE00248EA1A1
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000018.00000000.596334236.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000018.00000000.596334236.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000018.00000000.595827903.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000018.00000000.595827903.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000018.00000000.596964511.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000018.00000000.596964511.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000018.00000002.705211628.0000000003091000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000018.00000002.705211628.0000000003091000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000018.00000002.696078477.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000018.00000002.696078477.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000018.00000000.595144687.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000018.00000000.595144687.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security


                                                Execution Graph

                                                Execution Coverage:10.7%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:0%
                                                Total number of Nodes:220
                                                Total number of Limit Nodes:14
                                                execution_graph: node list omitted (graph residue); API nodes referenced: DrawTextExW, GetModuleHandleW, LoadLibraryExW, CreateActCtxA, DuplicateHandle

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 701f788-701fedc: node list omitted (graph residue); calls 701f788 and 701f77a
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.508747778.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7010000_g0dvHLi4bP.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: D0/m$D0/m$D0/m
                                                • API String ID: 0-2548761135
                                                • Opcode ID: d71f76ca0723baf48a2f75bc72a4d790557f71d27c7535d5eb29571686d8f3ed
                                                • Instruction ID: 8b30ef67071870be6b99f9122e3f23f9492bb5110ee4d38a75e429ea1bfbc012
                                                • Opcode Fuzzy Hash: d71f76ca0723baf48a2f75bc72a4d790557f71d27c7535d5eb29571686d8f3ed
                                                • Instruction Fuzzy Hash: 522280B0B0011A9FDB14DFA4C854AAEBBF6BF88304F148569E906DB355DB34ED42CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 144 fc38a8-fc5431 CreateActCtxA 147 fc543a-fc5494 144->147 148 fc5433-fc5439 144->148 155 fc5496-fc5499 147->155 156 fc54a3-fc54a7 147->156 148->147 155->156 157 fc54b8 156->157 158 fc54a9-fc54b5 156->158 160 fc54b9 157->160 158->157 160->160
                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 00FC5421
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.501660199.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_fc0000_g0dvHLi4bP.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: 9dc4a596a644d06c9f1e4b72ca86d3e6faec4cd5dda9d3a5c6bfb67cf6baef62
                                                • Instruction ID: 428b6a4859d4ff5a08b4389169ba4a2e6a451baa41bb18e4f9bee1854c36456f
                                                • Opcode Fuzzy Hash: 9dc4a596a644d06c9f1e4b72ca86d3e6faec4cd5dda9d3a5c6bfb67cf6baef62
                                                • Instruction Fuzzy Hash: 9A413470C0061DCBDB24CFA9C985BDDBBB6FF48308F208469D409AB241D7B1A986CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 161 fc536c-fc5431 CreateActCtxA 163 fc543a-fc5494 161->163 164 fc5433-fc5439 161->164 171 fc5496-fc5499 163->171 172 fc54a3-fc54a7 163->172 164->163 171->172 173 fc54b8 172->173 174 fc54a9-fc54b5 172->174 176 fc54b9 173->176 174->173 176->176
                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 00FC5421
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.501660199.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_fc0000_g0dvHLi4bP.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: 52ce98c4a9dc3def72dda03f7083e7c76e7fa627edfd6676a431fe28a45c23b8
                                                • Instruction ID: 860cdae4490eef38743c8c68e15e5e5f90424f6ce9a707aece5983adbe305227
                                                • Opcode Fuzzy Hash: 52ce98c4a9dc3def72dda03f7083e7c76e7fa627edfd6676a431fe28a45c23b8
                                                • Instruction Fuzzy Hash: 3F410270C0061DCBDB24CFA9C985BDDBBB6FF49308F248469D449AB251D7B16986CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 177 7018930-7018931 178 7018933-7018956 177->178 179 7018957-7018984 177->179 178->179 181 7018986-701898c 179->181 182 701898f-701899e 179->182 181->182 183 70189a0 182->183 184 70189a3-70189dc DrawTextExW 182->184 183->184 185 70189e5-7018a02 184->185 186 70189de-70189e4 184->186 186->185
                                                APIs
                                                • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,0701891D,?,?), ref: 070189CF
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.508747778.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7010000_g0dvHLi4bP.jbxd
                                                Similarity
                                                • API ID: DrawText
                                                • String ID:
                                                • API String ID: 2175133113-0
                                                • Opcode ID: 17c42a557540dadc348c004f1bc322ac30ef2e4c5ecb8c7eeffad6ec0f433cef
                                                • Instruction ID: a766d404a7dedb5eb40e8bcc3830ca3e7c88add95e6a23f2fee8a988ad20a45c
                                                • Opcode Fuzzy Hash: 17c42a557540dadc348c004f1bc322ac30ef2e4c5ecb8c7eeffad6ec0f433cef
                                                • Instruction Fuzzy Hash: EB3112B5D002099FCB00CF9AD8806EEFBF5FB48324F18842AE815A3310D374AA44CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 189 70172f4-7018984 192 7018986-701898c 189->192 193 701898f-701899e 189->193 192->193 194 70189a0 193->194 195 70189a3-70189dc DrawTextExW 193->195 194->195 196 70189e5-7018a02 195->196 197 70189de-70189e4 195->197 197->196
                                                APIs
                                                • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,0701891D,?,?), ref: 070189CF
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.508747778.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7010000_g0dvHLi4bP.jbxd
                                                Similarity
                                                • API ID: DrawText
                                                • String ID:
                                                • API String ID: 2175133113-0
                                                • Opcode ID: 0c8edaa933d72ce762eaf88c68a22d10ec3a65b18eb1ed09b2f8018562225eaf
                                                • Instruction ID: 4412733cb53c5f24d2c3648a1c5bb9355cb5838d6e8143ff990a6234eaf05c04
                                                • Opcode Fuzzy Hash: 0c8edaa933d72ce762eaf88c68a22d10ec3a65b18eb1ed09b2f8018562225eaf
                                                • Instruction Fuzzy Hash: BE31E3B5D002099FDB10CF9AD8846EEFBF5FB48320F18852AE915A7250D374AA44CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 200 fcbab0-fcbb4c DuplicateHandle 201 fcbb4e-fcbb54 200->201 202 fcbb55-fcbb72 200->202 201->202
                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00FCBA7E,?,?,?,?,?), ref: 00FCBB3F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.501660199.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_fc0000_g0dvHLi4bP.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: 5f662b9bfc2c29903a3bb039f7cd62e7c7a0bea6290ea483da27dac12fab8cac
                                                • Instruction ID: 93f81c221d72df2d4737efe534be36df1d3dab301a79f223cebbb4431648919c
                                                • Opcode Fuzzy Hash: 5f662b9bfc2c29903a3bb039f7cd62e7c7a0bea6290ea483da27dac12fab8cac
                                                • Instruction Fuzzy Hash: CA21F2B5D002089FDB10CF9AD585AEEBFF9FB48320F14841AE918A3210D379A945DFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 205 fca2e4-fcbb4c DuplicateHandle 207 fcbb4e-fcbb54 205->207 208 fcbb55-fcbb72 205->208 207->208
                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00FCBA7E,?,?,?,?,?), ref: 00FCBB3F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.501660199.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_fc0000_g0dvHLi4bP.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: f57efed9cd86b24d95189744573ecf9275eb5165aede429d233b7fc6fd5393e1
                                                • Instruction ID: 33a758e9a09d57a1a0d77a0535cdf6f117d257fcd3533883961a814b958bae9b
                                                • Opcode Fuzzy Hash: f57efed9cd86b24d95189744573ecf9275eb5165aede429d233b7fc6fd5393e1
                                                • Instruction Fuzzy Hash: C02103B5D00209AFDB10CF9AD585BEEBBF9FB48324F14841AE914A7310D374A954DFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

Control-flow Graph

Rendered as an image in the original (executed/not-executed colouring not preserved); recovered structure: block fc88d8-fc9a50 branches to fc9a52-fc9a55 or directly to fc9a58-fc9a87; fc9a52-fc9a55 joins fc9a58-fc9a87, which calls LoadLibraryExW and then branches to fc9a89-fc9a8f or fc9a90-fc9aad; fc9a89-fc9a8f falls through to fc9a90-fc9aad.
                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00FC9869,00000800,00000000,00000000), ref: 00FC9A7A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.501660199.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_fc0000_g0dvHLi4bP.jbxd
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                • Opcode ID: cb025289dc304c995ab96ff0851cdebf2f5cf73097f9e23e0ae67e308d8f90ac
                                                • Instruction ID: a814df79b4b45d4fd92f65a73b0a2aa513ad71e7cdc875bf9ce7129c89d609ac
                                                • Opcode Fuzzy Hash: cb025289dc304c995ab96ff0851cdebf2f5cf73097f9e23e0ae67e308d8f90ac
                                                • Instruction Fuzzy Hash: 521124B6D042099BDB10CF9AC448BEEBBF4AB48324F10842ED419A7200C3B9A945CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

Control-flow Graph

Rendered as an image in the original (executed/not-executed colouring not preserved); recovered structure: block fc9788-fc97c8 branches to fc97ca-fc97cd or directly to fc97d0-fc97fb; fc97ca-fc97cd joins fc97d0-fc97fb, which calls GetModuleHandleW and then branches to fc97fd-fc9803 or fc9804-fc9818; fc97fd-fc9803 falls through to fc9804-fc9818.
                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 00FC97EE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.501660199.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_fc0000_g0dvHLi4bP.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: 298a3935072226bbbf82d3e3cc1cdefa19b5bfad1f53de80bc45a941d7a85741
                                                • Instruction ID: 671874c1097daa34951919ed30e2ac902c5549d6c22e4c5532b367ab35e40c02
                                                • Opcode Fuzzy Hash: 298a3935072226bbbf82d3e3cc1cdefa19b5bfad1f53de80bc45a941d7a85741
                                                • Instruction Fuzzy Hash: A611E0B6C006498FDB10CF9AD548BDEFBF5EF88324F14856AD819A7600D3B4A545CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.501660199.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_fc0000_g0dvHLi4bP.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: be4be565b26eecfb30237f030c22a79a3bc03dd7fd038bc153f93224ea0aa64e
                                                • Instruction ID: dea751029db962ae3432ec42378c7817296816b9ed4486f1ca2de85e9cf1190f
                                                • Opcode Fuzzy Hash: be4be565b26eecfb30237f030c22a79a3bc03dd7fd038bc153f93224ea0aa64e
                                                • Instruction Fuzzy Hash: 8E12D7F9C917468FE312CF65E8981893BE1B741328BD84A08D2611BAE5D7BC117ECF48
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.501660199.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_fc0000_g0dvHLi4bP.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8fe33568ef622bc9032e806997cf376e137145cc69387cc75341d3595744b129
                                                • Instruction ID: 830c322aa7f7f18eaf9127f7567ba20118fe6177fee4ded4a244acb821c253ae
                                                • Opcode Fuzzy Hash: 8fe33568ef622bc9032e806997cf376e137145cc69387cc75341d3595744b129
                                                • Instruction Fuzzy Hash: 19A18E36E0020A8FCF05DFA5D945ADEB7B2FF84300B15857AE805BB261EB75AD15DB80
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.501660199.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_fc0000_g0dvHLi4bP.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d875d3e72cf0f60aab7cbcd33bde57c2ab7aa9fd921063d447ffd3c5459e34d9
                                                • Instruction ID: 9110558affd1f62375e4aa2ce1cb6682935f60947d6ca0130497af0652ee5f6e
                                                • Opcode Fuzzy Hash: d875d3e72cf0f60aab7cbcd33bde57c2ab7aa9fd921063d447ffd3c5459e34d9
                                                • Instruction Fuzzy Hash: A3C13BF9C917468FE712CF65E8981893BA1BB45328FD94B08D2612B6D4D7BC107ACF48
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Execution Graph

                                                Execution Coverage:23.4%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:0.6%
                                                Total number of Nodes:480
                                                Total number of Limit Nodes:15
execution_graph (Graphviz edge list, rendered as an image in the original). Recovered call trees, by entry address, with the API call sites each one reaches:
• 67e3c68: GetModuleHandleW (67e4148), LoadLibraryExW (67e4368), CreateWindowExW (67e63b8)
• 158add0: LoadLibraryA (158c8f0)
• 1580850: GetUserNameW (6374ebc, 6374ed4, 6375468, 6375657, 6375668); DeleteFileW (6375cfc, 63762c8, 637646a, 63764a9, 63765d9, 63765e8, 63767b8); a collapsed node at 637695b summarised as "104 API calls"; and 47 near-identical functions from 63777d2 to 6378427 that each reach KiUserExceptionDispatcher (call sites 63777d8, 6377ebc, 6377ed8, 6377f62, 6377f81, 637844e)
• 1584540: RtlEncodePointer (1584cb9, 1584cc8, 1584d2c)
• 67e6570: CallWindowProcW (67e89fa)
• 67ea5a0: OleInitialize (67ea920)
The 158xxxx and 0637xxxx nodes are connected by edges and so belong to the same process; the 0637xxxx addresses fall inside the process 8 memory dump at 06370000 referenced by the function entries below (based on PE: false, i.e. the region is not backed by an on-disk image).
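The execution_graph text above is a flat token stream (node id, hex address, optional API label or an "N API calls" summary, and id->id edges). The following is an added example, not Joe Sandbox code, that parses that stream and answers the question an analyst actually has: which APIs does a given entry point reach? The token grammar is inferred from the report text rather than from a published specification, and the embedded sample is a hand-retyped, self-consistent subset of the process 8 graph (entry 1580850) shown above.

```python
"""Parse a Joe Sandbox execution_graph edge list and report which APIs an
entry point reaches.  Added example, not Joe Sandbox code.  The grammar
(id, hex address, optional API label or "N API calls" summary, id->id edges)
is inferred from the report text, not from a published spec."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed sample: a consistent subset of the process 8 graph from the
# report above (entry 1580850), retyped by hand for this example.
SAMPLE_GRAPH = """
28713 1580850 28714 158085d 28713->28714 28721 1581bf0 28714->28721
28715 1580869 28735 6376038 28715->28735 28716 158086f
28722 1581c0b 28721->28722 28756 6375330 28722->28756 28724 1581c93 28724->28715
28757 6375348 28756->28757 28759 6374ebc GetUserNameW 28757->28759
28760 1581c5f 28759->28760 28760->28724
28736 6376048 28735->28736 28789 63762c8 28736->28789 28737 63760cf 28794 637695b 28737->28794
28790 63765ce 28789->28790 28791 63762fc 28789->28791 28790->28737
28792 63765d9 DeleteFileW 28791->28792 28792->28790
28795 6376971 28794->28795 28820 6376a68 28795->28820 28821 6376a78 28820->28821
28960 63777d2 28821->28960 28961 63777d8 KiUserExceptionDispatcher 28960->28961
28750 637695b 104 API calls 28745->28750
"""

NODE_ID = re.compile(r"^\d+$")                 # report node ids are short decimal
ADDR = re.compile(r"^[0-9a-f]{6,8}$")          # lowercase hex, no 0x prefix
EDGE = re.compile(r"^(\d+)->(\d+)$")
API_NAME = re.compile(r"^[A-Z][A-Za-z0-9]+$")  # GetUserNameW, KiUserExceptionDispatcher, ...


@dataclass
class Node:
    addr: str
    apis: list = field(default_factory=list)
    summary_calls: int = 0  # from an "N API calls" label on a collapsed node


def parse_execution_graph(text):
    """Return (nodes, edges): nodes maps id -> Node, edges maps id -> set(id)."""
    tokens = text.split()
    nodes, edges = {}, defaultdict(set)
    cur, i = None, 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        m = EDGE.match(tok)
        if m:
            edges[m.group(1)].add(m.group(2))
            i += 1
        elif NODE_ID.match(tok) and ADDR.match(nxt):
            cur = nodes[tok] = Node(addr=nxt)  # "<id> <addr>" starts a new node
            i += 2
        elif NODE_ID.match(tok) and nxt == "API" and tokens[i + 2:i + 3] == ["calls"]:
            if cur is not None:
                cur.summary_calls = int(tok)   # "<N> API calls" on a collapsed node
            i += 3
        else:
            if cur is not None and API_NAME.match(tok):
                cur.apis.append(tok)           # API label attached to the current node
            i += 1
    return nodes, edges


def reachable(edges, root):
    """Node ids reachable from root (root included), by breadth-first search."""
    seen, queue = {root}, deque([root])
    while queue:
        for m in edges.get(queue.popleft(), ()):
            if m not in seen:
                seen.add(m)
                queue.append(m)
    return seen


def reachable_apis(nodes, edges, root):
    """Set of API names on any node reachable from root."""
    return {api for n in reachable(edges, root) if n in nodes for api in nodes[n].apis}


def api_sites(nodes):
    """Map API name -> sorted addresses of the nodes labelled with it."""
    sites = defaultdict(set)
    for node in nodes.values():
        for api in node.apis:
            sites[api].add(node.addr)
    return {api: sorted(addrs) for api, addrs in sites.items()}


if __name__ == "__main__":
    nodes, edges = parse_execution_graph(SAMPLE_GRAPH)
    print("entry 1580850 reaches:", sorted(reachable_apis(nodes, edges, "28713")))
    print("call sites:", api_sites(nodes))
```

Feed it the full edge list from the report and the per-entry API sets fall out directly (for 1580850: GetUserNameW, DeleteFileW and KiUserExceptionDispatcher); the addresses from api_sites can be matched against the "ref:" lines in the function entries below.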
                                                APIs
                                                • GetUserNameW.ADVAPI32(00000000,00000000), ref: 063755A3
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.708076665.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_6370000_g0dvHLi4bP.jbxd
                                                Similarity
                                                • API ID: NameUser
                                                • String ID:
                                                • API String ID: 2645101109-0
                                                • Opcode ID: 07e7b90daa4a850d4fbc5b1f20362ec8bd6d9bd98f6702659f49864467c038a2
                                                • Instruction ID: cfc506d088a55338d821ccbea4c1e4cf12cac4c4ae176fc942263b189878f144
                                                • Opcode Fuzzy Hash: 07e7b90daa4a850d4fbc5b1f20362ec8bd6d9bd98f6702659f49864467c038a2
                                                • Instruction Fuzzy Hash: 42512870D102188FDB58CFA9D894B9EBBF2BF48324F158519E816BB350DB789845CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 06377EBC
                                                • KiUserExceptionDispatcher.NTDLL ref: 06377F62
                                                • KiUserExceptionDispatcher.NTDLL ref: 0637844E
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.708076665.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_6370000_g0dvHLi4bP.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 8c91d19328d61565dfe94f2790e9f75d29e5b1eda64d4725d16e85ae3379698a
                                                • Instruction ID: 0269ceb8064061391eafdc532ce46283e22b72de9cd12d688ea13c11f7c497dc
                                                • Opcode Fuzzy Hash: 8c91d19328d61565dfe94f2790e9f75d29e5b1eda64d4725d16e85ae3379698a
                                                • Instruction Fuzzy Hash: 5302F938905298CFCBA5DF60D9886A9B7B6FF49306F1081E9D50E62344DB359E81CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

Control-flow Graph

Rendered as an image in the original (executed/not-executed colouring not preserved); recovered structure: block 63777d2-6378496 calls KiUserExceptionDispatcher three times, then falls through to 637849c-63784df.
                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 06377EBC
                                                • KiUserExceptionDispatcher.NTDLL ref: 06377F62
                                                • KiUserExceptionDispatcher.NTDLL ref: 0637844E
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.708076665.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_6370000_g0dvHLi4bP.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: e8283b7095ab8edfdc03befe7fa337c1afe5522c9f18f9fea4708493bdfbafd1
                                                • Instruction ID: 09b37138bf43f91884f7999fbb174105b2030600d155998d5118d6509e19d5bf
                                                • Opcode Fuzzy Hash: e8283b7095ab8edfdc03befe7fa337c1afe5522c9f18f9fea4708493bdfbafd1
                                                • Instruction Fuzzy Hash: AB02FA38905398CFCB65DF60D9886A9B7B6FF49306F1081E9D60E62344DB359E81CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 06377EBC
                                                • KiUserExceptionDispatcher.NTDLL ref: 06377F62
                                                • KiUserExceptionDispatcher.NTDLL ref: 0637844E
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.708076665.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_6370000_g0dvHLi4bP.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 9b7ac19296a588538357c50de01c37521fe5ca67c771747408f58e2cf566eee4
                                                • Instruction ID: 09534d396849e877d412e4b2d375c5a474badd7e087c08808dadb859f3157706
                                                • Opcode Fuzzy Hash: 9b7ac19296a588538357c50de01c37521fe5ca67c771747408f58e2cf566eee4
                                                • Instruction Fuzzy Hash: 0D02FA38905298CFCBA5DF70D9886A9B7B6FF49306F1081E9D50E62344DB359E81CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 06377EBC
                                                • KiUserExceptionDispatcher.NTDLL ref: 06377F62
                                                • KiUserExceptionDispatcher.NTDLL ref: 0637844E
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.708076665.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_6370000_g0dvHLi4bP.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 15c053dfc08a10d7325e97763ca1e1ff8fe8e58ca5b31fd51185d8ab80302ae1
                                                • Instruction ID: 3aa64b093278f6e07f243661331c3239e29f0281f5b7b17dbe04addb5aea3372
                                                • Opcode Fuzzy Hash: 15c053dfc08a10d7325e97763ca1e1ff8fe8e58ca5b31fd51185d8ab80302ae1
                                                • Instruction Fuzzy Hash: 25020938905398CFCBA5DF60D9886A9B7B6FF49306F1081E9D60E62344DB359E81CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 06377EBC
                                                • KiUserExceptionDispatcher.NTDLL ref: 06377F62
                                                • KiUserExceptionDispatcher.NTDLL ref: 0637844E
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.708076665.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_6370000_g0dvHLi4bP.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: b53563bd771eb4ac8e3c51c3641ff1d578927bdd2c6772cf7dc1327756990ba5
                                                • Instruction ID: 867730ffa566e48c3ce6ebec11974c26d72cd73c1754b6b68e7547eb24d6ad22
                                                • Opcode Fuzzy Hash: b53563bd771eb4ac8e3c51c3641ff1d578927bdd2c6772cf7dc1327756990ba5
                                                • Instruction Fuzzy Hash: E6F10938905398CFCBA5DF60D9886A9B7B6FF49306F1081E9D60E62344DB359E81CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 06377EBC
                                                • KiUserExceptionDispatcher.NTDLL ref: 06377F62
                                                • KiUserExceptionDispatcher.NTDLL ref: 0637844E
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.708076665.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_6370000_g0dvHLi4bP.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: b4edcd28435f0c788d05ab862be7571c14cb748d7bceec540a61d57442cf1c03
                                                • Instruction ID: 9aad052a428a07b28dd34e5bc6cb60d6d93e5a181595eb6878d037a96a1b1dc6
                                                • Opcode Fuzzy Hash: b4edcd28435f0c788d05ab862be7571c14cb748d7bceec540a61d57442cf1c03
                                                • Instruction Fuzzy Hash: 80F10938905398CFCBA5DF60D9886A9B7B6FF49306F1081E9D60E62344DB359E81CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 06377EBC
                                                • KiUserExceptionDispatcher.NTDLL ref: 06377F62
                                                • KiUserExceptionDispatcher.NTDLL ref: 0637844E
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.708076665.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_6370000_g0dvHLi4bP.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 578ae68a7d4d031a1750e6d3339db05a37b6ef2d452a6bc71450c6ca23246988
                                                • Instruction ID: 748525951d26a1a0a94496c2e68c874a322e7f2420c0c15914cbbf899022facf
                                                • Opcode Fuzzy Hash: 578ae68a7d4d031a1750e6d3339db05a37b6ef2d452a6bc71450c6ca23246988
                                                • Instruction Fuzzy Hash: 10F11938905298CFCBA5DF60D988699B7B6FF49306F1081E9D50E62344DB359E81CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 06377EBC
                                                • KiUserExceptionDispatcher.NTDLL ref: 06377F62
                                                • KiUserExceptionDispatcher.NTDLL ref: 0637844E
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.708076665.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_6370000_g0dvHLi4bP.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 6cb44ccc90a08b84fb67b9b342bde3d646f6cbd70886a548315176711399fda4
                                                • Instruction ID: 657cc645ca953d16b9d24d9ba273b286985868f41dd1060988b1606adc78451f
                                                • Opcode Fuzzy Hash: 6cb44ccc90a08b84fb67b9b342bde3d646f6cbd70886a548315176711399fda4
                                                • Instruction Fuzzy Hash: FEF11938905298CFCBA9DF70D9886A9B7B6FF49306F1081E9D50E62344DB359E81CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 06377EBC
                                                • KiUserExceptionDispatcher.NTDLL ref: 06377F62
                                                • KiUserExceptionDispatcher.NTDLL ref: 0637844E
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.708076665.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_6370000_g0dvHLi4bP.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: df40ea393c6f9672c25b678e32d4c949c1e8165f9c727485b3684263cf65e10f
                                                • Instruction ID: d569db3e73b3605aa5005920c58d3d1b35569ed399deaa320aed19add55c970a
                                                • Opcode Fuzzy Hash: df40ea393c6f9672c25b678e32d4c949c1e8165f9c727485b3684263cf65e10f
                                                • Instruction Fuzzy Hash: C0F10938905298CFCBA9DF70D9886A9B7B6FF49306F1081E9D50E62344DB359E81CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 06377EBC
                                                • KiUserExceptionDispatcher.NTDLL ref: 06377F62
                                                • KiUserExceptionDispatcher.NTDLL ref: 0637844E
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.708076665.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_6370000_g0dvHLi4bP.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: e690cd7ff0847c11d5b9b0cbe7c115330e93d6fe40575182473ad7ba35bd632a
                                                • Instruction ID: 803b2b662e632cd37474f0f7f5483e8d335bd7dcbf303b31692fefe0eb835b61
                                                • Opcode Fuzzy Hash: e690cd7ff0847c11d5b9b0cbe7c115330e93d6fe40575182473ad7ba35bd632a
                                                • Instruction Fuzzy Hash: F8E11938905298CFCBA9DF70D9886A9B7B6FF49306F1041E9D50EA2344DB359E81CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 06377EBC
                                                • KiUserExceptionDispatcher.NTDLL ref: 06377F62
                                                • KiUserExceptionDispatcher.NTDLL ref: 0637844E
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.708076665.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_6370000_g0dvHLi4bP.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 47db322eb42de78b2bf4da6700fe7210fad5741ff068df4580d5276abc2c308d
                                                • Instruction ID: dfa0601ad7e3633f694292bc3cdfa14296361da04bac97f6baf109724e0c1e46
                                                • Opcode Fuzzy Hash: 47db322eb42de78b2bf4da6700fe7210fad5741ff068df4580d5276abc2c308d
                                                • Instruction Fuzzy Hash: 52E11938905298CFCBA9DF70D9886A9B7B6FF49306F1081E9D50E62344DB359E81CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 06377EBC
                                                • KiUserExceptionDispatcher.NTDLL ref: 06377F62
                                                • KiUserExceptionDispatcher.NTDLL ref: 0637844E
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.708076665.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_6370000_g0dvHLi4bP.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 3bb4527fc3e8e3f849b8d51bbfb5cb0f03d4695ae6ba8df266c310864e6acdff
                                                • Instruction ID: 645ff3f63ada8b2c84a9043ccf2c35ea26e3f99e229437441b3eb0eb9204db47
                                                • Opcode Fuzzy Hash: 3bb4527fc3e8e3f849b8d51bbfb5cb0f03d4695ae6ba8df266c310864e6acdff
                                                • Instruction Fuzzy Hash: 20E11A38905298CFCBA9DF70D9886A9B7B6FF49306F1081E9D50E62344DB359E81CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 06377EBC
                                                • KiUserExceptionDispatcher.NTDLL ref: 06377F62
                                                • KiUserExceptionDispatcher.NTDLL ref: 0637844E
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.708076665.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_6370000_g0dvHLi4bP.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 2a80206f82f1dffd30b8ec96bc7bedcb7fc46062bb89c749be4503fcac5f4528
                                                • Instruction ID: 61f3c97ebd4194bc21f3faf104e40a151990a0b6e947c70f276e58449816a422
                                                • Opcode Fuzzy Hash: 2a80206f82f1dffd30b8ec96bc7bedcb7fc46062bb89c749be4503fcac5f4528
                                                • Instruction Fuzzy Hash: ADE10A38905298CFCBA5DF70D9886A9B7B6FF49306F1081E9D60E62344DB359E81CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 06377EBC
                                                • KiUserExceptionDispatcher.NTDLL ref: 06377F62
                                                • KiUserExceptionDispatcher.NTDLL ref: 0637844E
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.708076665.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_6370000_g0dvHLi4bP.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: a80b03c233621c98bcbb634877f4831333226ee12b600076afef55df54a97d23
                                                • Instruction ID: fe76bcf9b8b7568e57c0da76e47905b6805ba6f7a218228641fbbe19cabbe5bf
                                                • Opcode Fuzzy Hash: a80b03c233621c98bcbb634877f4831333226ee12b600076afef55df54a97d23
                                                • Instruction Fuzzy Hash: D5D10A38905298CFCBA5DF70D9886A9B7B6FF49306F1081E9D60E62344DB359E81CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 06377EBC
                                                • KiUserExceptionDispatcher.NTDLL ref: 06377F62
                                                • KiUserExceptionDispatcher.NTDLL ref: 0637844E
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.708076665.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_6370000_g0dvHLi4bP.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: e6528677c61e67a1460a30dc47a939f00a42d1fd0b95ae9b613f4f17e906815b
                                                • Instruction ID: d7394a715ec05ba0edcbc2b086c5ae4d217bda4b70bf5e8e43163e69d58056e2
                                                • Opcode Fuzzy Hash: e6528677c61e67a1460a30dc47a939f00a42d1fd0b95ae9b613f4f17e906815b
                                                • Instruction Fuzzy Hash: 49D10A38905298CFCBA5DF70D9886A9B7B6FF49306F1081E9D50E62344DB359E81CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 06377EBC
                                                • KiUserExceptionDispatcher.NTDLL ref: 06377F62
                                                • KiUserExceptionDispatcher.NTDLL ref: 0637844E
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.708076665.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_6370000_g0dvHLi4bP.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 4fc2eab2619357ef62aaaa6fe615cf9c39c724899520ad72881e3bdc1652bb25
                                                • Instruction ID: 4b76866a0327c19a8245eed38d35f48828cf95498119d13dcafda1f5b991f795
                                                • Opcode Fuzzy Hash: 4fc2eab2619357ef62aaaa6fe615cf9c39c724899520ad72881e3bdc1652bb25
                                                • Instruction Fuzzy Hash: 20D10A38905298CFCBA5DF70D9886A9B7B6FF49306F1081E9D50E62344DB359E81CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 06377EBC
                                                • KiUserExceptionDispatcher.NTDLL ref: 06377F62
                                                • KiUserExceptionDispatcher.NTDLL ref: 0637844E
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.708076665.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_6370000_g0dvHLi4bP.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 5e5976efb2d05f498910f146ce27a499312016ada5effc7dd90e7f99c08bf771
                                                • Instruction ID: f018fe54ba2e1578355ab959e620ab638b3e85d3bae8a94bad6b4314d1280a45
                                                • Opcode Fuzzy Hash: 5e5976efb2d05f498910f146ce27a499312016ada5effc7dd90e7f99c08bf771
                                                • Instruction Fuzzy Hash: 80C10A38905298CFCBA9DF70D9886A9B7B6FF49306F1081E9D50E62344DB355E81CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 06377EBC
                                                • KiUserExceptionDispatcher.NTDLL ref: 06377F62
                                                • KiUserExceptionDispatcher.NTDLL ref: 0637844E
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.708076665.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_6370000_g0dvHLi4bP.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 73193bf05debb1d17cb0e318cc4dd4d1b9669cc18ba10c9c63451122afa88dec
                                                • Instruction ID: cde40d1d4edf986d779b11feaab45586286a03082053a915fc13b7c7fe0d6e51
                                                • Opcode Fuzzy Hash: 73193bf05debb1d17cb0e318cc4dd4d1b9669cc18ba10c9c63451122afa88dec
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 2d72e2c82461d11b4f4067c1024b1db716e7c73c1d692648e6f35b99504ea3ce
                                                • Instruction ID: 498febf2aba08c4f8f0ff7b889ee4aac4c3ff3e1977c5f02882b559b9d56b95e
                                                • Opcode Fuzzy Hash: 2d72e2c82461d11b4f4067c1024b1db716e7c73c1d692648e6f35b99504ea3ce
                                                • Instruction Fuzzy Hash: F341F738905268CFCBA5DF64D888699B7B6BF4A305F1081E9D50EA2344DF359E81CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CallWindowProcW.USER32(?,?,?,?,?), ref: 067E8A21
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.708758266.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_67e0000_g0dvHLi4bP.jbxd
                                                Similarity
                                                • API ID: CallProcWindow
                                                • String ID:
                                                • API String ID: 2714655100-0
                                                • Opcode ID: ba87e6225dc06679b37ac04783865c8d0272c5d42dc9b670f9a4631e855deeea
                                                • Instruction ID: 6d0ab35ee220fc34724879905586395c4b95bb85933808e4c3c8bc315c6ea3bf
                                                • Opcode Fuzzy Hash: ba87e6225dc06679b37ac04783865c8d0272c5d42dc9b670f9a4631e855deeea
                                                • Instruction Fuzzy Hash: 444149B8900209CFDB50CF89C488AAEBBF5FF88314F148859D419AB361D774A845CFA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 0637844E
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.708076665.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_6370000_g0dvHLi4bP.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 590b616985f6cf3c07c4ae1102e249547f3e70e493bdae3e4c7c434c84ac36e0
                                                • Instruction ID: 091950dfbde0f2374a53ed8eeec9729691885376c6d16124fbe9c5fa7a570bba
                                                • Opcode Fuzzy Hash: 590b616985f6cf3c07c4ae1102e249547f3e70e493bdae3e4c7c434c84ac36e0
                                                • Instruction Fuzzy Hash: CD41F638905268CFCBA5DF64D888699B7B6BF4A305F1080E9E50EA2244DF359E81CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • DeleteFileW.KERNELBASE(00000000), ref: 06376828
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.708076665.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_6370000_g0dvHLi4bP.jbxd
                                                Similarity
                                                • API ID: DeleteFile
                                                • String ID:
                                                • API String ID: 4033686569-0
                                                • Opcode ID: d4b560d4d4890bf4bf1e28aaadc2471b5dfcd06e1a7f32a88d84bc9fa23924ee
                                                • Instruction ID: bd6e4dae0b7e53e5bf580120d0713ef539d9a5f11580ac9ac0c7517152c1d939
                                                • Opcode Fuzzy Hash: d4b560d4d4890bf4bf1e28aaadc2471b5dfcd06e1a7f32a88d84bc9fa23924ee
                                                • Instruction Fuzzy Hash: C5318D71D006499FCB10CFAAC8567EEFBF5AF4A320F1485AAD408A7641D7389945CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LoadLibraryA.KERNELBASE(?), ref: 0158C9BA
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.702936830.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1580000_g0dvHLi4bP.jbxd
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                • Opcode ID: 60ee989eceffd76d6c44b690939f290ac4692f670fab2a7da1fa5d2371bf401e
                                                • Instruction ID: 265cd78ca9ca8f7adcc511b69398ab9aa39cdffb34811f3a1f40e743688a207d
                                                • Opcode Fuzzy Hash: 60ee989eceffd76d6c44b690939f290ac4692f670fab2a7da1fa5d2371bf401e
                                                • Instruction Fuzzy Hash: EC3114B0D002499FDB14DFA9D885BEEBBB1BF08314F14856AE815BB280D7B4A445CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LoadLibraryA.KERNELBASE(?), ref: 0158C9BA
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.702936830.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1580000_g0dvHLi4bP.jbxd
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                • Opcode ID: 538e0d6b382893a52fa8eb96d7c89abef18ddb79f94d45fb9aa60e964b4b7cfe
                                                • Instruction ID: aaace32cda7c2db1dcbd8e1103c42d37c06a6d0643a002cc15008ff4cb8c5662
                                                • Opcode Fuzzy Hash: 538e0d6b382893a52fa8eb96d7c89abef18ddb79f94d45fb9aa60e964b4b7cfe
                                                • Instruction Fuzzy Hash: 6B3133B0D002489FDB14DFA9D885BEEBBF1BB08314F14856AE815BB280D7B4A441CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 0637844E
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.708076665.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_6370000_g0dvHLi4bP.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 8e6445d34b60e9f3702e523e405125b03a2001aecf9e0ccad5a4aec49e86107e
                                                • Instruction ID: 0e07e1ccff188fdc284e50ced82f763a3fa5e8e4c5c234855f0eccca3b3680c4
                                                • Opcode Fuzzy Hash: 8e6445d34b60e9f3702e523e405125b03a2001aecf9e0ccad5a4aec49e86107e
                                                • Instruction Fuzzy Hash: C1412738905268CFCBA5DF64D888699B7BAFF49305F1080E9D60EA2240DF359E81CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 0637844E
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.708076665.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_6370000_g0dvHLi4bP.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: fb9f132d22c57152e30425f262c9745b9df99b6a0b3d530f914e52baaa98109c
                                                • Instruction ID: 6f0fc218e6cc7db001cb7588f00b5368a1ca7e9bcd3a04b0af89b34edf39b5e0
                                                • Opcode Fuzzy Hash: fb9f132d22c57152e30425f262c9745b9df99b6a0b3d530f914e52baaa98109c
                                                • Instruction Fuzzy Hash: 37410638A052A8CFCB65DF64D888699B7BAFF49305F1041E9D60EA3340DB759E81CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 0637844E
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.708076665.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_6370000_g0dvHLi4bP.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 15b9534edfbfd7035be8db67e9e2db24542b8ac167bf11a9775de7ea4b431936
                                                • Instruction ID: 2af0420535a1562a15422efcb7d9f1b1762a448eeaf5034154a5fb053309964b
                                                • Opcode Fuzzy Hash: 15b9534edfbfd7035be8db67e9e2db24542b8ac167bf11a9775de7ea4b431936
                                                • Instruction Fuzzy Hash: D5311838A05268CFCB65DF64D88869DB7BAFF4A309F1041E9D60EA2240DB759D81CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 0637844E
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.708076665.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_6370000_g0dvHLi4bP.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: bb3ce7af4db00d2d6862d05859549c57cbc26c3ac7dff9b9eea4d21463e44057
                                                • Instruction ID: 262075b951ee703b819e7b084bac938a593caf3efdf21240f57dc67d105d1e2e
                                                • Opcode Fuzzy Hash: bb3ce7af4db00d2d6862d05859549c57cbc26c3ac7dff9b9eea4d21463e44057
                                                • Instruction Fuzzy Hash: 15311638A05268CFCBA5DF64D888699B7BAFF49315F1040E9D60EA3240DF759E81CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • DeleteFileW.KERNELBASE(00000000), ref: 06376828
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.708076665.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_6370000_g0dvHLi4bP.jbxd
                                                Similarity
                                                • API ID: DeleteFile
                                                • String ID:
                                                • API String ID: 4033686569-0
                                                • Opcode ID: 774d942234539d4c11e908fa685a4fbb4ea6c495a36cdebe71ea1fd4a01631bc
                                                • Instruction ID: 2f9b545ea066138b95fb0a0bb590f44452a4b1e97f48ce1e0edf52cb2efd666e
                                                • Opcode Fuzzy Hash: 774d942234539d4c11e908fa685a4fbb4ea6c495a36cdebe71ea1fd4a01631bc
                                                • Instruction Fuzzy Hash: 1A2113B5C00A1A9BCB20CF9AD4457EEFBF5EF49324F04856AD818A7640D778A944CFE1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,067E41E1,00000800,00000000,00000000), ref: 067E43D2
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.708758266.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_67e0000_g0dvHLi4bP.jbxd
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                • Opcode ID: ec72a5253e64e6152a28f7017fe502bcde3c5026cc03a052db44f8cc48463fcf
                                                • Instruction ID: 0559b964d0b85b4022b3877d64c5d8cd27ba389d15b40b461b7735933f2873c2
                                                • Opcode Fuzzy Hash: ec72a5253e64e6152a28f7017fe502bcde3c5026cc03a052db44f8cc48463fcf
                                                • Instruction Fuzzy Hash: 992115B6C003089FDB10CFAAD484AEEBBF4EB98310F14846AD915A7600C375A545CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 0637844E
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.708076665.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_6370000_g0dvHLi4bP.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 5bd4dae33fb1b4b6faaba135ceb22ea54b8455a00b4c9a0ec3f67eb4eb17ca2a
                                                • Instruction ID: 18cee0db492d61c74b49d06e56c31a6fd16a925d40b1ca1ef4178bc99edfd084
                                                • Opcode Fuzzy Hash: 5bd4dae33fb1b4b6faaba135ceb22ea54b8455a00b4c9a0ec3f67eb4eb17ca2a
                                                • Instruction Fuzzy Hash: 59210538A04268CFCBA5DF64D888699B7BAFF49305F1040E9D54EA3240DF759E81CF92
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • RtlEncodePointer.NTDLL(00000000), ref: 01584D42
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.702936830.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1580000_g0dvHLi4bP.jbxd
                                                Similarity
                                                • API ID: EncodePointer
                                                • String ID:
                                                • API String ID: 2118026453-0
                                                • Opcode ID: b97c4329b4908dde223c437de3a498ac37199583923df99094d18c23968a4bc0
                                                • Instruction ID: de2a4a586ac34a85c5d9bccc17350377b061fb21cbdc3c93ccd8f400b4e9998d
                                                • Opcode Fuzzy Hash: b97c4329b4908dde223c437de3a498ac37199583923df99094d18c23968a4bc0
                                                • Instruction Fuzzy Hash: 17219A798013058FDB90EFA9D54979EBBF4FB44318F20882AD908BB600D7396185CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,067E41E1,00000800,00000000,00000000), ref: 067E43D2
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.708758266.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_67e0000_g0dvHLi4bP.jbxd
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                • Opcode ID: 36c202686b69fa18f1b4e8125053ccd8941b474191adcb57f1dc068d741fc6f1
                                                • Instruction ID: f442c962dfafc8a667afec0c42601b016208117fb2d0cf0594df1c68804871a0
                                                • Opcode Fuzzy Hash: 36c202686b69fa18f1b4e8125053ccd8941b474191adcb57f1dc068d741fc6f1
                                                • Instruction Fuzzy Hash: BE1103B6D003099FDB10CFAAD484AEEFBF5AB98310F14842AE515B7600C375A949CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • RtlEncodePointer.NTDLL(00000000), ref: 01584D42
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.702936830.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1580000_g0dvHLi4bP.jbxd
                                                Similarity
                                                • API ID: EncodePointer
                                                • String ID:
                                                • API String ID: 2118026453-0
                                                • Opcode ID: 2e1eced40843723df79ead8ec2c5de39634c70d291f1d6e7998f79779223c9fa
                                                • Instruction ID: 23ae6eb438271b4aa22d695ae8f23bbef9496ef930286fab3801a7b3fbf08a85
                                                • Opcode Fuzzy Hash: 2e1eced40843723df79ead8ec2c5de39634c70d291f1d6e7998f79779223c9fa
                                                • Instruction Fuzzy Hash: 93119A759013098FDB90EFA9D40879EBBF8FB84314F60892ED908BB600DB796545CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 0637844E
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.708076665.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_6370000_g0dvHLi4bP.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 95d04956740dcd6d5604c5c8c5e8db6db285aa418441df2bc663871a7a843691
                                                • Instruction ID: 2c48021f40baff6dd99c4cf0bcf8c5ba522409340e0bf4606b68c06d303b9bee
                                                • Opcode Fuzzy Hash: 95d04956740dcd6d5604c5c8c5e8db6db285aa418441df2bc663871a7a843691
                                                • Instruction Fuzzy Hash: 51210638A04268CFCB65DF64D88869DB7BAFF49305F1041E9D54EA3240DB749E81CF92
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 067E4166
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.708758266.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_67e0000_g0dvHLi4bP.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: 8fe44988304595543b01e778b7d7cbbf66c02d780458a0be85b9c4417f7b1907
                                                • Instruction ID: b406d88ba9fba4c67b9cd0ebd3f1a75780f3a75adf8d4a267ccb3ab773cbd019
                                                • Opcode Fuzzy Hash: 8fe44988304595543b01e778b7d7cbbf66c02d780458a0be85b9c4417f7b1907
                                                • Instruction Fuzzy Hash: 7011E0B5C006498FDB10CF9AD844BDFFBF4AF89224F14856AD819B7600D375A549CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • OleInitialize.OLE32(00000000), ref: 067EA975
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.708758266.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_67e0000_g0dvHLi4bP.jbxd
                                                Similarity
                                                • API ID: Initialize
                                                • String ID:
                                                • API String ID: 2538663250-0
                                                • Opcode ID: 40ebac9f1e13530f8f51240a7418ef945680aa7b8dee964f1cde9aef7d0bfbed
                                                • Instruction ID: 784923a7d5f9f0fbd8f36da2cdb00e24d0b8140dae9c4cff4a6acad91b7f0512
                                                • Opcode Fuzzy Hash: 40ebac9f1e13530f8f51240a7418ef945680aa7b8dee964f1cde9aef7d0bfbed
                                                • Instruction Fuzzy Hash: E51115B59003488FCB50CF9AD484BDEFBF8EB48324F148559E519A7600D375A944CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 0637844E
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.708076665.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_6370000_g0dvHLi4bP.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 24abf65a62f40d9b864d91dcdaccf02248ee7c62b80f5566c974bd9217cfd0a6
                                                • Instruction ID: 51ac205b549d41bb1e3844b30ce2c68115b56dc1730456160c50c9e6be6f5ef2
                                                • Opcode Fuzzy Hash: 24abf65a62f40d9b864d91dcdaccf02248ee7c62b80f5566c974bd9217cfd0a6
                                                • Instruction Fuzzy Hash: 4611F834A04268CFCB69DF60D88869DB3B9FF4A305F1040E9D60AA3240DF745E81CF92
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 0637844E
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.708076665.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_6370000_g0dvHLi4bP.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: c9932b71023fd35ae50a5a990a4b4fdc519b6d2c967c73567f44bf18caf868e6
                                                • Instruction ID: 1bdd2c666ca18c6c6488f6c928afc4abfb91d7d9e6ef46ef77a35fafd9fcbd0f
                                                • Opcode Fuzzy Hash: c9932b71023fd35ae50a5a990a4b4fdc519b6d2c967c73567f44bf18caf868e6
                                                • Instruction Fuzzy Hash: 2001D734A05268CFCBA8DB64D88969DB3B9FF45315F1040E9D609A3240DF745A81CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 0637844E
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.708076665.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_6370000_g0dvHLi4bP.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 6e65d4714045e067a2e3ade413383b1fcd2bd9a675a1a2ca68eee83c3624ef10
                                                • Instruction ID: 1856b6a7228e244f58b8722328f4b5b9d84906bdec3dd649454ae2bc50a77f5e
                                                • Opcode Fuzzy Hash: 6e65d4714045e067a2e3ade413383b1fcd2bd9a675a1a2ca68eee83c3624ef10
                                                • Instruction Fuzzy Hash: 6EF0C439A0526CCFCBA8DB64D8896DDB3B9FF45315F1040EAD609A3240DB345A81CFA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

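                                                The per-function records above, and the execution-graph dump that follows, share a fixed layout: a bulleted API list with module and call-site address, a dump-source line whose first dotted field is the process ID in hex (it matches the `hcaresult_<pid>_...` snapshot name), and the Opcode ID / API String ID / Instruction Fuzzy Hash triple used for similarity pivots. The parser below is an added example for this page, not Joe Sandbox code or part of its report tooling; its regexes assume the layout exactly as extracted here (bullet, field name, colon), and its sample inputs are excerpts copied from this report's own records and graph line.

```python
"""Parse Joe Sandbox per-function "Similarity" records and execution-graph dumps.
Added example, not Joe Sandbox code; field layout is assumed from the records as
extracted on this page, and the excerpts below are copied from those records."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Three records excerpted from this report (constructed sample input).
REPORT_EXCERPT = """\
APIs
• KiUserExceptionDispatcher.NTDLL ref: 0637844E
Memory Dump Source
• Source File: 00000008.00000002.708076665.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false
Similarity
• API ID: DispatcherExceptionUser
• API String ID: 6842923-0
• Opcode ID: 24abf65a62f40d9b864d91dcdaccf02248ee7c62b80f5566c974bd9217cfd0a6
• Instruction Fuzzy Hash: 4611F834A04268CFCB69DF60D88869DB3B9FF4A305F1040E9D60AA3240DF745E81CF92
Uniqueness Score: -1.00%
APIs
• GetCurrentProcess.KERNEL32 ref: 00FEB8F0
• GetCurrentThread.KERNEL32 ref: 00FEB92D
• GetCurrentProcess.KERNEL32 ref: 00FEB96A
• GetCurrentThreadId.KERNEL32 ref: 00FEB9C3
Memory Dump Source
• Source File: 0000000C.00000002.602921520.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
Similarity
• API ID: Current$ProcessThread
• API String ID: 2063062207-0
• Opcode ID: 4569cef9dc53d1dfc93415746b42a03cf8b0216b3dee371b163dea70a5e8070d
• Instruction Fuzzy Hash: C05163B0D006498FDB10CFAAD588BEEBBF5FF48318F24899AE019A7251C7749944CF65
Uniqueness Score: -1.00%
APIs
• CreateActCtxA.KERNEL32(?), ref: 00FE5421
Memory Dump Source
• Source File: 0000000C.00000002.602921520.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
Similarity
• API ID: Create
• API String ID: 2289755597-0
• Opcode ID: db9532f87ff4e8b2c969816701d4d6d2957e5f419350b5bb89c94f52428f841e
• Instruction Fuzzy Hash: E441E271C0065CCFDB24CFAAC844BDEBBB6BF49708F208469D409AB251D7755986DF90
Uniqueness Score: -1.00%
"""

# Part of the execution_graph dump from this report (constructed sample input).
GRAPH_EXCERPT = ("execution_graph 25617 febab8 DuplicateHandle 25618 febb4e 25617->25618 "
                 "25627 fe97d0 GetModuleHandleW 25628 fe97fd 25627->25628 "
                 "25706 fea25c 2 API calls 25704->25706 "
                 "25721 fee728 LoadLibraryExW GetModuleHandleW 25719->25721 "
                 "25729 feb890 GetCurrentProcess 25730 feb90a GetCurrentThread 25729->25730")

API_RE = re.compile(r"•\s*(\w+)\.(\w+)(?:\([^)]*\))?,?\s*ref:\s*([0-9A-Fa-f]+)")
SRC_RE = re.compile(r"Source File:\s*(\S+?\.sdmp),\s*Offset:\s*([0-9A-Fa-f]+)")
END_RE = re.compile(r"^\s*Uniqueness Score:.*$", re.M)
# "<node id> <hex address> <ApiName>..." in the graph dump; "2 API calls" summaries are skipped.
NODE_RE = re.compile(r"(?<!\S)\d+ ([0-9a-f]{6,8})((?: [A-Z]\w+)+)")


@dataclass
class FunctionRecord:
    pid: int            # first dotted field of the .sdmp name, hex (matches hcaresult_<pid>_...)
    base: int           # dump region base, the "Offset" value
    apis: list          # (function, module, call-site address) in report order
    api_string_id: str
    opcode_id: str
    fuzzy_hash: str


def _field(chunk, name):
    m = re.search(r"•\s*" + re.escape(name) + r":[ \t]*(.*)", chunk)
    return m.group(1).strip() if m else ""


def parse_records(text):
    """One FunctionRecord per block terminated by a 'Uniqueness Score' line."""
    out = []
    for chunk in END_RE.split(text):
        src = SRC_RE.search(chunk)
        if not src:
            continue  # text after the last record, or a block without a dump source
        out.append(FunctionRecord(
            pid=int(src.group(1).split(".")[0], 16),
            base=int(src.group(2), 16),
            apis=[(f, m, int(r, 16)) for f, m, r in API_RE.findall(chunk)],
            api_string_id=_field(chunk, "API String ID"),
            opcode_id=_field(chunk, "Opcode ID"),
            fuzzy_hash=_field(chunk, "Instruction Fuzzy Hash"),
        ))
    return out


def group_by_api_set(records):
    """Map each distinct set of referenced APIs to the Opcode IDs that reference it."""
    groups = defaultdict(list)
    for r in records:
        groups[tuple(sorted({f for f, _, _ in r.apis}))].append(r.opcode_id)
    return dict(groups)


def graph_api_nodes(graph_text):
    """(address, [API names]) for every execution_graph node that names an API."""
    return [(addr, names.split()) for addr, names in NODE_RE.findall(graph_text)]


if __name__ == "__main__":
    for rec in parse_records(REPORT_EXCERPT):
        print(f"pid {rec.pid} base {rec.base:#x} {rec.opcode_id[:12]}", rec.apis)
    print(graph_api_nodes(GRAPH_EXCERPT))
```

Grouping by API set is the useful pivot here: records with the same API String ID but different Opcode IDs (the three KiUserExceptionDispatcher entries above, all in the pid 8 region at 06370000) are distinct code at distinct locations that reference the same call target, which is what one would expect from unpacked .NET runtime helpers rather than from a single copied function.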
                                                Execution Graph

                                                Execution Coverage:8.4%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:0%
                                                Total number of Nodes:96
                                                Total number of Limit Nodes:9

                                                Execution graph (rendered image not reproduced; the call chains recovered from the graph data, with the APIs reached on each):
                                                • febab8: DuplicateHandle
                                                • fe94b0 -> fe95a8 / fe9598 -> fe9830 / fe9820 -> fe88d8 -> fe9a10: LoadLibraryExW; fe95cb -> fe97d0: GetModuleHandleW
                                                • fe40d0 -> fe40e2 -> fe41e0 -> fe42e0 / fe42d0 -> fe38a8 -> fe5370: CreateActCtxA
                                                • fe40d0 -> fe40ee -> fe3868 -> fe586c -> fe588c -> fe58bc -> fe58ec -> feb5b9 -> feb778 / feb769 -> fea25c -> fec078 -> fee290 / fee2a8 -> fee728 / fee717: LoadLibraryExW, GetModuleHandleW
                                                • feb890: GetCurrentProcess -> feb90a: GetCurrentThread -> feb947: GetCurrentProcess -> feb9a5: GetCurrentThreadId

                                                Control-flow Graph

                                                (graph image not reproduced; basic blocks span 6e1ace8-6e1bbb9 and the graph contains no API call sites or internal calls)
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.618103000.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_6e10000_AheGmkp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: UUUU$kZq5
                                                • API String ID: 0-931032149
                                                • Opcode ID: 1577902463193441f949c8c9eec0ffec183c4ca1123253042630cbb9032b6b70
                                                • Instruction ID: 3b0b6ce8a974aef215a310bb63e8b59737c0f3626fca73692263de685621376f
                                                • Opcode Fuzzy Hash: 1577902463193441f949c8c9eec0ffec183c4ca1123253042630cbb9032b6b70
                                                • Instruction Fuzzy Hash: B2A2A475A00228DFDB64CF69C984AD9BBB2BF89304F1581E9D509AB325DB319E81DF40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.618103000.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_6e10000_AheGmkp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4e2337d73cb32ef9bd121611da554af6bc5939734b6060a22d55cdd85e4628e1
                                                • Instruction ID: 5750476cdbfce40fd4f6d2c8f599e300614a515aa5ae9cf16a85584b953300cd
                                                • Opcode Fuzzy Hash: 4e2337d73cb32ef9bd121611da554af6bc5939734b6060a22d55cdd85e4628e1
                                                • Instruction Fuzzy Hash: 71824B34B00209CFCB54CF68C984AAEBBF2BF88318F159559E5069F265DB30ED85DB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.618103000.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_6e10000_AheGmkp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c32b9720c66c59c3f6007f76bb1406e975027dfec8cf51b3df2092ed55920a40
                                                • Instruction ID: 8316afb0b895a74204b1136feb1882426c2e3d4e2de400515d438d2819946dd0
                                                • Opcode Fuzzy Hash: c32b9720c66c59c3f6007f76bb1406e975027dfec8cf51b3df2092ed55920a40
                                                • Instruction Fuzzy Hash: 4ED12C70A10219CFDB94CF99C884AADBBF2BF88308F559165E415AF261DB30ED82DF50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.618103000.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_6e10000_AheGmkp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5a8a68ef51a90d5aa339a690a02d50dcc823aafebb03eedeb17a06efc81bf9ee
                                                • Instruction ID: 625763eab6410ce0c36f8543337de98d057d43137ae9fa678d74628f3e3656bd
                                                • Opcode Fuzzy Hash: 5a8a68ef51a90d5aa339a690a02d50dcc823aafebb03eedeb17a06efc81bf9ee
                                                • Instruction Fuzzy Hash: 26814770E002198BCB44DBE9C5856EEBBF6AFC8314F24D169E414AB759EB309D41CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.618103000.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_6e10000_AheGmkp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 702d0c3449da96e19c0e1afb218d25ad1172389cd05aa27eaedd8508a2c3be80
                                                • Instruction ID: 9863e3c75eec621773e8361910ac158770e9c2f65d21e9a72e9cb1a34e4e7db1
                                                • Opcode Fuzzy Hash: 702d0c3449da96e19c0e1afb218d25ad1172389cd05aa27eaedd8508a2c3be80
                                                • Instruction Fuzzy Hash: 3B9125B1E002198FDB04DFE9C8856DEBBF6EB88314F10C16AE505AB255EB3099469F60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.618103000.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_6e10000_AheGmkp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bac108fe8ecf22de260447e113546398eb15e85b91ca6dfd9dacecf9825306d3
                                                • Instruction ID: a5342735c6e9b5aef07b09cd34b7ef578dd2ec17957d87daeb99e4d0d4f73850
                                                • Opcode Fuzzy Hash: bac108fe8ecf22de260447e113546398eb15e85b91ca6dfd9dacecf9825306d3
                                                • Instruction Fuzzy Hash: EB5128B1E002198FDB04DFEAC9856DEBBF6EFC8304F24C16AD509AB255EB3059469F50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • GetCurrentProcess.KERNEL32 ref: 00FEB8F0
                                                • GetCurrentThread.KERNEL32 ref: 00FEB92D
                                                • GetCurrentProcess.KERNEL32 ref: 00FEB96A
                                                • GetCurrentThreadId.KERNEL32 ref: 00FEB9C3
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.602921520.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_fe0000_AheGmkp.jbxd
                                                Similarity
                                                • API ID: Current$ProcessThread
                                                • String ID:
                                                • API String ID: 2063062207-0
                                                • Opcode ID: 4569cef9dc53d1dfc93415746b42a03cf8b0216b3dee371b163dea70a5e8070d
                                                • Instruction ID: d849a0797e5878238414f5fc1bd01762665b3aea48c9c1ce6cdeb81f8e6a63a6
                                                • Opcode Fuzzy Hash: 4569cef9dc53d1dfc93415746b42a03cf8b0216b3dee371b163dea70a5e8070d
                                                • Instruction Fuzzy Hash: C05163B0D006498FDB10CFAAD588BEEBBF5FF48318F24899AE019A7251C7749944CF65
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                (graph image not reproduced; basic blocks span feb890-feba3f; call sites in order: GetCurrentProcess, GetCurrentThread, GetCurrentProcess, GetCurrentThreadId; the block at feb99f calls either feba40 or febe30)
                                                APIs
                                                • GetCurrentProcess.KERNEL32 ref: 00FEB8F0
                                                • GetCurrentThread.KERNEL32 ref: 00FEB92D
                                                • GetCurrentProcess.KERNEL32 ref: 00FEB96A
                                                • GetCurrentThreadId.KERNEL32 ref: 00FEB9C3
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.602921520.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_fe0000_AheGmkp.jbxd
                                                Similarity
                                                • API ID: Current$ProcessThread
                                                • String ID:
                                                • API String ID: 2063062207-0
                                                • Opcode ID: d60757f1269ddb13d8b1b2dcb84ccee2dbfcbaf921e1529c4df815ee9dd7feca
                                                • Instruction ID: 3b69e792cb9daa31c6b4af750136789d6b918836e336c9a330f5021b4d1df5ee
                                                • Opcode Fuzzy Hash: d60757f1269ddb13d8b1b2dcb84ccee2dbfcbaf921e1529c4df815ee9dd7feca
                                                • Instruction Fuzzy Hash: 8E5163B0D006488FDB10CFAAC548BEEBBF5BF48314F2088AAE019A7351C7749944CF65
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                (graph image not reproduced; basic blocks span 555f7f0-555fd34; no API call sites; internal calls to 555f640 at 555f823, to 555f7f0 itself at 555f838, to 555fd48 at 555fbab, and from 555f910 to 6e12561, 6e12570 or 6e1273d in the 06E10000 region)
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.611886332.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_5550000_AheGmkp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Xc/m$Xc/m
                                                • API String ID: 0-2903440145
                                                • Opcode ID: b92adc5c2439bd66ec5daf4fffba296aa798894d4365076b1c6ac63de643a982
                                                • Instruction ID: 61f079c59bd2ad05e629cfdad7ce6bd344307b1c11c1680b72f51646c8596d22
                                                • Opcode Fuzzy Hash: b92adc5c2439bd66ec5daf4fffba296aa798894d4365076b1c6ac63de643a982
                                                • Instruction Fuzzy Hash: B3E1BA747141159FCB159B64C868B7E7BA7BF88328F14882AF906CB384CF70DC469B92
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                (graph image not reproduced; basic blocks span fe95a8-fe9818; GetModuleHandleW is called in block fe97d0-fe97fb; internal calls to fe7294, to fe9830 or fe9820 at fe95c5, and to fe887c, fe888c, fe889c and fe88ac)
                                                APIs
                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00FE97EE
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.602921520.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_fe0000_AheGmkp.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: 6489eb177fe9d2ec808460a1394e7380d0eb547ea965ced7cf32b0a49a864bae
                                                • Instruction ID: e3231d97f0888e5fcf0898839d7c7e59955a67c88a59903c0a249daf21ef9a0d
                                                • Opcode Fuzzy Hash: 6489eb177fe9d2ec808460a1394e7380d0eb547ea965ced7cf32b0a49a864bae
                                                • Instruction Fuzzy Hash: 85714570A04B458FDB24DF6AC45179AB7F5BF88314F00892EE44ADBA40DBB5E905CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                (graph image not reproduced; basic blocks span fe5364-fe54b9; CreateActCtxA is called in the entry block fe5364-fe5431; the final block fe54b9 branches back to itself)
                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 00FE5421
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.602921520.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_fe0000_AheGmkp.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: db9532f87ff4e8b2c969816701d4d6d2957e5f419350b5bb89c94f52428f841e
                                                • Instruction ID: 5a4a44d2557eaf78cb60815dc6f543ae22010719fad182aa9e02e07bb83cfa92
                                                • Opcode Fuzzy Hash: db9532f87ff4e8b2c969816701d4d6d2957e5f419350b5bb89c94f52428f841e
                                                • Instruction Fuzzy Hash: E641E271C0065CCFDB24CFAAC844BDEBBB6BF49708F208469D409AB251D7755986DF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                (graph image not reproduced; entry fe38a8, basic blocks end at fe54b9 and are the same as for fe5364; CreateActCtxA is called in the first block fe38a8-fe5431; the final block fe54b9 branches back to itself)
                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 00FE5421
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.602921520.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_fe0000_AheGmkp.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph (basic blocks with address ranges and successor edges)
                                                • Block 427: febab0-febab2, successor 428
                                                • Block 428: febab8-febb4c, calls DuplicateHandle, successors 429, 430
                                                • Block 429: febb4e-febb54, successor 430
                                                • Block 430: febb55-febb72
                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00FEBB3F
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.602921520.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_fe0000_AheGmkp.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph (basic blocks with address ranges and successor edges)
                                                • Block 433: febab8-febb4c, calls DuplicateHandle, successors 434, 435
                                                • Block 434: febb4e-febb54, successor 435
                                                • Block 435: febb55-febb72
                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00FEBB3F
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.602921520.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_fe0000_AheGmkp.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph (basic blocks with address ranges and successor edges)
                                                • Block 438: fe88d8-fe9a50, successors 440, 441
                                                • Block 440: fe9a58-fe9a87, calls LoadLibraryExW, successors 442, 443
                                                • Block 441: fe9a52-fe9a55, successor 440
                                                • Block 442: fe9a89-fe9a8f, successor 443
                                                • Block 443: fe9a90-fe9aad
                                                APIs
                                                • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,00FE9869,00000800,00000000,00000000), ref: 00FE9A7A
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.602921520.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_fe0000_AheGmkp.jbxd
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph (basic blocks with address ranges and successor edges)
                                                • Block 446: fe9a08-fe9a50, successors 448, 449
                                                • Block 448: fe9a58-fe9a87, calls LoadLibraryExW, successors 450, 451
                                                • Block 449: fe9a52-fe9a55, successor 448
                                                • Block 450: fe9a89-fe9a8f, successor 451
                                                • Block 451: fe9a90-fe9aad
                                                APIs
                                                • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,00FE9869,00000800,00000000,00000000), ref: 00FE9A7A
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.602921520.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_fe0000_AheGmkp.jbxd
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph (basic blocks with address ranges and successor edges)
                                                • Block 454: fe9788-fe97c8, successors 455, 456
                                                • Block 455: fe97ca-fe97cd, successor 456
                                                • Block 456: fe97d0-fe97fb, calls GetModuleHandleW, successors 457, 458
                                                • Block 457: fe97fd-fe9803, successor 458
                                                • Block 458: fe9804-fe9818
                                                APIs
                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00FE97EE
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.602921520.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_fe0000_AheGmkp.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.618103000.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_6e10000_AheGmkp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $,/m
                                                • API String ID: 0-509377913
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.618103000.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_6e10000_AheGmkp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $,/m
                                                • API String ID: 0-509377913
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.618103000.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_6e10000_AheGmkp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.618103000.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_6e10000_AheGmkp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.618103000.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_6e10000_AheGmkp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.618103000.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_6e10000_AheGmkp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.618103000.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_6e10000_AheGmkp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.611886332.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_5550000_AheGmkp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.618103000.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_6e10000_AheGmkp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.618103000.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_6e10000_AheGmkp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.618103000.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_6e10000_AheGmkp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.611886332.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_5550000_AheGmkp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.618103000.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_6e10000_AheGmkp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.618103000.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_6e10000_AheGmkp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.618103000.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_6e10000_AheGmkp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.618103000.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_6e10000_AheGmkp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.611886332.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_5550000_AheGmkp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2f6a445e634ee5f8afcff71a06f2bcbfcaad2f9ef5c325f736440293e03c1cae
                                                • Instruction ID: 30ef3af825252adbbdaca5097d81224fd8cce6463ea6ae52533bae332c2c709a
                                                • Opcode Fuzzy Hash: 2f6a445e634ee5f8afcff71a06f2bcbfcaad2f9ef5c325f736440293e03c1cae
                                                • Instruction Fuzzy Hash: 0A21D2353046118BC7249B29D864A3EBB93BF89769709447AE90BCB354DF30EC058BD0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.618103000.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_6e10000_AheGmkp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 74e9114c13ee557ca1952e5e3c9bc3290b3b504c01bb107b88764c7cf6b59358
                                                • Instruction ID: 6f0f58bbff704f51684b689f9d45244b8193a5054da634012b55510ea858087e
                                                • Opcode Fuzzy Hash: 74e9114c13ee557ca1952e5e3c9bc3290b3b504c01bb107b88764c7cf6b59358
                                                • Instruction Fuzzy Hash: 4021F375A04318DFCB51CB69CC44AAEBBF4EF4A324B148267E015DF3E1D6344A00DBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.601067685.0000000000CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_cbd000_AheGmkp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8a426c3e8726bacb0e2403d68e73ca849f94876b573f9c2f8e808377a3980429
                                                • Instruction ID: ea39c12777826d5c88c132e4841f4cf86b2ec66215f5af9ce3ee3a2e42bf739b
                                                • Opcode Fuzzy Hash: 8a426c3e8726bacb0e2403d68e73ca849f94876b573f9c2f8e808377a3980429
                                                • Instruction Fuzzy Hash: 72213775504340DFCB14EF50E4C4BA6BBA5FB84324F24C9A9D80A0B346D33AD807CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.601067685.0000000000CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_cbd000_AheGmkp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 429d9714eb301086274adfd7a90d29663480c6fce0cff7d7bc76fc18abb372eb
                                                • Instruction ID: 4b2c199cc2e1a4c64ea24ebd6de9cf2182378671b1cab21e58cda345443c41f8
                                                • Opcode Fuzzy Hash: 429d9714eb301086274adfd7a90d29663480c6fce0cff7d7bc76fc18abb372eb
                                                • Instruction Fuzzy Hash: F1210775504284EFDB05CF50D5C4BA6BBA5FB84318F24C9ADE84A4B242D336DC46CB62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.618103000.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_6e10000_AheGmkp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8317783032f5c6e5d80a517d233a42816b360c618ddf894de43c7a0ea574e2c1
                                                • Instruction ID: b8dd554044f3ffef95dbfeb8b2a92ca5952823cb108e91e356c7104487ac0456
                                                • Opcode Fuzzy Hash: 8317783032f5c6e5d80a517d233a42816b360c618ddf894de43c7a0ea574e2c1
                                                • Instruction Fuzzy Hash: D831E0B5C01318DFDB50CF99C589BDEBBF5AB08318F24851AE404BB680C7B5594ADF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.618103000.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_6e10000_AheGmkp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 107ce52e653eab58c3d5c2d5c84059c9fe778c64fa1cc705593e64855dbce559
                                                • Instruction ID: 7eef79414b0f0a991bb2bfca9f14683809c4fa1113af02f00748aa1ed71d86ef
                                                • Opcode Fuzzy Hash: 107ce52e653eab58c3d5c2d5c84059c9fe778c64fa1cc705593e64855dbce559
                                                • Instruction Fuzzy Hash: 7B31E0B0D01308DFDB60CF99D588BDEBBF5AB48318F64842AE404BB380C7B55846CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.601067685.0000000000CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_cbd000_AheGmkp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d52b18771e257cd87a3b8fa832675c4b5be42f423228b880401c861ec5d40921
                                                • Instruction ID: 2241fa5dd8bc20b2bf735b934fb0b8ce4567de20b76b116cb5f5a588a92004b2
                                                • Opcode Fuzzy Hash: d52b18771e257cd87a3b8fa832675c4b5be42f423228b880401c861ec5d40921
                                                • Instruction Fuzzy Hash: 05218B755097C08FCB02CF20D994B55BF71EB46314F28C5EAD8498B6A7C33A980ACB62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.618103000.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_6e10000_AheGmkp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 484846fae889f535ad2affba9c5e62f07712017a40680f50749f03d2260cca2a
                                                • Instruction ID: 70c658531491099903082d141025a0701f8b23ec2f679dac73ad386e72b97432
                                                • Opcode Fuzzy Hash: 484846fae889f535ad2affba9c5e62f07712017a40680f50749f03d2260cca2a
                                                • Instruction Fuzzy Hash: A511BFB5A003098F8B51DB699C445BFBBFBFBC43147144929E424D7340EF309E0597A1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.618103000.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_6e10000_AheGmkp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 70d1932955700afb6f400dc1d6a66127bfa7ea10aee9e695f59a6b6b491d71c7
                                                • Instruction ID: 49e14779238405aedbd6c822b3d446b20f26d78c9e7d44e1ce5644e9938303df
                                                • Opcode Fuzzy Hash: 70d1932955700afb6f400dc1d6a66127bfa7ea10aee9e695f59a6b6b491d71c7
                                                • Instruction Fuzzy Hash: 4B11A079B003064F8B51DB799C445BFBBFAEBC92607254529E429DB380EF308E069B61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.618103000.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_6e10000_AheGmkp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d01ad8c84019f7d4290e4c7bb7f31f7bf74209b7b0e5de26efe18bb2d55d1413
                                                • Instruction ID: acf3e07f999e69617b0c051b9dc83fa73c9dfefb9179d23cb1e395b9b97959ef
                                                • Opcode Fuzzy Hash: d01ad8c84019f7d4290e4c7bb7f31f7bf74209b7b0e5de26efe18bb2d55d1413
                                                • Instruction Fuzzy Hash: 82114831F00219CBCB94EBA8D8115EEB6F6AF99398B14007AC504AF384EB718D55CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.601067685.0000000000CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_cbd000_AheGmkp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 745646faa56d91e977d29689b6d10c55204c06f7873250d23cc20a5c136cfe80
                                                • Instruction ID: b19727a9b72fe75e689d821559f52cbf85d3a9d1181bd8f5d9d1cd457f111564
                                                • Opcode Fuzzy Hash: 745646faa56d91e977d29689b6d10c55204c06f7873250d23cc20a5c136cfe80
                                                • Instruction Fuzzy Hash: E811BB75904280DFCB02CF10C5C4B55BBA1FB84324F28C6AED84A4B656C33AD84ACB62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.618103000.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_6e10000_AheGmkp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 59e54f169b235ca221c6a920757c9c1e744d85a90952ae943496fad3b5f7ff6a
                                                • Instruction ID: a9bd351e90a63a398bbf603343f471490871396988dd09aefc4950fe641e5e59
                                                • Opcode Fuzzy Hash: 59e54f169b235ca221c6a920757c9c1e744d85a90952ae943496fad3b5f7ff6a
                                                • Instruction Fuzzy Hash: 0C216A70A05248CFEB44DF64C9596EEB7B2FF88314F0042A5D809AB358DB385E41CF51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.618103000.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_6e10000_AheGmkp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cc661673a3e5e45480cbf37599e72090cefa6cf528389c4a94faef461542d91b
                                                • Instruction ID: 580cf66aa0cd776e2396e59c35a0d9964f57ad82ff56be97c1e49c43191101d7
                                                • Opcode Fuzzy Hash: cc661673a3e5e45480cbf37599e72090cefa6cf528389c4a94faef461542d91b
                                                • Instruction Fuzzy Hash: 5F110C70900318DFDB15CF9AC4847DABEF5AF48324F24C169E9296B390C7708986DB94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.618103000.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_6e10000_AheGmkp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9e78158d203f1ea80ea35f8e84cb5789985cb442bf3c8027536236f34cb634fc
                                                • Instruction ID: e83cb380cbdd2b52048029edbf85e060cda2d7072a6ee226f45ea7188cb0a621
                                                • Opcode Fuzzy Hash: 9e78158d203f1ea80ea35f8e84cb5789985cb442bf3c8027536236f34cb634fc
                                                • Instruction Fuzzy Hash: 7A115834A04219CFDB40DF68C594AEABBF1FB4A308F1094A9D408DB309DB74AE80DF41
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.618103000.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_6e10000_AheGmkp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 46c98e4e6be99789dd5bc86d4ffb95fbc7133ed241572e02b5d5357b89b3c205
                                                • Instruction ID: 6428d44df21d715c1c2d5bd89b3a19a3e4fd1a33ef866eb832c6033a781b9270
                                                • Opcode Fuzzy Hash: 46c98e4e6be99789dd5bc86d4ffb95fbc7133ed241572e02b5d5357b89b3c205
                                                • Instruction Fuzzy Hash: 1501DB70900318DFDB14CF9AC48479ABEF5BF88364F24C169E929AB290C7748985DB94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.618103000.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_6e10000_AheGmkp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 41a28971c018aba2bc3f8fda71810af9847d9a4f546beeed2f267f4a246106a4
                                                • Instruction ID: a4387cc03f28bedf51b5dadaed32586a6a9f2b870ca14b7a587cffec5ddd29f5
                                                • Opcode Fuzzy Hash: 41a28971c018aba2bc3f8fda71810af9847d9a4f546beeed2f267f4a246106a4
                                                • Instruction Fuzzy Hash: 05014871C00219DEEB51CF69C4043EEBBF1AB0A364F24962AE424EB2E0D3744A81DF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.618103000.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_6e10000_AheGmkp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e0052fb61db6fd1b22ef0e5735905e2f98be66d81965ee05e00e0b7447f78c4a
                                                • Instruction ID: d9652cfff219ca450856f00e681e5cdb65554895b15cab46844450f08f325509
                                                • Opcode Fuzzy Hash: e0052fb61db6fd1b22ef0e5735905e2f98be66d81965ee05e00e0b7447f78c4a
                                                • Instruction Fuzzy Hash: 8B11F734A14258CFCB50DF69DA99ADAFBF1FB4A308F1181AAD4089B755DB349D80CF40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.618103000.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_6e10000_AheGmkp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e87ba2db196863c626d397408eb2df7e2f7bcf75d44d1b56f7605d91c721511f
                                                • Instruction ID: 25a3bd62512df2f0fbe5ff308ddfaffb610d92423bb078213c75a498b24ba2d6
                                                • Opcode Fuzzy Hash: e87ba2db196863c626d397408eb2df7e2f7bcf75d44d1b56f7605d91c721511f
                                                • Instruction Fuzzy Hash: 9601D670C00219DFDB55CF6AC4047AEBAF1AB4A364F148626E424AB2D0D7744A40DB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.618103000.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_6e10000_AheGmkp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a2f6d711e7625b0f25345b743da7ab7925155ddeed79bb22befbbee4f371ae6b
                                                • Instruction ID: 08c9719bb143c4c2607c208824b0bac995ba1bcc60d5a30d42d8e75e3a1b7d94
                                                • Opcode Fuzzy Hash: a2f6d711e7625b0f25345b743da7ab7925155ddeed79bb22befbbee4f371ae6b
                                                • Instruction Fuzzy Hash: 32F0B4F2C063CCDFC7468BB4D5182E57F75DB86105B0501EBE4058BA21E6250E5A9752
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.618103000.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_6e10000_AheGmkp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e7abd6604105ddc1dc6fb433d1b9236dace96493402b30088d4eabce43201981
                                                • Instruction ID: c83b93caaa134faa6a580ee469ada84685d50340e20f818b9541aa44944fcff7
                                                • Opcode Fuzzy Hash: e7abd6604105ddc1dc6fb433d1b9236dace96493402b30088d4eabce43201981
                                                • Instruction Fuzzy Hash: 4D011274A0028DCFDB04DF98D55A5DDBBB2FB88704F2081699909AB348DA34AA428F90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.618103000.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_6e10000_AheGmkp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2368d31f41e6501153d3465936e9b7743b6d0cc62b26e73c260f9605143a5df2
                                                • Instruction ID: 3b1fbd1710107b58c88ed04a2bd6518997dec7b062f40b84ce2261815a34ab20
                                                • Opcode Fuzzy Hash: 2368d31f41e6501153d3465936e9b7743b6d0cc62b26e73c260f9605143a5df2
                                                • Instruction Fuzzy Hash: A2E06D727001246F5304DAAEEC85C6BBBEEEBCD674351813AF50DCB311DA309C0086A0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.618103000.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_6e10000_AheGmkp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5ee57bd11f845eabecfe7cbe460af239afa30b447aa48fc75a654c59b72416cb
                                                • Instruction ID: 3f896f006acb144ff0da3ab6646b6be6a582ce3058866806b22b025842a0d0f2
                                                • Opcode Fuzzy Hash: 5ee57bd11f845eabecfe7cbe460af239afa30b447aa48fc75a654c59b72416cb
                                                • Instruction Fuzzy Hash: 9BF09034D042849FCB45DFB8D5005D9BFF0AB46214B2482EFD4549B642C3324A46DF41
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.618103000.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.618103000.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_6e10000_AheGmkp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1184a0493914d017cd2d330fe0ebfc5ae2a6035983596be6eaa283650ee0c5d2
                                                • Instruction ID: debd32936f2f2e38e45c1255ad124c9e84a41890c83303f36c12ad2ba9550698
                                                • Opcode Fuzzy Hash: 1184a0493914d017cd2d330fe0ebfc5ae2a6035983596be6eaa283650ee0c5d2
                                                • Instruction Fuzzy Hash: 13D022720053802FC7837B1088028C57F2AAF0320073685A6E0828F0B2C1248517AB22
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.611886332.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_5550000_AheGmkp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: K/m$K/m$K/m$K/m
                                                • API String ID: 0-3707662446
                                                • Opcode ID: 68947a78130ea4d3e44fed0acdf1f1fdd15dfdc8972d6e911270e139b7f3be74
                                                • Instruction ID: 53a25689a469fdefbc12c715b2b3ab159b6fab3aea5795bbdbb874d4451710ab
                                                • Opcode Fuzzy Hash: 68947a78130ea4d3e44fed0acdf1f1fdd15dfdc8972d6e911270e139b7f3be74
                                                • Instruction Fuzzy Hash: D911A5743446018FC390DF7AE4A0A2AF7D6BFCA654304487EE50ACB362DFA1DC068791
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Execution Graph

                                                Execution Coverage:10.6%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:0%
                                                Total number of Nodes:101
                                                Total number of Limit Nodes:10

                                                Control-flow Graph

                                                APIs
                                                • GetCurrentProcess.KERNEL32 ref: 0157B8F0
                                                • GetCurrentThread.KERNEL32 ref: 0157B92D
                                                • GetCurrentProcess.KERNEL32 ref: 0157B96A
                                                • GetCurrentThreadId.KERNEL32 ref: 0157B9C3
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.594019356.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_1570000_AheGmkp.jbxd
                                                Similarity
                                                • API ID: Current$ProcessThread
                                                • String ID:
                                                • API String ID: 2063062207-0
                                                • Opcode ID: 1c47b04c1c932aea1e134559c6c6c1ea73dab81f075637401c24cff1443b7505
                                                • Instruction ID: bef119934c372b86543068527ce07dd50481801751b64fa3b7bccd3726c1fc78
                                                • Opcode Fuzzy Hash: 1c47b04c1c932aea1e134559c6c6c1ea73dab81f075637401c24cff1443b7505
                                                • Instruction Fuzzy Hash: 6B5166B4D006488FDB14CFAAD5497EEBBF1FF4C304F24895AE019A7250C7345984CB65
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • GetCurrentProcess.KERNEL32 ref: 0157B8F0
                                                • GetCurrentThread.KERNEL32 ref: 0157B92D
                                                • GetCurrentProcess.KERNEL32 ref: 0157B96A
                                                • GetCurrentThreadId.KERNEL32 ref: 0157B9C3
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.594019356.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_1570000_AheGmkp.jbxd
                                                Similarity
                                                • API ID: Current$ProcessThread
                                                • String ID:
                                                • API String ID: 2063062207-0
                                                • Opcode ID: 789532e814939fe5b45302b8b730285bcc0bacdb33ca883ddb31492eea8e76ae
                                                • Instruction ID: 3316cadb34f0dafb8db57d99b797c6e17df51e03f4b40f4f81034ad4d3b328f7
                                                • Opcode Fuzzy Hash: 789532e814939fe5b45302b8b730285bcc0bacdb33ca883ddb31492eea8e76ae
                                                • Instruction Fuzzy Hash: CD5162B0D006088FDB14CFAAD949BEEBBF1FF4C314F24895AE019AB250C7345984CB66
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 015797EE
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.594019356.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_1570000_AheGmkp.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: 42e56f221156c3dd58d3f6b964c56b4534828c8c70c828be3a232bd510f73bdc
                                                • Instruction ID: bcafe8cf386467f9429a1b3332aa3ca163d8ba73fff97ab560614253c52943e8
                                                • Opcode Fuzzy Hash: 42e56f221156c3dd58d3f6b964c56b4534828c8c70c828be3a232bd510f73bdc
                                                • Instruction Fuzzy Hash: 14711670A00B058FDB24DF6AD44579ABBF1BF88318F048A2DD546DBA40D775E845CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 01575421
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.594019356.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_1570000_AheGmkp.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: d32f668a0a89c354b2841b6d54c4fabcfe027327d1afbb1a69b44e093fba8500
                                                • Instruction ID: a8fcbb5af84b6dc10ea22d0187980d3ae3cd2ca87289bdd9592e729c57e1792f
                                                • Opcode Fuzzy Hash: d32f668a0a89c354b2841b6d54c4fabcfe027327d1afbb1a69b44e093fba8500
                                                • Instruction Fuzzy Hash: 80412270C0061CCFDB24CFAAC885BDDBBB6BF88305F248469D409AB211DB756A46CF50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 01575421
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.594019356.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_1570000_AheGmkp.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: 9478dfebcb388857618d9c1c0fdb154b82fdd2b7573ddeb896fd62267d996b17
                                                • Instruction ID: a8a12b8a4395f784740f042fa43f6cfd40e5339ebb47795cbc538ec0dee094de
                                                • Opcode Fuzzy Hash: 9478dfebcb388857618d9c1c0fdb154b82fdd2b7573ddeb896fd62267d996b17
                                                • Instruction Fuzzy Hash: 2041F370D0061CCFDB24CFAAC845BDDBBB6BF48305F148469D409AB251DB756945CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0157BB3F
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.594019356.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_1570000_AheGmkp.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: 2c6c3b6a544b13e7000c9392e1560d6086f7c2a14fcb9159a3c51c5127fc99a7
                                                • Instruction ID: c6c1dcc52b481598424dbce5bd263e533bd99cfeaef534968a54cff3bd4591a0
                                                • Opcode Fuzzy Hash: 2c6c3b6a544b13e7000c9392e1560d6086f7c2a14fcb9159a3c51c5127fc99a7
                                                • Instruction Fuzzy Hash: 0921D6B5D002089FDB11CF9AD485ADEBBF9FF48310F14841AE914A7310D375A945CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0157BB3F
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.594019356.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_1570000_AheGmkp.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: 19f653e2cf208d18b9c5db3fb5ccbb610d3ea0f09e08f16eafc583310c36f782
                                                • Instruction ID: 1fc476a1e6282b9686aa9bbbf95f27ab6cee17e27ac9405544b67f08b69f0c67
                                                • Opcode Fuzzy Hash: 19f653e2cf208d18b9c5db3fb5ccbb610d3ea0f09e08f16eafc583310c36f782
                                                • Instruction Fuzzy Hash: E321C4B5D002089FDB10CF9AD485AEEFBF9FB48324F14841AE914A7310D374A954CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01579869,00000800,00000000,00000000), ref: 01579A7A
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.594019356.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_1570000_AheGmkp.jbxd
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                • Opcode ID: a70a95c366125e5482114fa80d622e557cc00c026d266ef2ee18c5ebe0205cb5
                                                • Instruction ID: 2cc01d13f0627e327ebec065640afb94e7d08b28a4dd8ea3bfe8413b4f494ee2
                                                • Opcode Fuzzy Hash: a70a95c366125e5482114fa80d622e557cc00c026d266ef2ee18c5ebe0205cb5
                                                • Instruction Fuzzy Hash: 9021F4B6D002098FDB10CFAAD485ADEFBF5BB88324F14852AD419A7610C379A545CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01579869,00000800,00000000,00000000), ref: 01579A7A
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.594019356.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_1570000_AheGmkp.jbxd
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                • Opcode ID: 01f792db8ac519232011f004dea303849378c7b3f735a133c063555ed966c8bd
                                                • Instruction ID: 78d097152acb539be322e826299ef10fab25d67d28041ccace8b19883b94ba9e
                                                • Opcode Fuzzy Hash: 01f792db8ac519232011f004dea303849378c7b3f735a133c063555ed966c8bd
                                                • Instruction Fuzzy Hash: 141133B6D002098FDB10CF9AD445BDEFBF5BB48324F14882AE519AB200C3B5A544CFA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 015797EE
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.594019356.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_1570000_AheGmkp.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: 49cf05a9232958a9752fc45a281bead7acc268dbd454be862aa623678933131e
                                                • Instruction ID: bb2d20244d9c9aafda66a7b9329e1229a7d848dabdbe3c190421a81f2c6059f2
                                                • Opcode Fuzzy Hash: 49cf05a9232958a9752fc45a281bead7acc268dbd454be862aa623678933131e
                                                • Instruction Fuzzy Hash: 9B1110B5C002498FDB10CF9AD445BDEFBF5BF88324F14842AD819A7600D378A545CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • PostMessageW.USER32(?,?,?,?), ref: 07648C6D
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.601371660.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_7640000_AheGmkp.jbxd
                                                Similarity
                                                • API ID: MessagePost
                                                • String ID:
                                                • API String ID: 410705778-0
                                                • Opcode ID: b8ea29c870e878d41fc916aeab190aa3bdf4bf473eac599d329065fe93a49306
                                                • Instruction ID: 952066ad18c0bae06cf1b4a9f63111718b38c521ef55e04c3f5a81a95a66ad1d