Windows Analysis Report
IMG 003.exe

Overview

General Information

Sample name: IMG 003.exe
Analysis ID: 1467967
MD5: 605e5a50ebdec57b636cff6353684913
SHA1: 891d2beea2edaa689cd3cfedc1e30f4ec5dde82e
SHA256: 30225014a390133cd81a5896e070c88313e33c21c6cb40d9fec1600bf9f70f4f
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • IMG 003.exe (PID: 6676 cmdline: "C:\Users\user\Desktop\IMG 003.exe" MD5: 605E5A50EBDEC57B636CFF6353684913)
    • powershell.exe (PID: 5828 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\IMG 003.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 4484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7052 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\aBYKwaZ.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 4600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7496 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 5700 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aBYKwaZ" /XML "C:\Users\user\AppData\Local\Temp\tmpFDAB.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 4884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • IMG 003.exe (PID: 7252 cmdline: "C:\Users\user\Desktop\IMG 003.exe" MD5: 605E5A50EBDEC57B636CFF6353684913)
  • aBYKwaZ.exe (PID: 7456 cmdline: C:\Users\user\AppData\Roaming\aBYKwaZ.exe MD5: 605E5A50EBDEC57B636CFF6353684913)
    • schtasks.exe (PID: 7628 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aBYKwaZ" /XML "C:\Users\user\AppData\Local\Temp\tmp170F.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • aBYKwaZ.exe (PID: 7680 cmdline: "C:\Users\user\AppData\Roaming\aBYKwaZ.exe" MD5: 605E5A50EBDEC57B636CFF6353684913)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Extracted malware configuration:
{"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.yandex.com", "Username": "wizzy@transmedmaritime.cf", "Password": "!feanyi#@12"}
Yara matches in memory dumps (Source | Rule | Description | Author):
  • 00000008.00000002.2918405791.000000000307B000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  • 0000000D.00000002.2918450759.0000000002AEB000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  • 00000008.00000002.2918405791.0000000003083000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  • 00000008.00000002.2918405791.0000000003090000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  • 0000000D.00000002.2918450759.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  (18 further entries not expanded)
Yara matches in unpacked PE files (Source | Rule | Description | Author | Strings):
  • 8.2.IMG 003.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
    • 0x3342f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
    • 0x334a1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
    • 0x3352b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
    • 0x335bd:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
    • 0x33627:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
    • 0x33699:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
    • 0x3372f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
    • 0x337bf:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
  • 0.2.IMG 003.exe.439e370.4.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • 0.2.IMG 003.exe.439e370.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  • 0.2.IMG 003.exe.439e370.4.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
    • 0x3162f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
    • 0x316a1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
    • 0x3172b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
    • 0x317bd:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
    • 0x31827:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
    • 0x31899:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
    • 0x3192f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
    • 0x319bf:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
  • 9.2.aBYKwaZ.exe.459ec50.2.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  (24 further entries not expanded)
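The INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID hits above are plain string matches on the eight Windows vault schema GUIDs the rule lists. The Python below is an added example written for this page, not ditekSHen's rule or Joe Sandbox code: it scans a buffer for those GUIDs in both ASCII and UTF-16LE ("wide") form, which matters for a .NET sample whose string literals are stored as UTF-16, and reports the offset and encoding of each hit. The MZ check and the three-of-eight threshold are assumptions standing in for the rule's real condition, which the report does not show; the test buffer is constructed, not taken from the sample.

```python
import re

# The eight Windows vault schema GUIDs listed as $s1..$s8 in the rule hits
# above (copied from the report; they are real Windows vault schema IDs).
VAULT_SCHEMA_GUIDS = [
    "2F1A6504-0641-44CF-8BB5-3612D865F2E5",
    "3CCD5499-87A8-4B10-A215-608888DD3B55",
    "154E23D0-C644-4E6F-8CE6-5069272F999F",
    "4BF4C442-9B8A-41A0-B380-DD4A704DDB28",
    "77BC582B-F0A6-4E15-4E80-61736B6F3B29",
    "E69D7838-91B5-4FC9-89D5-230D4D4CC2BC",
    "3E0E35BE-1B77-43E7-B873-AED901B6275B",
    "3C886FF3-2669-4AA2-A8FB-3F6759A77548",
]

# One ASCII and one UTF-16LE ("wide") pattern per GUID, case-insensitive,
# mirroring what a Yara string declared "ascii wide nocase" would match.
_PATTERNS = {
    guid: [
        ("ascii", re.compile(re.escape(guid.encode("ascii")), re.IGNORECASE)),
        ("wide", re.compile(re.escape(guid.encode("utf-16-le")), re.IGNORECASE)),
    ]
    for guid in VAULT_SCHEMA_GUIDS
}


def find_vault_guids(data: bytes) -> dict:
    """Map each GUID present in `data` to a list of (offset, encoding) hits."""
    hits = {}
    for guid, patterns in _PATTERNS.items():
        for enc, pat in patterns:
            for m in pat.finditer(data):
                hits.setdefault(guid, []).append((m.start(), enc))
    return hits


def looks_like_vault_stealer(data: bytes, min_guids: int = 3) -> bool:
    """PE magic plus at least `min_guids` distinct vault GUIDs.

    The threshold is an assumption for this example, not the rule's condition.
    """
    return data[:2] == b"MZ" and len(find_vault_guids(data)) >= min_guids


# Constructed stand-in for a PE image: MZ header, padding, then two GUIDs
# stored wide (as a .NET #US heap would hold them) and one in lower-case ASCII.
SAMPLE_IMAGE = (
    b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"A" * 100
    + VAULT_SCHEMA_GUIDS[0].encode("utf-16-le") + b"\x00" * 16
    + VAULT_SCHEMA_GUIDS[1].lower().encode("ascii") + b"\x00" * 16
    + VAULT_SCHEMA_GUIDS[2].encode("utf-16-le")
)

if __name__ == "__main__":
    for guid, where in find_vault_guids(SAMPLE_IMAGE).items():
        print(guid, where)
    print("vault stealer indicator:", looks_like_vault_stealer(SAMPLE_IMAGE))
```

Run it against a real dump with `find_vault_guids(open(path, "rb").read())`; hits reported as "wide" at offsets inside the .NET metadata are the equivalent of the 0x3342f-style offsets in the report.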

                  System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\IMG 003.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\IMG 003.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\IMG 003.exe", ParentImage: C:\Users\user\Desktop\IMG 003.exe, ParentProcessId: 6676, ParentProcessName: IMG 003.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\IMG 003.exe", ProcessId: 5828, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\IMG 003.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\IMG 003.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\IMG 003.exe", ParentImage: C:\Users\user\Desktop\IMG 003.exe, ParentProcessId: 6676, ParentProcessName: IMG 003.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\IMG 003.exe", ProcessId: 5828, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aBYKwaZ" /XML "C:\Users\user\AppData\Local\Temp\tmp170F.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aBYKwaZ" /XML "C:\Users\user\AppData\Local\Temp\tmp170F.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\aBYKwaZ.exe, ParentImage: C:\Users\user\AppData\Roaming\aBYKwaZ.exe, ParentProcessId: 7456, ParentProcessName: aBYKwaZ.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aBYKwaZ" /XML "C:\Users\user\AppData\Local\Temp\tmp170F.tmp", ProcessId: 7628, ProcessName: schtasks.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 77.88.21.158, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\IMG 003.exe, Initiated: true, ProcessId: 7252, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49736
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aBYKwaZ" /XML "C:\Users\user\AppData\Local\Temp\tmpFDAB.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aBYKwaZ" /XML "C:\Users\user\AppData\Local\Temp\tmpFDAB.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\IMG 003.exe", ParentImage: C:\Users\user\Desktop\IMG 003.exe, ParentProcessId: 6676, ParentProcessName: IMG 003.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aBYKwaZ" /XML "C:\Users\user\AppData\Local\Temp\tmpFDAB.tmp", ProcessId: 5700, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\IMG 003.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\IMG 003.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\IMG 003.exe", ParentImage: C:\Users\user\Desktop\IMG 003.exe, ParentProcessId: 6676, ParentProcessName: IMG 003.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\IMG 003.exe", ProcessId: 5828, ProcessName: powershell.exe
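The three behaviours the Sigma matches above record (a Defender exclusion added through Add-MpPreference, schtasks /Create loading a task definition from the user's Temp folder, and an outbound connection to TCP 587 from a process that is not a mail client) reduce to a few checks on process-creation and network events. The Python below is an added example written for this page, not Sigma's rule logic or Joe Sandbox code: the events are constructed to mirror the match data above, the Sysmon-style field names (Image, CommandLine, ParentImage, DestinationPort, Initiated), the mail-client allowlist and the list of temp locations are assumptions, and benign control events are included so the rules can be seen not to fire on them.

```python
import re

# Constructed process-creation and network events modelled on the Sigma match
# data in this report. They are test inputs written for this example, not
# events exported from the sandbox. Field names follow Sysmon-style naming.
SAMPLE_EVENTS = [
    {   # Defender exclusion for the sample's own path (PID 5828 above)
        "kind": "process", "ProcessId": 5828,
        "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                       r'Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\IMG 003.exe"',
        "ParentImage": r"C:\Users\user\Desktop\IMG 003.exe",
    },
    {   # Scheduled task created from an XML file in %TEMP% (PID 5700 above)
        "kind": "process", "ProcessId": 5700,
        "Image": r"C:\Windows\SysWOW64\schtasks.exe",
        "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aBYKwaZ" '
                       r'/XML "C:\Users\user\AppData\Local\Temp\tmpFDAB.tmp"',
        "ParentImage": r"C:\Users\user\Desktop\IMG 003.exe",
    },
    {   # SMTP submission port from the injected sample process (PID 7252 above)
        "kind": "network", "ProcessId": 7252,
        "Image": r"C:\Users\user\Desktop\IMG 003.exe",
        "DestinationIp": "77.88.21.158", "DestinationPort": 587, "Initiated": True,
    },
    # Benign controls that must not fire.
    {
        "kind": "process", "ProcessId": 100,
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Query /TN "Microsoft\Windows\Defrag\ScheduledDefrag"',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {
        "kind": "process", "ProcessId": 101,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe Get-MpPreference",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {
        "kind": "network", "ProcessId": 102,
        "Image": r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe",
        "DestinationIp": "203.0.113.10", "DestinationPort": 587, "Initiated": True,
    },
]

# Add-MpPreference / Set-MpPreference with any -Exclusion* parameter.
EXCLUSION_RE = re.compile(
    r"\b(Add|Set)-MpPreference\b.*-Exclusion(Path|Process|Extension|IpAddress)",
    re.IGNORECASE,
)
# User-writable temp locations a task definition should not be loaded from
# (assumed list for this example).
TEMP_DIR_RE = re.compile(
    r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|%TEMP%|%TMP%", re.IGNORECASE
)
# Processes expected to speak SMTP; anything else on a mail port is suspect
# (assumed allowlist for this example).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SMTP_PORTS = {25, 465, 587}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def defender_exclusion_added(ev: dict) -> bool:
    return (ev["kind"] == "process"
            and basename(ev["Image"]) in {"powershell.exe", "pwsh.exe"}
            and EXCLUSION_RE.search(ev["CommandLine"]) is not None)


def schtasks_xml_from_temp(ev: dict) -> bool:
    if ev["kind"] != "process" or basename(ev["Image"]) != "schtasks.exe":
        return False
    cmd = ev["CommandLine"]
    low = cmd.lower()
    return "/create" in low and "/xml" in low and TEMP_DIR_RE.search(cmd) is not None


def smtp_from_non_mail_client(ev: dict) -> bool:
    return (ev["kind"] == "network"
            and bool(ev.get("Initiated"))
            and ev["DestinationPort"] in SMTP_PORTS
            and basename(ev["Image"]) not in MAIL_CLIENTS)


RULES = [
    ("defender_exclusion_added", defender_exclusion_added),
    ("schtasks_xml_from_temp", schtasks_xml_from_temp),
    ("smtp_from_non_mail_client", smtp_from_non_mail_client),
]


def run_detections(events: list) -> list:
    """Return (rule_name, ProcessId) for every rule that fires, in event order."""
    hits = []
    for ev in events:
        for name, check in RULES:
            if check(ev):
                hits.append((name, ev["ProcessId"]))
    return hits


if __name__ == "__main__":
    for name, pid in run_detections(SAMPLE_EVENTS):
        print(f"{name}: pid {pid}")
```

The SMTP rule is the noisiest of the three on a real estate, which is why it is keyed on the initiating image rather than the port alone; the exclusion rule deliberately also catches Set-MpPreference and the -ExclusionProcess / -ExclusionExtension variants that a different build of the same family could use.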

                  Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aBYKwaZ" /XML "C:\Users\user\AppData\Local\Temp\tmpFDAB.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aBYKwaZ" /XML "C:\Users\user\AppData\Local\Temp\tmpFDAB.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\IMG 003.exe", ParentImage: C:\Users\user\Desktop\IMG 003.exe, ParentProcessId: 6676, ParentProcessName: IMG 003.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aBYKwaZ" /XML "C:\Users\user\AppData\Local\Temp\tmpFDAB.tmp", ProcessId: 5700, ProcessName: schtasks.exe
                  No Snort rule has matched


                  AV Detection

Source: 9.2.aBYKwaZ.exe.4564230.1.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.yandex.com", "Username": "wizzy@transmedmaritime.cf", "Password": "!feanyi#@12"}
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Virustotal: Detection: 40%
Source: IMG 003.exe | ReversingLabs: Detection: 31%
Source: IMG 003.exe | Virustotal: Detection: 40%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Joe Sandbox ML: detected
Source: IMG 003.exe | Joe Sandbox ML: detected
Source: IMG 003.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: IMG 003.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: frGi.pdb | source: IMG 003.exe, aBYKwaZ.exe.0.dr
Source: Binary string: frGi.pdbSHA256 | source: IMG 003.exe, aBYKwaZ.exe.0.dr
Source: C:\Users\user\Desktop\IMG 003.exe | Code function: 4x nop then jmp 0192A915h (0_2_0192AD52)
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Code function: 4x nop then jmp 0DCC9B75h (9_2_0DCC9FDB)

                  Networking

Source: Yara match | File source: 0.2.IMG 003.exe.43d8d90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.aBYKwaZ.exe.459ec50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.IMG 003.exe.439e370.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.aBYKwaZ.exe.4564230.1.raw.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.4:49736 -> 77.88.21.158:587
Source: Joe Sandbox View | IP Address: 77.88.21.158
Source: Joe Sandbox View | IP Address: 172.67.74.152
Source: Joe Sandbox View | IP Address: 172.67.74.152
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: api.ipify.org
Source: global traffic | TCP traffic: 192.168.2.4:49736 -> 77.88.21.158:587
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: global traffic | DNS traffic detected: DNS query: smtp.yandex.com
Source: aBYKwaZ.exe, 0000000D.00000002.2915855945.0000000000DA9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.gl
Source: IMG 003.exe, 00000008.00000002.2918405791.00000000030A0000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2945385002.0000000009833000.00000004.00000020.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2945385002.0000000009805000.00000004.00000020.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.0000000003083000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2932744566.0000000006A5A000.00000004.00000020.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.00000000030EE000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2916285074.0000000001460000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002B10000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2932714515.000000000648F000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2946210868.0000000008740000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002AEB000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2915855945.0000000000D7F000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002CAA000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002BB7000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2946210868.0000000008790000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002D98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/gsrsaovsslca2018.crl0j
Source: IMG 003.exe, 00000008.00000002.2918405791.00000000030A0000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2945385002.0000000009833000.00000004.00000020.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2945385002.0000000009805000.00000004.00000020.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.0000000003083000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2932744566.0000000006A5A000.00000004.00000020.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.00000000030EE000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2916285074.0000000001460000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2932714515.000000000647F000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002B10000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2932714515.0000000006463000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2946210868.0000000008740000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002AEB000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002CAA000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002BB7000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2946210868.0000000008790000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002D98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: IMG 003.exe, 00000008.00000002.2918405791.00000000030A0000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2945385002.0000000009833000.00000004.00000020.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2945385002.0000000009805000.00000004.00000020.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.0000000003083000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2932744566.0000000006A5A000.00000004.00000020.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.00000000030EE000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2916285074.0000000001460000.00000004.00000020.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2916285074.000000000144E000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002B10000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2932714515.000000000648F000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2946210868.0000000008740000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002AEB000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2915855945.0000000000D7F000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2915855945.0000000000D48000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002CAA000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002BB7000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2946210868.0000000008790000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002D98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/root.crl0G
Source: IMG 003.exe, 00000008.00000002.2918405791.00000000030A0000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2945385002.0000000009833000.00000004.00000020.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2945385002.0000000009805000.00000004.00000020.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.0000000003083000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2932744566.0000000006A5A000.00000004.00000020.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.00000000030EE000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2916285074.0000000001460000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002B10000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2932714515.000000000648F000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2946210868.0000000008740000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002AEB000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2915855945.0000000000D7F000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002CAA000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002BB7000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2946210868.0000000008790000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002D98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.globalsign.com/gsrsaovsslca20180V
Source: IMG 003.exe, 00000008.00000002.2918405791.00000000030A0000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2945385002.0000000009833000.00000004.00000020.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2945385002.0000000009805000.00000004.00000020.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.0000000003083000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2932744566.0000000006A5A000.00000004.00000020.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.00000000030EE000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2916285074.0000000001460000.00000004.00000020.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2916285074.000000000144E000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002B10000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2932714515.000000000648F000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2946210868.0000000008740000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002AEB000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2915855945.0000000000D7F000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2915855945.0000000000D48000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002CAA000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002BB7000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2946210868.0000000008790000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002D98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: IMG 003.exe, 00000008.00000002.2918405791.00000000030A0000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2945385002.0000000009833000.00000004.00000020.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2945385002.0000000009805000.00000004.00000020.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.0000000003083000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2932744566.0000000006A5A000.00000004.00000020.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.00000000030EE000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2916285074.0000000001460000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2932714515.000000000647F000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002B10000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2915855945.0000000000DA9000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2932714515.0000000006463000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2946210868.0000000008740000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002AEB000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002CAA000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002BB7000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2946210868.0000000008790000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002D98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: IMG 003.exe, 00000000.00000002.1706447663.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.0000000003001000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 00000009.00000002.1769731116.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002A71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: IMG 003.exe, 00000008.00000002.2918405791.00000000030A0000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2945385002.0000000009833000.00000004.00000020.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2945385002.0000000009805000.00000004.00000020.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.0000000003083000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2932744566.0000000006A5A000.00000004.00000020.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.00000000030EE000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2916285074.0000000001460000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002B10000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2932714515.000000000648F000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2946210868.0000000008740000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002AEB000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2915855945.0000000000D7F000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002CAA000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002BB7000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2946210868.0000000008790000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002D98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://secure.globalsign.com/cacert/gsrsaovsslca2018.crt07
Source: IMG 003.exe, 00000008.00000002.2918405791.00000000030A0000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.000000000307B000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.00000000030EE000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002B10000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002AEB000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002D53000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002CAA000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002BB7000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002D98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://smtp.yandex.com
Source: IMG 003.exe, aBYKwaZ.exe.0.dr | String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
                  Source: IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                  Source: IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                  Source: IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                  Source: IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                  Source: IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                  Source: IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                  Source: IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                  Source: IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                  Source: IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                  Source: IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                  Source: IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                  Source: IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                  Source: IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                  Source: IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                  Source: IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                  Source: IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                  Source: IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                  Source: IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                  Source: IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                  Source: IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                  Source: IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                  Source: IMG 003.exe, 00000000.00000002.1709332299.000000000439E000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2914141071.0000000000435000.00000040.00000400.00020000.00000000.sdmp, aBYKwaZ.exe, 00000009.00000002.1772124355.0000000004564000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://account.dyn.com/
                  Source: IMG 003.exe, 00000000.00000002.1709332299.000000000439E000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.0000000003001000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 00000009.00000002.1772124355.0000000004564000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2914163281.0000000000431000.00000040.00000400.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002A71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org
                  Source: IMG 003.exe, 00000008.00000002.2918405791.0000000003001000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002A71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
                  Source: IMG 003.exe, 00000008.00000002.2918405791.0000000003001000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002A71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/t
                  Source: IMG 003.exe, 00000008.00000002.2918405791.00000000030A0000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2945385002.0000000009833000.00000004.00000020.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2945385002.0000000009805000.00000004.00000020.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.0000000003083000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2932744566.0000000006A5A000.00000004.00000020.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.00000000030EE000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2916285074.0000000001460000.00000004.00000020.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2916285074.000000000144E000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2932714515.000000000647F000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002B10000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2932714515.0000000006463000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2932714515.000000000648F000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2946210868.0000000008740000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002AEB000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2915855945.0000000000D7F000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2915855945.0000000000D48000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002CAA000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 
0000000D.00000002.2918450759.0000000002BB7000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2946210868.0000000008790000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.globalsign.com/repository/0
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
                  Source: unknownHTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49733 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49737 version: TLS 1.2

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.IMG 003.exe.43d8d90.3.raw.unpack, SKTzxzsJw.cs | .Net Code: vTmhWR
Source: 0.2.IMG 003.exe.439e370.4.raw.unpack, SKTzxzsJw.cs | .Net Code: vTmhWR
Source: C:\Users\user\Desktop\IMG 003.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\IMG 003.exe
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\aBYKwaZ.exe
Source: C:\Users\user\Desktop\IMG 003.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Window created: window name: CLIPBRDWNDCLASS

                  System Summary

Source: 8.2.IMG 003.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.IMG 003.exe.439e370.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.aBYKwaZ.exe.459ec50.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.IMG 003.exe.43d8d90.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.aBYKwaZ.exe.4564230.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.IMG 003.exe.43d8d90.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.aBYKwaZ.exe.459ec50.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.IMG 003.exe.439e370.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.aBYKwaZ.exe.4564230.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.IMG 003.exe.95f0000.6.raw.unpack, -Module-.cs | Large array initialization: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E: array initializer size 3088
Source: 0.2.IMG 003.exe.331b4d4.1.raw.unpack, -Module-.cs | Large array initialization: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E: array initializer size 3088
Source: C:\Users\user\Desktop\IMG 003.exe | Code function: 0_2_0175DDEC 0_2_0175DDEC
Source: C:\Users\user\Desktop\IMG 003.exe | Code function: 0_2_01926340 0_2_01926340
Source: C:\Users\user\Desktop\IMG 003.exe | Code function: 0_2_01926348 0_2_01926348
Source: C:\Users\user\Desktop\IMG 003.exe | Code function: 0_2_01924430 0_2_01924430
Source: C:\Users\user\Desktop\IMG 003.exe | Code function: 0_2_01924868 0_2_01924868
Source: C:\Users\user\Desktop\IMG 003.exe | Code function: 0_2_0192DA68 0_2_0192DA68
Source: C:\Users\user\Desktop\IMG 003.exe | Code function: 0_2_01924CA0 0_2_01924CA0
Source: C:\Users\user\Desktop\IMG 003.exe | Code function: 0_2_01926CF8 0_2_01926CF8
Source: C:\Users\user\Desktop\IMG 003.exe | Code function: 8_2_012FE299 8_2_012FE299
Source: C:\Users\user\Desktop\IMG 003.exe | Code function: 8_2_012FA968 8_2_012FA968
Source: C:\Users\user\Desktop\IMG 003.exe | Code function: 8_2_012F4A98 8_2_012F4A98
Source: C:\Users\user\Desktop\IMG 003.exe | Code function: 8_2_012F3E80 8_2_012F3E80
Source: C:\Users\user\Desktop\IMG 003.exe | Code function: 8_2_012F41C8 8_2_012F41C8
Source: C:\Users\user\Desktop\IMG 003.exe | Code function: 8_2_012F19A0 8_2_012F19A0
Source: C:\Users\user\Desktop\IMG 003.exe | Code function: 8_2_06CBB283 8_2_06CBB283
Source: C:\Users\user\Desktop\IMG 003.exe | Code function: 8_2_06CB30E0 8_2_06CB30E0
Source: C:\Users\user\Desktop\IMG 003.exe | Code function: 8_2_06CB76F8 8_2_06CB76F8
Source: C:\Users\user\Desktop\IMG 003.exe | Code function: 8_2_06CBE400 8_2_06CBE400
Source: C:\Users\user\Desktop\IMG 003.exe | Code function: 8_2_06CB0040 8_2_06CB0040
Source: C:\Users\user\Desktop\IMG 003.exe | Code function: 8_2_06DA1908 8_2_06DA1908
Source: C:\Users\user\Desktop\IMG 003.exe | Code function: 8_2_06DA1903 8_2_06DA1903
Source: C:\Users\user\Desktop\IMG 003.exe | Code function: 8_2_06CB0023 8_2_06CB0023
Source: C:\Users\user\Desktop\IMG 003.exe | Code function: 8_2_06CB0038 8_2_06CB0038
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Code function: 9_2_0110DDEC 9_2_0110DDEC
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Code function: 9_2_0DCCCCC8 9_2_0DCCCCC8
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Code function: 9_2_0DCC6CF8 9_2_0DCC6CF8
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Code function: 9_2_0DCC4CA0 9_2_0DCC4CA0
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Code function: 9_2_0DCC4868 9_2_0DCC4868
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Code function: 9_2_0DCC4418 9_2_0DCC4418
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Code function: 9_2_0DCC4430 9_2_0DCC4430
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Code function: 9_2_0DCC6348 9_2_0DCC6348
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Code function: 9_2_0DCC633A 9_2_0DCC633A
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Code function: 13_2_00D041C8 13_2_00D041C8
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Code function: 13_2_00D0A968 13_2_00D0A968
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Code function: 13_2_00D04A98 13_2_00D04A98
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Code function: 13_2_00D0AB1C 13_2_00D0AB1C
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Code function: 13_2_00D0DCC0 13_2_00D0DCC0
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Code function: 13_2_00D03E80 13_2_00D03E80
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Code function: 13_2_066B6648 13_2_066B6648
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Code function: 13_2_066B5628 13_2_066B5628
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Code function: 13_2_066B7DD8 13_2_066B7DD8
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Code function: 13_2_066BB283 13_2_066BB283
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Code function: 13_2_066B30E0 13_2_066B30E0
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Code function: 13_2_066BC1E8 13_2_066BC1E8
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Code function: 13_2_066B76F8 13_2_066B76F8
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Code function: 13_2_066B2408 13_2_066B2408
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Code function: 13_2_066BE400 13_2_066BE400
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Code function: 13_2_066B5D3B 13_2_066B5D3B
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Code function: 13_2_066B0040 13_2_066B0040
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Code function: 13_2_067AE4E8 13_2_067AE4E8
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Code function: 13_2_067A18CA 13_2_067A18CA
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Code function: 13_2_067A1908 13_2_067A1908
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Code function: 13_2_067A1902 13_2_067A1902
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Code function: 13_2_066B0022 13_2_066B0022
Source: IMG 003.exe, 00000000.00000002.1709332299.000000000439E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamedf8fc031-c024-49b7-9cf2-cdfecdf01d4a.exe4 vs IMG 003.exe
Source: IMG 003.exe, 00000000.00000002.1709332299.000000000439E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs IMG 003.exe
Source: IMG 003.exe, 00000000.00000002.1714374757.0000000007AB0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs IMG 003.exe
Source: IMG 003.exe, 00000000.00000002.1715011158.00000000095F0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameRT.dll. vs IMG 003.exe
Source: IMG 003.exe, 00000000.00000002.1705002448.00000000013CE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs IMG 003.exe
Source: IMG 003.exe, 00000000.00000002.1706447663.00000000032B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRT.dll. vs IMG 003.exe
Source: IMG 003.exe, 00000000.00000002.1706447663.00000000033C4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamedf8fc031-c024-49b7-9cf2-cdfecdf01d4a.exe4 vs IMG 003.exe
Source: IMG 003.exe, 00000000.00000000.1640910658.0000000000E9A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamefrGi.exeD vs IMG 003.exe
Source: IMG 003.exe, 00000008.00000002.2914886404.00000000010F8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs IMG 003.exe
Source: IMG 003.exe | Binary or memory string: OriginalFilenamefrGi.exeD vs IMG 003.exe
Source: IMG 003.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 8.2.IMG 003.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.IMG 003.exe.439e370.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.aBYKwaZ.exe.459ec50.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.IMG 003.exe.43d8d90.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.aBYKwaZ.exe.4564230.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.IMG 003.exe.43d8d90.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.aBYKwaZ.exe.459ec50.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.IMG 003.exe.439e370.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.aBYKwaZ.exe.4564230.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: IMG 003.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: aBYKwaZ.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.IMG 003.exe.43d8d90.3.raw.unpack, 4JJG6X.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.IMG 003.exe.43d8d90.3.raw.unpack, 4JJG6X.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.IMG 003.exe.43d8d90.3.raw.unpack, 8C78isHTVco.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.IMG 003.exe.43d8d90.3.raw.unpack, 8C78isHTVco.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.IMG 003.exe.43d8d90.3.raw.unpack, 8C78isHTVco.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.IMG 003.exe.43d8d90.3.raw.unpack, 8C78isHTVco.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.IMG 003.exe.43d8d90.3.raw.unpack, CqSP68Ir.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.IMG 003.exe.43d8d90.3.raw.unpack, CqSP68Ir.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.IMG 003.exe.7ab0000.5.raw.unpack, f0Pi2hT7uJL80FX4Rh.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.IMG 003.exe.7ab0000.5.raw.unpack, vCSyCTfIWhq3JOLxpn.cs | Security API names: _0020.SetAccessControl
Source: 0.2.IMG 003.exe.7ab0000.5.raw.unpack, vCSyCTfIWhq3JOLxpn.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.IMG 003.exe.7ab0000.5.raw.unpack, vCSyCTfIWhq3JOLxpn.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.IMG 003.exe.44bd220.2.raw.unpack, f0Pi2hT7uJL80FX4Rh.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.IMG 003.exe.44bd220.2.raw.unpack, vCSyCTfIWhq3JOLxpn.cs | Security API names: _0020.SetAccessControl
Source: 0.2.IMG 003.exe.44bd220.2.raw.unpack, vCSyCTfIWhq3JOLxpn.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.IMG 003.exe.44bd220.2.raw.unpack, vCSyCTfIWhq3JOLxpn.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@19/15@2/2
Source: C:\Users\user\Desktop\IMG 003.exe | File created: C:\Users\user\AppData\Roaming\aBYKwaZ.exe
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4484:120:WilError_03
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Mutant created: \Sessions\1\BaseNamedObjects\xcoDYPZI
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4600:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7640:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4884:120:WilError_03
Source: C:\Users\user\Desktop\IMG 003.exe | File created: C:\Users\user\AppData\Local\Temp\tmpFDAB.tmp
Source: IMG 003.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: IMG 003.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\IMG 003.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\IMG 003.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\IMG 003.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\IMG 003.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\IMG 003.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\IMG 003.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\IMG 003.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\IMG 003.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\IMG 003.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\IMG 003.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\IMG 003.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: IMG 003.exeReversingLabs: Detection: 31%
                  Source: IMG 003.exeVirustotal: Detection: 40%
                  Source: C:\Users\user\Desktop\IMG 003.exeFile read: C:\Users\user\Desktop\IMG 003.exeJump to behavior
                  Source: unknown | Process created: C:\Users\user\Desktop\IMG 003.exe "C:\Users\user\Desktop\IMG 003.exe"
                  Source: C:\Users\user\Desktop\IMG 003.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\IMG 003.exe"
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\IMG 003.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\aBYKwaZ.exe"
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\IMG 003.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aBYKwaZ" /XML "C:\Users\user\AppData\Local\Temp\tmpFDAB.tmp"
                  Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\IMG 003.exe | Process created: C:\Users\user\Desktop\IMG 003.exe "C:\Users\user\Desktop\IMG 003.exe"
                  Source: unknown | Process created: C:\Users\user\AppData\Roaming\aBYKwaZ.exe C:\Users\user\AppData\Roaming\aBYKwaZ.exe
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aBYKwaZ" /XML "C:\Users\user\AppData\Local\Temp\tmp170F.tmp"
                  Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Process created: C:\Users\user\AppData\Roaming\aBYKwaZ.exe "C:\Users\user\AppData\Roaming\aBYKwaZ.exe"
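The process chain above is the whole AgentTesla installer in three moves: PowerShell adds a Defender path exclusion for the dropper and for the copy in %APPDATA%, schtasks imports a task definition from a .tmp file in %TEMP%, and the dropper then spawns a second copy of itself (the usual prelude to injecting the payload into it). The following is an added example, not Joe Sandbox output, that turns those three behaviours into detection rules and runs them over Sysmon-style process-creation records. The records are constructed from the command lines in the report, plus one constructed PowerShell -EncodedCommand variant of the same exclusion and one constructed benign schtasks control; field names (Image, ParentImage, CommandLine) follow Sysmon Event ID 1.

```python
"""Triage of the process-creation chain above: Defender exclusion via
Add-MpPreference, schtasks /Create importing a task from %TEMP%, and a binary
in a user-writable path spawning a copy of itself. Added example, not Joe
Sandbox output; the event records are constructed from the report's command
lines plus one constructed -EncodedCommand variant and one benign control."""
import base64
import binascii
import re
from typing import Dict, List, Optional

# Rule 1: an exclusion added through the Defender preference cmdlets.
MPPREF_RE = re.compile(
    r"(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Process|Extension|IpAddress)", re.I)
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_RE = re.compile(r"(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.I)
# Rule 2: schtasks /Create whose /XML definition lives in a temp directory.
SCHTASKS_XML_RE = re.compile(r'/create\b.*?/xml\s+"?([^"\s]+)', re.I)
TASKNAME_RE = re.compile(r'/tn\s+"?([^"\s]+)', re.I)
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
# Rule 3: a process whose image equals its parent's image, in a user-writable path.
USER_WRITABLE = ("\\users\\", "\\programdata\\")


def encode_command(script: str) -> str:
    """Produce the -EncodedCommand form (UTF-16LE, base64) of a script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyze_events(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    findings: List[Dict[str, object]] = []
    for ev in events:
        image, parent, cmd = ev["Image"], ev.get("ParentImage", ""), ev.get("CommandLine", "")
        if basename(image) == "powershell.exe":
            decoded = decode_encoded_command(cmd)
            script = decoded if decoded is not None else cmd  # inspect the decoded script
            if MPPREF_RE.search(script):
                findings.append({"rule": "defender_exclusion", "parent": parent,
                                 "encoded": decoded is not None, "detail": script.strip()})
        elif basename(image) == "schtasks.exe":
            m = SCHTASKS_XML_RE.search(cmd)
            if m and any(t in m.group(1).lower() for t in TEMP_DIRS):
                tn = TASKNAME_RE.search(cmd)
                findings.append({"rule": "scheduled_task_from_temp", "parent": parent,
                                 "task": tn.group(1) if tn else "", "detail": m.group(1)})
        if image and image.lower() == parent.lower() and any(p in image.lower() for p in USER_WRITABLE):
            findings.append({"rule": "self_spawn_user_writable", "parent": parent, "detail": image})
    return findings


# Constructed records; the first five mirror the report's process-creation lines.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ParentImage": "", "Image": r"C:\Users\user\Desktop\IMG 003.exe",
     "CommandLine": r'"C:\Users\user\Desktop\IMG 003.exe"'},
    {"ParentImage": r"C:\Users\user\Desktop\IMG 003.exe",
     "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\IMG 003.exe"'},
    {"ParentImage": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"ParentImage": r"C:\Users\user\Desktop\IMG 003.exe",
     "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aBYKwaZ" /XML "C:\Users\user\AppData\Local\Temp\tmpFDAB.tmp"'},
    {"ParentImage": r"C:\Users\user\Desktop\IMG 003.exe",
     "Image": r"C:\Users\user\Desktop\IMG 003.exe",
     "CommandLine": r'"C:\Users\user\Desktop\IMG 003.exe"'},
    # Constructed: the same exclusion hidden behind -EncodedCommand (not in the report).
    {"ParentImage": r"C:\Users\user\Desktop\IMG 003.exe",
     "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + encode_command(
         r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\aBYKwaZ.exe"')},
    # Constructed benign control: task imported from a non-temp location, not flagged.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Create /TN "Backup" /XML "C:\ProgramData\Backup\task.xml"'},
]

if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print(f"{f['rule']:26} parent={basename(str(f['parent'])) or '-':14} {f['detail']}")
```

Four findings come out: both exclusion commands (the plaintext one and the decoded one), the task import from %TEMP%, and the self-spawn of IMG 003.exe. Rule 1 inspects the decoded script rather than the raw command line so that the base64 form is caught by the same regex; in production the parent path (a Desktop or AppData binary) is what lifts each of these from "noisy" to "alert".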
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: mscoree.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: apphelp.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: version.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: profapi.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: cryptsp.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: rsaenh.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: dwrite.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: textshaping.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: userenv.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: msasn1.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: gpapi.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: windowscodecs.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: propsys.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: edputil.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: urlmon.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: iertutil.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: srvcli.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: netutils.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: windows.staterepositoryps.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: sspicli.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: wintypes.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: appresolver.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: bcp47langs.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: slc.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: sppc.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: onecorecommonproxystub.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: ntmarta.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                  Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
                  Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: mscoree.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: version.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: profapi.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: cryptsp.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: rsaenh.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: wbemcomn.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: userenv.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: sspicli.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: rasapi32.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: rasman.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: rtutils.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: mswsock.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: winhttp.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: iphlpapi.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: dhcpcsvc6.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: dhcpcsvc.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: dnsapi.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: winnsi.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: rasadhlp.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: fwpuclnt.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: secur32.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: schannel.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: mskeyprotect.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: ntasn1.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: ncrypt.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: ncryptsslp.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: msasn1.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: gpapi.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: vaultcli.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: wintypes.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: edputil.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Section loaded: windowscodecs.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: profapi.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: dwrite.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: textshaping.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: amsi.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: userenv.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: msasn1.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: gpapi.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: windowscodecs.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: propsys.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: edputil.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: urlmon.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: netutils.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: windows.staterepositoryps.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: wintypes.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: appresolver.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: bcp47langs.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: slc.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: sppc.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: onecorecommonproxystub.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
                  Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
                  Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: profapi.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: wbemcomn.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: amsi.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: userenv.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: rasapi32.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: rasman.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: rtutils.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: mswsock.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: winhttp.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: dhcpcsvc6.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: dhcpcsvc.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: dnsapi.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: winnsi.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: rasadhlp.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: fwpuclnt.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: secur32.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: schannel.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: mskeyprotect.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: ntasn1.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: ncrypt.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: ncryptsslp.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: msasn1.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: gpapi.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: vaultcli.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: wintypes.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: edputil.dll
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Section loaded: windowscodecs.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                  Source: Window Recorder | Window detected: More than 3 window changes detected
                  Source: C:\Users\user\Desktop\IMG 003.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: C:\Users\user\Desktop\IMG 003.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                  Source: IMG 003.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: IMG 003.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: IMG 003.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: frGi.pdb | source: IMG 003.exe, aBYKwaZ.exe.0.dr
                  Source: Binary string: frGi.pdbSHA256 | source: IMG 003.exe, aBYKwaZ.exe.0.dr

                  Data Obfuscation

                  Source: IMG 003.exe, MainForm.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
                  Source: aBYKwaZ.exe.0.dr, MainForm.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.IMG 003.exe.95f0000.6.raw.unpack, -Module-.cs | .Net Code: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.IMG 003.exe.95f0000.6.raw.unpack, PingPong.cs | .Net Code: _206E_206D_206E_206E_202E_202E_200C_206A_202D_206E_200C_202B_200F_206E_200B_202E_200E_202A_202D_200E_200E_200E_200E_202B_200E_202C_200C_200B_202C_202D_200C_202A_200B_200C_206D_206B_202B_202A_202E_200C_202E System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.IMG 003.exe.7ab0000.5.raw.unpack, vCSyCTfIWhq3JOLxpn.cs | .Net Code: nMkImFVXFc System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.IMG 003.exe.44bd220.2.raw.unpack, vCSyCTfIWhq3JOLxpn.cs | .Net Code: nMkImFVXFc System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.IMG 003.exe.331b4d4.1.raw.unpack, -Module-.cs | .Net Code: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.IMG 003.exe.331b4d4.1.raw.unpack, PingPong.cs | .Net Code: _206E_206D_206E_206E_202E_202E_200C_206A_202D_206E_200C_202B_200F_206E_200B_202E_200E_202A_202D_200E_200E_200E_200E_202B_200E_202C_200C_200B_202C_202D_200C_202A_200B_200C_206D_206B_202B_202A_202E_200C_202E System.Reflection.Assembly.Load(byte[])
                  Source: IMG 003.exeStatic PE information: 0xE8A28A03 [Sat Sep 5 05:17:55 2093 UTC]
                  Source: C:\Users\user\Desktop\IMG 003.exe | Code function: 0_2_019204EA push edx; ret 0_2_019204EB
                  Source: C:\Users\user\Desktop\IMG 003.exe | Code function: 0_2_01923618 push esp; iretd 0_2_01923621
                  Source: C:\Users\user\Desktop\IMG 003.exe | Code function: 8_2_012F0C55 push edi; retf 8_2_012F0C7A
                  Source: C:\Users\user\Desktop\IMG 003.exe | Code function: 8_2_06CB8418 push ebx; ret 8_2_06CB841A
                  Source: C:\Users\user\Desktop\IMG 003.exe | Code function: 8_2_06CB8833 push esi; ret 8_2_06CB8836
                  Source: C:\Users\user\Desktop\IMG 003.exe | Code function: 8_2_06CB8830 push edi; ret 8_2_06CB8832
                  Source: C:\Users\user\Desktop\IMG 003.exe | Code function: 8_2_06CB496B push ss; ret 8_2_06CB496E
                  Source: C:\Users\user\Desktop\IMG 003.exe | Code function: 8_2_06DA6C33 push es; ret 8_2_06DA6C40
                  Source: C:\Users\user\Desktop\IMG 003.exe | Code function: 8_2_06DA7670 push esp; iretd 8_2_06DA7679
                  Source: C:\Users\user\Desktop\IMG 003.exe | Code function: 8_2_06DA7C24 push esp; iretd 8_2_06DA7C2D
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Code function: 9_2_0DCCE905 push FFFFFF8Bh; iretd 9_2_0DCCE907
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Code function: 9_2_0DCC04EA push edx; ret 9_2_0DCC04EB
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Code function: 9_2_0DCC3618 push esp; iretd 9_2_0DCC3621
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Code function: 13_2_00D00617 push edx; retf 13_2_00D0061A
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Code function: 13_2_00D00838 push edx; retf 13_2_00D00846
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Code function: 13_2_00D00C55 push edi; retf 13_2_00D00C7A
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Code function: 13_2_067A6C32 push es; ret 13_2_067A6C40
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Code function: 13_2_067A7670 push esp; iretd 13_2_067A7679
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Code function: 13_2_067A11B5 push ebx; retf 13_2_067A11BC
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Code function: 13_2_067A7C24 push esp; iretd 13_2_067A7C2D
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Code function: 13_2_067A7944 push ebx; retf 13_2_067A7945
                  Source: IMG 003.exe | Static PE information: section name: .text entropy: 7.544396745144058
                  Source: aBYKwaZ.exe.0.dr | Static PE information: section name: .text entropy: 7.544396745144058
                  Source: 0.2.IMG 003.exe.7ab0000.5.raw.unpack, XSIdLuSHVVMbXEBnRk.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'kyBVc9CvEL', 'HI2VaNvHf0', 'KjlVzJRVyL', 'R6rqHxj2Qj', 'MWPqAxDpBq', 'tW4qVOFeWB', 'lkqqqyf1c0', 'qM68DNsUKJ1vMRVARev'
                  Source: 0.2.IMG 003.exe.7ab0000.5.raw.unpack, h3CmZSIWZKFQJ3whsE.cs | High entropy of concatenated method names: 'FX9Au0Pi2h', 'zuJAfL80FX', 'sEQAO7EJHg', 'FmhAYiprwA', 'J8lAnswXxo', 'R7eA1qglrv', 'R2th4bjNqmNcgs0vVF', 'tKrWHhlb7fdnB4aE51', 'uLrAA9UNVY', 'C52AqebgjE'
                  Source: 0.2.IMG 003.exe.7ab0000.5.raw.unpack, UcyrsfJpC81Cwfa1WS.cs | High entropy of concatenated method names: 'a3yu9S240r', 'aR5uSAOUNE', 'j6Hu8uQ3ah', 'LJR8asdiEG', 'GU78zuabnO', 'MDvuHhhfdH', 'pH4uAJOGh2', 'Kq0uVcuk3J', 'VX4uqFRw3k', 'iOhuIbtgKn'
                  Source: 0.2.IMG 003.exe.7ab0000.5.raw.unpack, DIC77dcbVGfb0ZKQVI.cs | High entropy of concatenated method names: 'XEeU4GwqeU', 'H4eU3jX6YF', 'stQUkePExK', 'ftKUDvK9c6', 'edDU2gm4fN', 'uDGULaNns8', 'Next', 'Next', 'Next', 'NextBytes'
                  Source: 0.2.IMG 003.exe.7ab0000.5.raw.unpack, xxo27e4qglrvAQrsmi.cs | High entropy of concatenated method names: 'L9J8j4Avtb', 'oPn8GaLDvR', 'cm58FABb2P', 'MSc8u4ZlX4', 'LHZ8fd85Oe', 'ongFEiNraw', 'QkWFpMd2RO', 'UisFZFcy2y', 'mLlF0DjUm8', 'rLMFcFFVet'
                  Source: 0.2.IMG 003.exe.7ab0000.5.raw.unpack, xrw0tlAqqY7H3tKyYi0.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Fmld2etOMC', 'XycdRv6MOt', 'WkBdwx3NcU', 'vSRdhxflqx', 'Q0QdEx2JiP', 'bfqdpS4NHv', 'hIkdZ97os2'
                  Source: 0.2.IMG 003.exe.7ab0000.5.raw.unpack, IDqXVQV0QpWLHAPx2x.cs | High entropy of concatenated method names: 'Sdom3opLx', 'ouf7f70Cf', 'd5otjZnwW', 'Bn6y8U6Uf', 'k61PjhHEZ', 'sfx5Wlr5w', 'haS3Q7EkOSsxBWUSvt', 'sgHS71fOMkSjeI4qXo', 'SHNUZPvBu', 'CIGdWsr7C'
                  Source: 0.2.IMG 003.exe.7ab0000.5.raw.unpack, vWh1BKpdAe6ULESqsB.cs | High entropy of concatenated method names: 'xvti0jENeD', 'KjmiaV5aGF', 'pPnUH4odtW', 'iZMUAns2NU', 'e9RiBHPj60', 'dDmiNo3eOe', 'tsoivmMOAq', 'Gj3i2RFJEM', 'NKNiRfFy1q', 'AvRiwnyhut'
                  Source: 0.2.IMG 003.exe.7ab0000.5.raw.unpack, HTRRXi25oIY0C1PIAY.cs | High entropy of concatenated method names: 'Nran6huSIp', 'b09nNl42rA', 'rban2J9ilq', 'DZXnRSAMf8', 'TZqn34ejWV', 'AjbnkELx4d', 'u7DnDRGdt2', 'PpTnLfqCxF', 'wl1nWn8Sjv', 'saGnJHC1eg'
                  Source: 0.2.IMG 003.exe.7ab0000.5.raw.unpack, a4CNNYw48AkfsbTdWY.cs | High entropy of concatenated method names: 'ToString', 'aDa1BjGjBN', 'ihT13Tc0PB', 'njW1kxRBwG', 's721DjkPg2', 'Aa21LP9CDh', 'h1f1W6UPkU', 'iri1J9uU5Q', 'qck1ly9L0L', 'zAm1bRqINo'
                  Source: 0.2.IMG 003.exe.7ab0000.5.raw.unpack, OAZtfoGelWqo8FNBrD.cs | High entropy of concatenated method names: 'Dispose', 'g2OAcXoIwx', 'uuOV3Pr1KI', 'BDj99cY5g4', 'ebfAahJ2PH', 'zoXAzP58iy', 'ProcessDialogKey', 'B9yVHIC77d', 'MVGVAfb0ZK', 'tVIVVXATW3'
                  Source: 0.2.IMG 003.exe.7ab0000.5.raw.unpack, Y8MTZFAH1SfBEO3hiI0.cs | High entropy of concatenated method names: 'dcnxoO9EWK', 'hPQxKnweWN', 'Qdrxmtmq9Q', 'aTJx70Ty2t', 'zhJxgBMHpH', 'SPextngJnL', 'lP0xyQT1G4', 'FICxTupXj9', 'lgexP7xk46', 'gUBx5i26aL'
                  Source: 0.2.IMG 003.exe.7ab0000.5.raw.unpack, aa5nAO3deR1t0CtJ8c.cs | High entropy of concatenated method names: 'jr4GBuhFl0y64dYGpIb', 'FNbtCFhAmamDjeJRTum', 'QtY8Unhyuk', 'Mv18xWCptP', 'Eb38dBKc2N', 'ItHelshis1EZVAiCB1l', 'Cu4oNKhdVS61DgiokBK'
                  Source: 0.2.IMG 003.exe.7ab0000.5.raw.unpack, VrwABt5xyMU7KL8lsw.cs | High entropy of concatenated method names: 'gUpFgUJ1g5', 'INJFy0ppFi', 'V6MSkCCPlT', 'CXGSDa0aM6', 'JDHSLfRO08', 'Ka6SWfFrsY', 'CeXSJe4Ofj', 'Do2SlkFi9o', 'jwBSbMqXcY', 'D8wS6Rgsey'
                  Source: 0.2.IMG 003.exe.7ab0000.5.raw.unpack, vCSyCTfIWhq3JOLxpn.cs | High entropy of concatenated method names: 'vkIqjaC0bO', 'yPAq9e2jcq', 'WQaqGduPh9', 'YDOqSON9P6', 'CUoqFqqOEB', 'KL1q8DAshB', 'CWCqumIODW', 'evHqfihcs0', 'PP2qCVDZSv', 'bsDqOBX3TB'
                  Source: 0.2.IMG 003.exe.7ab0000.5.raw.unpack, nXy3Qav2iClUHmsmKf.cs | High entropy of concatenated method names: 'LiBMTnNPAj', 'NkYMPUFmtk', 'lNjM4sHHFI', 'ocxM39f144', 'RCLMDu01hY', 'ViwMLYZLFA', 'GO3MJoOmXS', 'T3iMlkrCdL', 'jJAM6hpHA0', 'IrmMBDQgAf'
                  Source: 0.2.IMG 003.exe.7ab0000.5.raw.unpack, f0Pi2hT7uJL80FX4Rh.cs | High entropy of concatenated method names: 'hF9G2Ks7OB', 'aOKGRd2dAR', 'YEBGwgrWB6', 'bLsGhHaOkW', 'rJOGEFI0NO', 'Fu2Gp2rrVs', 'NtAGZPcTPP', 'DGKG0LXSLV', 'IgBGcb301K', 'oktGa6RPqq'
                  Source: 0.2.IMG 003.exe.7ab0000.5.raw.unpack, FRvlGNAATApnSHHZXZS.cs | High entropy of concatenated method names: 'ToString', 'pHpdqGovfT', 'mMGdI3Y6kJ', 'sfOdjr0FWo', 'TH4d9NvLvt', 'VP1dGt6PNT', 'WlxdSwxX47', 'rDvdF3yqt0', 'BKwUFgUrhFBkdpbOKSq', 'GDBoq5UQFXgAl82TfOu'
                  Source: 0.2.IMG 003.exe.7ab0000.5.raw.unpack, xATW3Naow795m2pvhD.cs | High entropy of concatenated method names: 'glvxAeu2ve', 'N2XxqJZTGr', 'pXsxIS0GOW', 'DeNx9OE07l', 'DcIxGGhs26', 'sTSxFvDvUJ', 'fuHx8qNEsj', 'qB0UZyE8eq', 'tcMU0OC33q', 'ShoUcV9Csx'
                  Source: 0.2.IMG 003.exe.7ab0000.5.raw.unpack, TflZ91bZCGQd4nk0Hs.cs | High entropy of concatenated method names: 'VXouovTkyg', 'SFAuKqRvKQ', 'UqTum5RQwg', 'dLOu7Ekf9j', 'r9GugTvVGP', 'DdsutV6ncg', 'HTIuy8f8xh', 'tc0uTXJ3jH', 'oEbuPbum6i', 'Sibu5kSAdL'
                  Source: 0.2.IMG 003.exe.7ab0000.5.raw.unpack, MfhJ2P0HmoXP58iyg9.cs | High entropy of concatenated method names: 'fjxU9TmNex', 'fdgUGuQLuo', 'kVHUSdCNER', 'cHVUFscTOs', 'fdMU8HXHKx', 'WKsUujAAKh', 'X87UfNpUoL', 'KW8UCrSJo8', 'ixUUOfIimE', 'qqgUYWccTf'
                  Source: 0.2.IMG 003.exe.7ab0000.5.raw.unpack, DPuwadPEQ7EJHg5mhi.cs | High entropy of concatenated method names: 'c2VS7BEZHX', 'nBNSt78kZh', 'GHXSTbDXx4', 'Qe5SP4AvZJ', 'FViSnsCWiE', 'CRPS1cMjoG', 'agCSiOjhcF', 'DyYSUHWud3', 'PNSSxmYo68', 'PPZSduHlOr'
                  Source: 0.2.IMG 003.exe.44bd220.2.raw.unpack, XSIdLuSHVVMbXEBnRk.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'kyBVc9CvEL', 'HI2VaNvHf0', 'KjlVzJRVyL', 'R6rqHxj2Qj', 'MWPqAxDpBq', 'tW4qVOFeWB', 'lkqqqyf1c0', 'qM68DNsUKJ1vMRVARev'
                  Source: 0.2.IMG 003.exe.44bd220.2.raw.unpack, h3CmZSIWZKFQJ3whsE.cs | High entropy of concatenated method names: 'FX9Au0Pi2h', 'zuJAfL80FX', 'sEQAO7EJHg', 'FmhAYiprwA', 'J8lAnswXxo', 'R7eA1qglrv', 'R2th4bjNqmNcgs0vVF', 'tKrWHhlb7fdnB4aE51', 'uLrAA9UNVY', 'C52AqebgjE'
                  Source: 0.2.IMG 003.exe.44bd220.2.raw.unpack, UcyrsfJpC81Cwfa1WS.cs | High entropy of concatenated method names: 'a3yu9S240r', 'aR5uSAOUNE', 'j6Hu8uQ3ah', 'LJR8asdiEG', 'GU78zuabnO', 'MDvuHhhfdH', 'pH4uAJOGh2', 'Kq0uVcuk3J', 'VX4uqFRw3k', 'iOhuIbtgKn'
                  Source: 0.2.IMG 003.exe.44bd220.2.raw.unpack, DIC77dcbVGfb0ZKQVI.cs | High entropy of concatenated method names: 'XEeU4GwqeU', 'H4eU3jX6YF', 'stQUkePExK', 'ftKUDvK9c6', 'edDU2gm4fN', 'uDGULaNns8', 'Next', 'Next', 'Next', 'NextBytes'
                  Source: 0.2.IMG 003.exe.44bd220.2.raw.unpack, xxo27e4qglrvAQrsmi.cs | High entropy of concatenated method names: 'L9J8j4Avtb', 'oPn8GaLDvR', 'cm58FABb2P', 'MSc8u4ZlX4', 'LHZ8fd85Oe', 'ongFEiNraw', 'QkWFpMd2RO', 'UisFZFcy2y', 'mLlF0DjUm8', 'rLMFcFFVet'
                  Source: 0.2.IMG 003.exe.44bd220.2.raw.unpack, xrw0tlAqqY7H3tKyYi0.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Fmld2etOMC', 'XycdRv6MOt', 'WkBdwx3NcU', 'vSRdhxflqx', 'Q0QdEx2JiP', 'bfqdpS4NHv', 'hIkdZ97os2'
                  Source: 0.2.IMG 003.exe.44bd220.2.raw.unpack, IDqXVQV0QpWLHAPx2x.cs | High entropy of concatenated method names: 'Sdom3opLx', 'ouf7f70Cf', 'd5otjZnwW', 'Bn6y8U6Uf', 'k61PjhHEZ', 'sfx5Wlr5w', 'haS3Q7EkOSsxBWUSvt', 'sgHS71fOMkSjeI4qXo', 'SHNUZPvBu', 'CIGdWsr7C'
                  Source: 0.2.IMG 003.exe.44bd220.2.raw.unpack, vWh1BKpdAe6ULESqsB.cs | High entropy of concatenated method names: 'xvti0jENeD', 'KjmiaV5aGF', 'pPnUH4odtW', 'iZMUAns2NU', 'e9RiBHPj60', 'dDmiNo3eOe', 'tsoivmMOAq', 'Gj3i2RFJEM', 'NKNiRfFy1q', 'AvRiwnyhut'
                  Source: 0.2.IMG 003.exe.44bd220.2.raw.unpack, HTRRXi25oIY0C1PIAY.cs | High entropy of concatenated method names: 'Nran6huSIp', 'b09nNl42rA', 'rban2J9ilq', 'DZXnRSAMf8', 'TZqn34ejWV', 'AjbnkELx4d', 'u7DnDRGdt2', 'PpTnLfqCxF', 'wl1nWn8Sjv', 'saGnJHC1eg'
                  Source: 0.2.IMG 003.exe.44bd220.2.raw.unpack, a4CNNYw48AkfsbTdWY.cs | High entropy of concatenated method names: 'ToString', 'aDa1BjGjBN', 'ihT13Tc0PB', 'njW1kxRBwG', 's721DjkPg2', 'Aa21LP9CDh', 'h1f1W6UPkU', 'iri1J9uU5Q', 'qck1ly9L0L', 'zAm1bRqINo'
                  Source: 0.2.IMG 003.exe.44bd220.2.raw.unpack, OAZtfoGelWqo8FNBrD.cs | High entropy of concatenated method names: 'Dispose', 'g2OAcXoIwx', 'uuOV3Pr1KI', 'BDj99cY5g4', 'ebfAahJ2PH', 'zoXAzP58iy', 'ProcessDialogKey', 'B9yVHIC77d', 'MVGVAfb0ZK', 'tVIVVXATW3'
                  Source: 0.2.IMG 003.exe.44bd220.2.raw.unpack, Y8MTZFAH1SfBEO3hiI0.cs | High entropy of concatenated method names: 'dcnxoO9EWK', 'hPQxKnweWN', 'Qdrxmtmq9Q', 'aTJx70Ty2t', 'zhJxgBMHpH', 'SPextngJnL', 'lP0xyQT1G4', 'FICxTupXj9', 'lgexP7xk46', 'gUBx5i26aL'
                  Source: 0.2.IMG 003.exe.44bd220.2.raw.unpack, aa5nAO3deR1t0CtJ8c.cs | High entropy of concatenated method names: 'jr4GBuhFl0y64dYGpIb', 'FNbtCFhAmamDjeJRTum', 'QtY8Unhyuk', 'Mv18xWCptP', 'Eb38dBKc2N', 'ItHelshis1EZVAiCB1l', 'Cu4oNKhdVS61DgiokBK'
                  Source: 0.2.IMG 003.exe.44bd220.2.raw.unpack, VrwABt5xyMU7KL8lsw.cs | High entropy of concatenated method names: 'gUpFgUJ1g5', 'INJFy0ppFi', 'V6MSkCCPlT', 'CXGSDa0aM6', 'JDHSLfRO08', 'Ka6SWfFrsY', 'CeXSJe4Ofj', 'Do2SlkFi9o', 'jwBSbMqXcY', 'D8wS6Rgsey'
                  Source: 0.2.IMG 003.exe.44bd220.2.raw.unpack, vCSyCTfIWhq3JOLxpn.cs | High entropy of concatenated method names: 'vkIqjaC0bO', 'yPAq9e2jcq', 'WQaqGduPh9', 'YDOqSON9P6', 'CUoqFqqOEB', 'KL1q8DAshB', 'CWCqumIODW', 'evHqfihcs0', 'PP2qCVDZSv', 'bsDqOBX3TB'
                  Source: 0.2.IMG 003.exe.44bd220.2.raw.unpack, nXy3Qav2iClUHmsmKf.cs | High entropy of concatenated method names: 'LiBMTnNPAj', 'NkYMPUFmtk', 'lNjM4sHHFI', 'ocxM39f144', 'RCLMDu01hY', 'ViwMLYZLFA', 'GO3MJoOmXS', 'T3iMlkrCdL', 'jJAM6hpHA0', 'IrmMBDQgAf'
                  Source: 0.2.IMG 003.exe.44bd220.2.raw.unpack, f0Pi2hT7uJL80FX4Rh.cs | High entropy of concatenated method names: 'hF9G2Ks7OB', 'aOKGRd2dAR', 'YEBGwgrWB6', 'bLsGhHaOkW', 'rJOGEFI0NO', 'Fu2Gp2rrVs', 'NtAGZPcTPP', 'DGKG0LXSLV', 'IgBGcb301K', 'oktGa6RPqq'
                  Source: 0.2.IMG 003.exe.44bd220.2.raw.unpack, FRvlGNAATApnSHHZXZS.cs | High entropy of concatenated method names: 'ToString', 'pHpdqGovfT', 'mMGdI3Y6kJ', 'sfOdjr0FWo', 'TH4d9NvLvt', 'VP1dGt6PNT', 'WlxdSwxX47', 'rDvdF3yqt0', 'BKwUFgUrhFBkdpbOKSq', 'GDBoq5UQFXgAl82TfOu'
                  Source: 0.2.IMG 003.exe.44bd220.2.raw.unpack, xATW3Naow795m2pvhD.cs | High entropy of concatenated method names: 'glvxAeu2ve', 'N2XxqJZTGr', 'pXsxIS0GOW', 'DeNx9OE07l', 'DcIxGGhs26', 'sTSxFvDvUJ', 'fuHx8qNEsj', 'qB0UZyE8eq', 'tcMU0OC33q', 'ShoUcV9Csx'
                  Source: 0.2.IMG 003.exe.44bd220.2.raw.unpack, TflZ91bZCGQd4nk0Hs.cs | High entropy of concatenated method names: 'VXouovTkyg', 'SFAuKqRvKQ', 'UqTum5RQwg', 'dLOu7Ekf9j', 'r9GugTvVGP', 'DdsutV6ncg', 'HTIuy8f8xh', 'tc0uTXJ3jH', 'oEbuPbum6i', 'Sibu5kSAdL'
                  Source: 0.2.IMG 003.exe.44bd220.2.raw.unpack, MfhJ2P0HmoXP58iyg9.cs | High entropy of concatenated method names: 'fjxU9TmNex', 'fdgUGuQLuo', 'kVHUSdCNER', 'cHVUFscTOs', 'fdMU8HXHKx', 'WKsUujAAKh', 'X87UfNpUoL', 'KW8UCrSJo8', 'ixUUOfIimE', 'qqgUYWccTf'
                  Source: 0.2.IMG 003.exe.44bd220.2.raw.unpack, DPuwadPEQ7EJHg5mhi.cs | High entropy of concatenated method names: 'c2VS7BEZHX', 'nBNSt78kZh', 'GHXSTbDXx4', 'Qe5SP4AvZJ', 'FViSnsCWiE', 'CRPS1cMjoG', 'agCSiOjhcF', 'DyYSUHWud3', 'PNSSxmYo68', 'PPZSduHlOr'
                  Source: C:\Users\user\Desktop\IMG 003.exe | File created: C:\Users\user\AppData\Roaming\aBYKwaZ.exe

                  Boot Survival

                  Source: C:\Users\user\Desktop\IMG 003.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aBYKwaZ" /XML "C:\Users\user\AppData\Local\Temp\tmpFDAB.tmp"

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                  Source: C:\Users\user\Desktop\IMG 003.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                  Source: C:\Users\user\Desktop\IMG 003.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                  Source: C:\Users\user\Desktop\IMG 003.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeProcess information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: Yara matchFile source: Process Memory Space: IMG 003.exe PID: 6676, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: aBYKwaZ.exe PID: 7456, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\IMG 003.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Source: C:\Users\user\Desktop\IMG 003.exeMemory allocated: 16F0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\IMG 003.exeMemory allocated: 32B0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\IMG 003.exeMemory allocated: 1890000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\IMG 003.exeMemory allocated: 9750000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\IMG 003.exeMemory allocated: A750000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\IMG 003.exeMemory allocated: A960000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\IMG 003.exeMemory allocated: B960000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\IMG 003.exeMemory allocated: BD90000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\IMG 003.exeMemory allocated: CD90000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\IMG 003.exeMemory allocated: 12F0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\IMG 003.exeMemory allocated: 3000000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\IMG 003.exeMemory allocated: 5000000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeMemory allocated: 1100000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeMemory allocated: 2AA0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeMemory allocated: 4AA0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeMemory allocated: 86D0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeMemory allocated: 96D0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeMemory allocated: 98C0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeMemory allocated: A8C0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeMemory allocated: AC90000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeMemory allocated: BC90000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeMemory allocated: CC90000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeMemory allocated: E030000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeMemory allocated: F030000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeMemory allocated: 10030000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeMemory allocated: 11030000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeMemory allocated: D00000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeMemory allocated: 2A70000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeMemory allocated: 29C0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\IMG 003.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\IMG 003.exeThread delayed: delay time: 1199940
                  Source: C:\Users\user\Desktop\IMG 003.exeThread delayed: delay time: 1199811
                  Source: C:\Users\user\Desktop\IMG 003.exeThread delayed: delay time: 1199702
                  Source: C:\Users\user\Desktop\IMG 003.exeThread delayed: delay time: 1199593
                  Source: C:\Users\user\Desktop\IMG 003.exeThread delayed: delay time: 1199484
                  Source: C:\Users\user\Desktop\IMG 003.exeThread delayed: delay time: 1199374
                  Source: C:\Users\user\Desktop\IMG 003.exeThread delayed: delay time: 1199265
                  Source: C:\Users\user\Desktop\IMG 003.exeThread delayed: delay time: 1199156
                  Source: C:\Users\user\Desktop\IMG 003.exeThread delayed: delay time: 1199047
                  Source: C:\Users\user\Desktop\IMG 003.exeThread delayed: delay time: 1198929
                  Source: C:\Users\user\Desktop\IMG 003.exeThread delayed: delay time: 1198828
                  Source: C:\Users\user\Desktop\IMG 003.exeThread delayed: delay time: 1198718
                  Source: C:\Users\user\Desktop\IMG 003.exeThread delayed: delay time: 1198609
                  Source: C:\Users\user\Desktop\IMG 003.exeThread delayed: delay time: 1198499
                  Source: C:\Users\user\Desktop\IMG 003.exeThread delayed: delay time: 1198390
                  Source: C:\Users\user\Desktop\IMG 003.exeThread delayed: delay time: 1198281
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeThread delayed: delay time: 1199953
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeThread delayed: delay time: 1199843
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeThread delayed: delay time: 1199734
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeThread delayed: delay time: 1199624
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeThread delayed: delay time: 1199515
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeThread delayed: delay time: 1199406
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeThread delayed: delay time: 1199284
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeThread delayed: delay time: 1199168
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeThread delayed: delay time: 1199046
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeThread delayed: delay time: 1198937
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeThread delayed: delay time: 1198828
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeThread delayed: delay time: 1198718
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeThread delayed: delay time: 1198609
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6468
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 594
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6997
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2246
                  Source: C:\Users\user\Desktop\IMG 003.exeWindow / User API: threadDelayed 3625
                  Source: C:\Users\user\Desktop\IMG 003.exeWindow / User API: threadDelayed 6209
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeWindow / User API: threadDelayed 7269
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeWindow / User API: threadDelayed 2585
                  Source: C:\Users\user\Desktop\IMG 003.exe TID: 6720Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2020Thread sleep count: 6468 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7144Thread sleep count: 594 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7288Thread sleep time: -1844674407370954s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7240Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7276Thread sleep time: -11068046444225724s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7224Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492Thread sleep time: -36893488147419080s >= -30000s
                  Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492Thread sleep time: -100000s >= -30000s
                  Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492Thread sleep time: -99890s >= -30000s
                  Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492Thread sleep time: -99778s >= -30000s
                  Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492Thread sleep time: -99671s >= -30000s
                  Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492Thread sleep time: -99562s >= -30000s
                  Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492Thread sleep time: -99453s >= -30000s
                  Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492Thread sleep time: -99343s >= -30000s
                  Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492Thread sleep time: -99234s >= -30000s
                  Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492Thread sleep time: -99124s >= -30000s
                  Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492Thread sleep time: -99015s >= -30000s
                  Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492Thread sleep time: -98879s >= -30000s
                  Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492Thread sleep time: -98765s >= -30000s
                  Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492Thread sleep time: -98656s >= -30000s
                  Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492Thread sleep time: -98546s >= -30000s
                  Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492Thread sleep time: -98437s >= -30000s
                  Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492Thread sleep time: -98328s >= -30000s
                  Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492Thread sleep time: -98218s >= -30000s
                  Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492Thread sleep time: -98109s >= -30000s
                  Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492Thread sleep time: -98000s >= -30000s
                  Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492Thread sleep time: -97889s >= -30000s
                  Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492Thread sleep time: -97767s >= -30000s
                  Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492Thread sleep time: -97640s >= -30000s
                  Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492Thread sleep time: -97531s >= -30000s
                  Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492Thread sleep time: -97420s >= -30000s
                  Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492Thread sleep time: -97311s >= -30000s
                  Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492Thread sleep time: -97203s >= -30000s
                  Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492Thread sleep time: -97092s >= -30000s
                  Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492Thread sleep time: -96984s >= -30000s
                  Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492Thread sleep time: -96871s >= -30000s
                  Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492Thread sleep time: -96765s >= -30000s
                  Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492Thread sleep time: -96656s >= -30000s
                  Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492Thread sleep time: -96544s >= -30000s
                  Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492Thread sleep time: -96428s >= -30000s
                  Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492Thread sleep time: -96312s >= -30000s
                  Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492Thread sleep time: -96194s >= -30000s
                  Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492Thread sleep time: -95921s >= -30000s
                  Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492Thread sleep time: -95725s >= -30000s
                  Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492Thread sleep time: -1199940s >= -30000s
                  Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492Thread sleep time: -1199811s >= -30000s
                  Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492Thread sleep time: -1199702s >= -30000s
                  Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492Thread sleep time: -1199593s >= -30000s
                  Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492Thread sleep time: -1199484s >= -30000s
                  Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492Thread sleep time: -1199374s >= -30000s
                  Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492Thread sleep time: -1199265s >= -30000s
                  Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492Thread sleep time: -1199156s >= -30000s
                  Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492Thread sleep time: -1199047s >= -30000s
                  Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492Thread sleep time: -1198929s >= -30000s
                  Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492Thread sleep time: -1198828s >= -30000s
                  Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492Thread sleep time: -1198718s >= -30000s
                  Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492Thread sleep time: -1198609s >= -30000s
                  Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492Thread sleep time: -1198499s >= -30000s
                  Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492Thread sleep time: -1198390s >= -30000s
                  Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492Thread sleep time: -1198281s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7480Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780Thread sleep time: -35048813740048126s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780Thread sleep time: -100000s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780Thread sleep time: -99874s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780Thread sleep time: -99765s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780Thread sleep time: -99653s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780Thread sleep time: -99546s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780Thread sleep time: -99436s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780Thread sleep time: -99309s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780Thread sleep time: -99202s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780Thread sleep time: -99087s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780Thread sleep time: -98937s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780Thread sleep time: -98742s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780Thread sleep time: -98517s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780Thread sleep time: -98334s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780Thread sleep time: -98194s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780Thread sleep time: -98078s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780Thread sleep time: -97968s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780Thread sleep time: -97859s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780Thread sleep time: -97749s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780Thread sleep time: -97640s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780Thread sleep time: -97531s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780Thread sleep time: -97421s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780Thread sleep time: -97312s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780Thread sleep time: -97203s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780Thread sleep time: -97092s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780Thread sleep time: -96984s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780Thread sleep time: -96873s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780Thread sleep time: -96765s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780Thread sleep time: -96656s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780Thread sleep time: -96544s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780Thread sleep time: -96437s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780Thread sleep time: -96326s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780Thread sleep time: -96218s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780Thread sleep time: -96109s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780Thread sleep time: -95999s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780Thread sleep time: -95890s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780Thread sleep time: -95781s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780Thread sleep time: -95671s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780Thread sleep time: -95562s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780Thread sleep time: -1199953s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780Thread sleep time: -1199843s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780Thread sleep time: -1199734s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780Thread sleep time: -1199624s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780Thread sleep time: -1199515s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780Thread sleep time: -1199406s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780Thread sleep time: -1199284s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780Thread sleep time: -1199168s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780Thread sleep time: -1199046s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780Thread sleep time: -1198937s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780Thread sleep time: -1198828s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780Thread sleep time: -1198718s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780Thread sleep time: -1198609s >= -30000s
                  Source: C:\Users\user\Desktop\IMG 003.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\IMG 003.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\IMG 003.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe -- Last function: Thread delayed (2 identical entries)
Source: C:\Users\user\Desktop\IMG 003.exe -- Thread delayed: delay time: 922337203685477 (2 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Thread delayed: delay time: 922337203685477 (4 identical entries)
Source: C:\Users\user\Desktop\IMG 003.exe -- Thread delayed: delay time: 100000
Source: C:\Users\user\Desktop\IMG 003.exe -- Thread delayed: delay time: 99890
Source: C:\Users\user\Desktop\IMG 003.exe -- Thread delayed: delay time: 99778
Source: C:\Users\user\Desktop\IMG 003.exe -- Thread delayed: delay time: 99671
Source: C:\Users\user\Desktop\IMG 003.exe -- Thread delayed: delay time: 99562
Source: C:\Users\user\Desktop\IMG 003.exe -- Thread delayed: delay time: 99453
Source: C:\Users\user\Desktop\IMG 003.exe -- Thread delayed: delay time: 99343
Source: C:\Users\user\Desktop\IMG 003.exe -- Thread delayed: delay time: 99234
Source: C:\Users\user\Desktop\IMG 003.exe -- Thread delayed: delay time: 99124
Source: C:\Users\user\Desktop\IMG 003.exe -- Thread delayed: delay time: 99015
Source: C:\Users\user\Desktop\IMG 003.exe -- Thread delayed: delay time: 98879
Source: C:\Users\user\Desktop\IMG 003.exe -- Thread delayed: delay time: 98765
Source: C:\Users\user\Desktop\IMG 003.exe -- Thread delayed: delay time: 98656
Source: C:\Users\user\Desktop\IMG 003.exe -- Thread delayed: delay time: 98546
Source: C:\Users\user\Desktop\IMG 003.exe -- Thread delayed: delay time: 98437
Source: C:\Users\user\Desktop\IMG 003.exe -- Thread delayed: delay time: 98328
Source: C:\Users\user\Desktop\IMG 003.exe -- Thread delayed: delay time: 98218
Source: C:\Users\user\Desktop\IMG 003.exe -- Thread delayed: delay time: 98109
Source: C:\Users\user\Desktop\IMG 003.exe -- Thread delayed: delay time: 98000
Source: C:\Users\user\Desktop\IMG 003.exe -- Thread delayed: delay time: 97889
Source: C:\Users\user\Desktop\IMG 003.exe -- Thread delayed: delay time: 97767
Source: C:\Users\user\Desktop\IMG 003.exe -- Thread delayed: delay time: 97640
Source: C:\Users\user\Desktop\IMG 003.exe -- Thread delayed: delay time: 97531
Source: C:\Users\user\Desktop\IMG 003.exe -- Thread delayed: delay time: 97420
Source: C:\Users\user\Desktop\IMG 003.exe -- Thread delayed: delay time: 97311
Source: C:\Users\user\Desktop\IMG 003.exe -- Thread delayed: delay time: 97203
Source: C:\Users\user\Desktop\IMG 003.exe -- Thread delayed: delay time: 97092
Source: C:\Users\user\Desktop\IMG 003.exe -- Thread delayed: delay time: 96984
Source: C:\Users\user\Desktop\IMG 003.exe -- Thread delayed: delay time: 96871
Source: C:\Users\user\Desktop\IMG 003.exe -- Thread delayed: delay time: 96765
Source: C:\Users\user\Desktop\IMG 003.exe -- Thread delayed: delay time: 96656
Source: C:\Users\user\Desktop\IMG 003.exe -- Thread delayed: delay time: 96544
Source: C:\Users\user\Desktop\IMG 003.exe -- Thread delayed: delay time: 96428
Source: C:\Users\user\Desktop\IMG 003.exe -- Thread delayed: delay time: 96312
Source: C:\Users\user\Desktop\IMG 003.exe -- Thread delayed: delay time: 96194
Source: C:\Users\user\Desktop\IMG 003.exe -- Thread delayed: delay time: 95921
Source: C:\Users\user\Desktop\IMG 003.exe -- Thread delayed: delay time: 95725
Source: C:\Users\user\Desktop\IMG 003.exe -- Thread delayed: delay time: 1199940
Source: C:\Users\user\Desktop\IMG 003.exe -- Thread delayed: delay time: 1199811
Source: C:\Users\user\Desktop\IMG 003.exe -- Thread delayed: delay time: 1199702
Source: C:\Users\user\Desktop\IMG 003.exe -- Thread delayed: delay time: 1199593
Source: C:\Users\user\Desktop\IMG 003.exe -- Thread delayed: delay time: 1199484
Source: C:\Users\user\Desktop\IMG 003.exe -- Thread delayed: delay time: 1199374
Source: C:\Users\user\Desktop\IMG 003.exe -- Thread delayed: delay time: 1199265
Source: C:\Users\user\Desktop\IMG 003.exe -- Thread delayed: delay time: 1199156
Source: C:\Users\user\Desktop\IMG 003.exe -- Thread delayed: delay time: 1199047
Source: C:\Users\user\Desktop\IMG 003.exe -- Thread delayed: delay time: 1198929
Source: C:\Users\user\Desktop\IMG 003.exe -- Thread delayed: delay time: 1198828
Source: C:\Users\user\Desktop\IMG 003.exe -- Thread delayed: delay time: 1198718
Source: C:\Users\user\Desktop\IMG 003.exe -- Thread delayed: delay time: 1198609
Source: C:\Users\user\Desktop\IMG 003.exe -- Thread delayed: delay time: 1198499
Source: C:\Users\user\Desktop\IMG 003.exe -- Thread delayed: delay time: 1198390
Source: C:\Users\user\Desktop\IMG 003.exe -- Thread delayed: delay time: 1198281
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe -- Thread delayed: delay time: 922337203685477 (2 identical entries)
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe -- Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe -- Thread delayed: delay time: 99874
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe -- Thread delayed: delay time: 99765
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe -- Thread delayed: delay time: 99653
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe -- Thread delayed: delay time: 99546
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe -- Thread delayed: delay time: 99436
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe -- Thread delayed: delay time: 99309
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe -- Thread delayed: delay time: 99202
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe -- Thread delayed: delay time: 99087
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe -- Thread delayed: delay time: 98937
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe -- Thread delayed: delay time: 98742
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe -- Thread delayed: delay time: 98517
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe -- Thread delayed: delay time: 98334
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe -- Thread delayed: delay time: 98194
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe -- Thread delayed: delay time: 98078
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe -- Thread delayed: delay time: 97968
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe -- Thread delayed: delay time: 97859
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe -- Thread delayed: delay time: 97749
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe -- Thread delayed: delay time: 97640
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe -- Thread delayed: delay time: 97531
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe -- Thread delayed: delay time: 97421
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe -- Thread delayed: delay time: 97312
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe -- Thread delayed: delay time: 97203
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe -- Thread delayed: delay time: 97092
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe -- Thread delayed: delay time: 96984
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe -- Thread delayed: delay time: 96873
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe -- Thread delayed: delay time: 96765
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe -- Thread delayed: delay time: 96656
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe -- Thread delayed: delay time: 96544
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe -- Thread delayed: delay time: 96437
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe -- Thread delayed: delay time: 96326
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe -- Thread delayed: delay time: 96218
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe -- Thread delayed: delay time: 96109
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe -- Thread delayed: delay time: 95999
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe -- Thread delayed: delay time: 95890
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe -- Thread delayed: delay time: 95781
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe -- Thread delayed: delay time: 95671
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe -- Thread delayed: delay time: 95562
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe -- Thread delayed: delay time: 1199953
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe -- Thread delayed: delay time: 1199843
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe -- Thread delayed: delay time: 1199734
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe -- Thread delayed: delay time: 1199624
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe -- Thread delayed: delay time: 1199515
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe -- Thread delayed: delay time: 1199406
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe -- Thread delayed: delay time: 1199284
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe -- Thread delayed: delay time: 1199168
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe -- Thread delayed: delay time: 1199046
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe -- Thread delayed: delay time: 1198937
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe -- Thread delayed: delay time: 1198828
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe -- Thread delayed: delay time: 1198718
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe -- Thread delayed: delay time: 1198609
Source: IMG 003.exe, 00000008.00000002.2916285074.0000000001460000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2915855945.0000000000DA9000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\IMG 003.exe -- Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Process token adjusted: Debug (2 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Process token adjusted: Debug (2 identical entries)
Source: C:\Users\user\Desktop\IMG 003.exe -- Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\IMG 003.exe -- Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\IMG 003.exe" (3 identical entries)
Source: C:\Users\user\Desktop\IMG 003.exe -- Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\aBYKwaZ.exe" (3 identical entries)
Source: C:\Users\user\Desktop\IMG 003.exe -- Memory written: C:\Users\user\Desktop\IMG 003.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe -- Memory written: C:\Users\user\AppData\Roaming\aBYKwaZ.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\IMG 003.exe -- Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aBYKwaZ" /XML "C:\Users\user\AppData\Local\Temp\tmpFDAB.tmp"
Source: C:\Users\user\Desktop\IMG 003.exe -- Process created: C:\Users\user\Desktop\IMG 003.exe "C:\Users\user\Desktop\IMG 003.exe"
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe -- Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aBYKwaZ" /XML "C:\Users\user\AppData\Local\Temp\tmp170F.tmp"
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe -- Process created: C:\Users\user\AppData\Roaming\aBYKwaZ.exe "C:\Users\user\AppData\Roaming\aBYKwaZ.exe"
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Users\user\Desktop\IMG 003.exe VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation (2 identical entries)
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation (2 identical entries)
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation (2 identical entries)
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation (2 identical entries)
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation (2 identical entries)
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation (3 identical entries)
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation (2 identical entries)
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe -- Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\IMG 003.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source | Behavior | Target
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
C:\Users\user\Desktop\IMG 003.exe | Queries volume information | C:\Users\user\Desktop\IMG 003.exe
C:\Users\user\Desktop\IMG 003.exe | Queries volume information | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\Users\user\Desktop\IMG 003.exe | Queries volume information | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll
C:\Users\user\Desktop\IMG 003.exe | Queries volume information | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
C:\Users\user\Desktop\IMG 003.exe | Queries volume information | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
C:\Users\user\Desktop\IMG 003.exe | Queries volume information | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Queries volume information | C:\Users\user\AppData\Roaming\aBYKwaZ.exe
C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Queries volume information | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Queries volume information | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll
C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Queries volume information | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Queries volume information | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Queries volume information | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
C:\Users\user\Desktop\IMG 003.exe | Key value queried | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

Yara matches:
File source | Type
0.2.IMG 003.exe.439e370.4.unpack | UNPACKEDPE
9.2.aBYKwaZ.exe.459ec50.2.unpack | UNPACKEDPE
0.2.IMG 003.exe.43d8d90.3.unpack | UNPACKEDPE
9.2.aBYKwaZ.exe.4564230.1.unpack | UNPACKEDPE
0.2.IMG 003.exe.43d8d90.3.raw.unpack | UNPACKEDPE
9.2.aBYKwaZ.exe.459ec50.2.raw.unpack | UNPACKEDPE
0.2.IMG 003.exe.439e370.4.raw.unpack | UNPACKEDPE
9.2.aBYKwaZ.exe.4564230.1.raw.unpack | UNPACKEDPE
00000008.00000002.2918405791.000000000307B000.00000004.00000800.00020000.00000000.sdmp | MEMORY
0000000D.00000002.2918450759.0000000002AEB000.00000004.00000800.00020000.00000000.sdmp | MEMORY
00000008.00000002.2918405791.0000000003083000.00000004.00000800.00020000.00000000.sdmp | MEMORY
00000008.00000002.2918405791.0000000003090000.00000004.00000800.00020000.00000000.sdmp | MEMORY
0000000D.00000002.2918450759.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp | MEMORY
0000000D.00000002.2918450759.0000000002B00000.00000004.00000800.00020000.00000000.sdmp | MEMORY
00000008.00000002.2918405791.0000000003051000.00000004.00000800.00020000.00000000.sdmp | MEMORY
00000000.00000002.1709332299.000000000439E000.00000004.00000800.00020000.00000000.sdmp | MEMORY
00000009.00000002.1772124355.0000000004564000.00000004.00000800.00020000.00000000.sdmp | MEMORY
Process Memory Space: IMG 003.exe PID: 6676 | MEMORYSTR
Process Memory Space: IMG 003.exe PID: 7252 | MEMORYSTR
Process Memory Space: aBYKwaZ.exe PID: 7456 | MEMORYSTR
Process Memory Space: aBYKwaZ.exe PID: 7680 | MEMORYSTR

Credential-store accesses (WinSCP sessions, browser login databases, FTP client lists, mail-client profiles):
Source | Behavior | Target
C:\Users\user\Desktop\IMG 003.exe | Key opened | HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Key opened | HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
C:\Users\user\AppData\Roaming\aBYKwaZ.exe | File opened | C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
C:\Users\user\AppData\Roaming\aBYKwaZ.exe | File opened | C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
C:\Users\user\AppData\Roaming\aBYKwaZ.exe | File opened | C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
C:\Users\user\AppData\Roaming\aBYKwaZ.exe | File opened | C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
C:\Users\user\AppData\Roaming\aBYKwaZ.exe | File opened | C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
C:\Users\user\AppData\Roaming\aBYKwaZ.exe | File opened | C:\FTP Navigator\Ftplist.txt
C:\Users\user\Desktop\IMG 003.exe | File opened | C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
C:\Users\user\Desktop\IMG 003.exe | Key opened | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
C:\Users\user\Desktop\IMG 003.exe | Key opened | HKEY_CURRENT_USER\Software\IncrediMail\Identities
C:\Users\user\AppData\Roaming\aBYKwaZ.exe | File opened | C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Key opened | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
C:\Users\user\AppData\Roaming\aBYKwaZ.exe | Key opened | HKEY_CURRENT_USER\Software\IncrediMail\Identities

Yara matches:
File source | Type
0.2.IMG 003.exe.439e370.4.unpack | UNPACKEDPE
9.2.aBYKwaZ.exe.459ec50.2.unpack | UNPACKEDPE
0.2.IMG 003.exe.43d8d90.3.unpack | UNPACKEDPE
9.2.aBYKwaZ.exe.4564230.1.unpack | UNPACKEDPE
0.2.IMG 003.exe.43d8d90.3.raw.unpack | UNPACKEDPE
9.2.aBYKwaZ.exe.459ec50.2.raw.unpack | UNPACKEDPE
0.2.IMG 003.exe.439e370.4.raw.unpack | UNPACKEDPE
9.2.aBYKwaZ.exe.4564230.1.raw.unpack | UNPACKEDPE
0000000D.00000002.2918450759.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp | MEMORY
00000008.00000002.2918405791.0000000003051000.00000004.00000800.00020000.00000000.sdmp | MEMORY
00000000.00000002.1709332299.000000000439E000.00000004.00000800.00020000.00000000.sdmp | MEMORY
00000009.00000002.1772124355.0000000004564000.00000004.00000800.00020000.00000000.sdmp | MEMORY
Process Memory Space: IMG 003.exe PID: 6676 | MEMORYSTR
Process Memory Space: IMG 003.exe PID: 7252 | MEMORYSTR
Process Memory Space: aBYKwaZ.exe PID: 7456 | MEMORYSTR
Process Memory Space: aBYKwaZ.exe PID: 7680 | MEMORYSTR
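The file and registry targets above are the useful detection surface in this section: no single one of them is suspicious on its own (Chrome reads its own Login Data, Thunderbird reads its own profiles.ini), but one process opening WinSCP sessions, two browsers' password stores, an FTP client list and three mail-client stores within seconds is. The following Python is an added example, not part of this report or of Joe Sandbox, that correlates file/registry access events against exactly those store paths and flags a process that touches several unrelated store families inside a short window. The event records, the owner allow-list, the family names and the threshold are constructed for the demo; the store paths are the ones the report attributes to IMG 003.exe and aBYKwaZ.exe.

```python
"""Flag a process that opens several unrelated credential stores.

Added example, not part of the Joe Sandbox report. The store patterns are the
file and registry targets the report attributes to IMG 003.exe / aBYKwaZ.exe;
the events, owner allow-list and threshold are constructed for the demo.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    pid: int
    image: str    # process image name, e.g. "aBYKwaZ.exe"
    target: str   # file path or registry key that was opened


# One regex per store family (family names are our own); matched
# case-insensitively against the target path or registry key.
CREDENTIAL_STORES = {
    "winscp": r"\\Martin Prikryl\\WinSCP 2\\Sessions$",
    "chromium": r"\\(Google\\Chrome|Microsoft\\Edge)\\User Data\\[^\\]+\\Login Data$",
    "gecko": r"\\(Mozilla\\Firefox|8pecxstudios\\Cyberfox|NETGATE Technologies\\BlackHawk)\\profiles\.ini$",
    "ftpnav": r"\\FTP Navigator\\Ftplist\.txt$",
    "thunderbird": r"\\Thunderbird\\profiles\.ini$",
    "mapi": r"\\Windows Messaging Subsystem\\Profiles$",
    "incredimail": r"\\IncrediMail\\Identities$",
}
_STORE_RX = {fam: re.compile(pat, re.IGNORECASE) for fam, pat in CREDENTIAL_STORES.items()}

# Assumed legitimate owners: an application reading its own store is not a finding.
STORE_OWNERS = {
    "winscp": {"winscp.exe"},
    "chromium": {"chrome.exe", "msedge.exe"},
    "gecko": {"firefox.exe", "cyberfox.exe", "blackhawk.exe"},
    "ftpnav": {"ftpnavigator.exe"},
    "thunderbird": {"thunderbird.exe"},
    "mapi": {"outlook.exe"},
    "incredimail": {"incmail.exe"},
}


def classify(target: str) -> str | None:
    """Return the store family a target belongs to, or None."""
    for fam, rx in _STORE_RX.items():
        if rx.search(target):
            return fam
    return None


def find_credential_harvesters(events, min_families: int = 3,
                               window: timedelta = timedelta(minutes=5)) -> dict:
    """Map (pid, image) -> sorted store families for every process that touches
    at least `min_families` distinct families within `window`."""
    hits: dict[tuple[int, str], list[tuple[datetime, str]]] = defaultdict(list)
    for ev in events:
        fam = classify(ev.target)
        if fam is None or ev.image.lower() in STORE_OWNERS[fam]:
            continue
        hits[(ev.pid, ev.image)].append((ev.ts, fam))

    findings = {}
    for key, seq in hits.items():
        seq.sort()
        for i, (start, _) in enumerate(seq):   # sliding window starting at each hit
            fams = {fam for ts, fam in seq[i:] if ts - start <= window}
            if len(fams) >= min_families:
                findings[key] = sorted(fams)
                break
    return findings


_T0 = datetime(2024, 7, 5, 7, 20, 0)


def _at(seconds: int) -> datetime:
    return _T0 + timedelta(seconds=seconds)


SAMPLE_EVENTS = [  # constructed; mirrors the accesses the report lists for aBYKwaZ.exe
    AccessEvent(_at(0), 7680, "aBYKwaZ.exe", r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"),
    AccessEvent(_at(1), 7680, "aBYKwaZ.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    AccessEvent(_at(1), 7680, "aBYKwaZ.exe", r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"),
    AccessEvent(_at(2), 7680, "aBYKwaZ.exe", r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    AccessEvent(_at(2), 7680, "aBYKwaZ.exe", r"C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini"),
    AccessEvent(_at(3), 7680, "aBYKwaZ.exe", r"C:\FTP Navigator\Ftplist.txt"),
    AccessEvent(_at(3), 7680, "aBYKwaZ.exe", r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
    AccessEvent(_at(4), 7680, "aBYKwaZ.exe", r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles"),
    AccessEvent(_at(4), 7680, "aBYKwaZ.exe", r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"),
    # benign: owners reading their own stores, and a backup job touching two families
    AccessEvent(_at(0), 4242, "chrome.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    AccessEvent(_at(0), 5100, "thunderbird.exe", r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
    AccessEvent(_at(10), 555, "backup.exe", r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    AccessEvent(_at(11), 555, "backup.exe", r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
]

if __name__ == "__main__":
    for (pid, image), fams in find_credential_harvesters(SAMPLE_EVENTS).items():
        print(f"{image} (PID {pid}) opened {len(fams)} credential store families: {', '.join(fams)}")
```

On the constructed events only aBYKwaZ.exe is reported (seven families within four seconds); the browser and mail client are skipped as owners, and backup.exe stays under the three-family threshold. In production the events come from Sysmon file-create/registry telemetry or an EDR, and the owner allow-list should be keyed on signed image paths rather than bare image names, since the report shows this family launching from C:\Users\user\AppData\Roaming with an arbitrary name.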

                  Remote Access Functionality

Yara matches:
File source | Type
0.2.IMG 003.exe.439e370.4.unpack | UNPACKEDPE
9.2.aBYKwaZ.exe.459ec50.2.unpack | UNPACKEDPE
0.2.IMG 003.exe.43d8d90.3.unpack | UNPACKEDPE
9.2.aBYKwaZ.exe.4564230.1.unpack | UNPACKEDPE
0.2.IMG 003.exe.43d8d90.3.raw.unpack | UNPACKEDPE
9.2.aBYKwaZ.exe.459ec50.2.raw.unpack | UNPACKEDPE
0.2.IMG 003.exe.439e370.4.raw.unpack | UNPACKEDPE
9.2.aBYKwaZ.exe.4564230.1.raw.unpack | UNPACKEDPE
00000008.00000002.2918405791.000000000307B000.00000004.00000800.00020000.00000000.sdmp | MEMORY
0000000D.00000002.2918450759.0000000002AEB000.00000004.00000800.00020000.00000000.sdmp | MEMORY
00000008.00000002.2918405791.0000000003083000.00000004.00000800.00020000.00000000.sdmp | MEMORY
00000008.00000002.2918405791.0000000003090000.00000004.00000800.00020000.00000000.sdmp | MEMORY
0000000D.00000002.2918450759.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp | MEMORY
0000000D.00000002.2918450759.0000000002B00000.00000004.00000800.00020000.00000000.sdmp | MEMORY
00000008.00000002.2918405791.0000000003051000.00000004.00000800.00020000.00000000.sdmp | MEMORY
00000000.00000002.1709332299.000000000439E000.00000004.00000800.00020000.00000000.sdmp | MEMORY
00000009.00000002.1772124355.0000000004564000.00000004.00000800.00020000.00000000.sdmp | MEMORY
Process Memory Space: IMG 003.exe PID: 6676 | MEMORYSTR
Process Memory Space: IMG 003.exe PID: 7252 | MEMORYSTR
Process Memory Space: aBYKwaZ.exe PID: 7456 | MEMORYSTR
Process Memory Space: aBYKwaZ.exe PID: 7680 | MEMORYSTR
MITRE ATT&CK Matrix

Listed per tactic, in the order the matrix shows them. Entries with a leading count are the techniques the report's signatures mapped to (the count is the matrix's signature badge); the remaining entries are the unmatched matrix template.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 121 Windows Management Instrumentation; 1 Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading; 1 Scheduled Task/Job; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 DLL Side-Loading; 111 Process Injection; 1 Scheduled Task/Job; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: 11 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 Timestomp; 1 DLL Side-Loading; 1 Masquerading; 141 Virtualization/Sandbox Evasion; 111 Process Injection
Credential Access: 2 OS Credential Dumping; 21 Input Capture; 1 Credentials in Registry; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 1 File and Directory Discovery; 24 System Information Discovery; 1 Query Registry; 211 Security Software Discovery; 1 Process Discovery; 141 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 11 Archive Collected Data; 2 Data from Local System; 1 Email Collection; 21 Input Capture; 1 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 1 Ingress Tool Transfer; 11 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 23 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph

Behavior Graph ID: 1467967
Sample: IMG 003.exe
Start date: 05/07/2024
Architecture: WINDOWS
Score: 100

Process tree recovered from the graph (node numbers are the graph's; "badges" are the graph's created-file/registry-value counters, shown as-is):

Start (node 2)
  DNS/IP: smtp.yandex.com; smtp.yandex.ru; api.ipify.org
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Sigma detected: Scheduled temp file as task from temp location; 13 other signatures
  |- IMG 003.exe (node 8, badges 7) started
  |    Dropped: C:\Users\user\AppData\Roaming\aBYKwaZ.exe (PE32); C:\Users\user\...\aBYKwaZ.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmpFDAB.tmp (XML); C:\Users\user\AppData\...\IMG 003.exe.log (ASCII)
  |    Signatures: Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
  |    |- IMG 003.exe (node 14, badges 15 2) started
  |    |    Network: smtp.yandex.ru 77.88.21.158, ports 49736, 49738, 49746, YANDEXRU, Russian Federation; api.ipify.org 172.67.74.152, ports 443, 49733, 49737, CLOUDFLARENETUS, United States
  |    |    Signatures: Installs a global keyboard hook
  |    |- powershell.exe (node 18, badges 23) started
  |    |    Signatures: Loading BitLocker PowerShell Module
  |    |    |- conhost.exe (node 28) started
  |    |    |- WmiPrvSE.exe (node 30) started
  |    |- powershell.exe (node 20, badges 23) started
  |    |    |- conhost.exe (node 32) started
  |    |- schtasks.exe (node 22, badges 1) started
  |         |- conhost.exe (node 34) started
  |- aBYKwaZ.exe (node 12, badges 5) started
       Signatures: Multi AV Scanner detection for dropped file; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Machine Learning detection for dropped file
       |- aBYKwaZ.exe (node 24) started
       |    Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
       |- schtasks.exe (node 26) started
            |- conhost.exe (node 36) started
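The network edges in the graph are the second detection surface: the injected IMG 003.exe child (node 14) first reaches api.ipify.org and then smtp.yandex.ru, which is the external-IP lookup followed by SMTP delivery that AgentTesla-style stealers use to mail their loot. Neither connection is suspicious alone (plenty of software asks ipify for its address; mail clients talk SMTP all day), so the useful rule is the pairing, per process, inside a short window, from something that is not a mail client. The following Python is an added example, not part of this report or of Joe Sandbox, that does that correlation over per-process flow records. The hostnames and IPs for PIDs 7252 and 7680 are those the report lists; the flow records themselves, the mail-client allow-list, the SMTP hostname pattern and the window are constructed assumptions. The report does not state the server-side SMTP port, so the example deliberately keys on the resolved hostname rather than a port.

```python
"""Correlate an external-IP lookup with a following SMTP connection, per process.

Added example, not part of the Joe Sandbox report. The hostnames and IPs are the
ones the report lists for the sample; the flow records, the mail-client
allow-list, the SMTP host pattern and the window are constructed assumptions.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Flow:
    ts: datetime
    pid: int
    image: str      # process image name that opened the connection
    dst_host: str   # resolved name (DNS answer or TLS SNI); "" if unknown
    dst_ip: str


IP_LOOKUP_HOSTS = {"api.ipify.org"}                  # from the report; extend as needed
SMTP_HOST_RE = re.compile(r"^(smtp|mail)\.", re.IGNORECASE)   # assumption: mail-submission hosts
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}    # assumed legitimate senders


def is_ip_lookup(flow: Flow) -> bool:
    return flow.dst_host.lower() in IP_LOOKUP_HOSTS


def is_smtp_host(flow: Flow) -> bool:
    return SMTP_HOST_RE.match(flow.dst_host) is not None


def find_smtp_exfil(flows, window: timedelta = timedelta(minutes=10)) -> list[dict]:
    """Return one finding per process that connects to an SMTP host within
    `window` after querying an external-IP lookup service."""
    by_proc: dict[tuple[int, str], list[Flow]] = defaultdict(list)
    for f in flows:
        by_proc[(f.pid, f.image)].append(f)

    findings = []
    for (pid, image), seq in sorted(by_proc.items(), key=lambda kv: kv[0]):
        if image.lower() in MAIL_CLIENTS:
            continue
        seq.sort(key=lambda f: f.ts)
        lookups = [f for f in seq if is_ip_lookup(f)]
        for smtp in (f for f in seq if is_smtp_host(f)):
            # the lookup must precede the SMTP connection, and not by more than `window`
            prior = [lk for lk in lookups if timedelta(0) <= smtp.ts - lk.ts <= window]
            if prior:
                findings.append({"pid": pid, "image": image,
                                 "lookup": prior[-1].dst_host,
                                 "smtp_host": smtp.dst_host, "smtp_ip": smtp.dst_ip})
                break
    return findings


_T0 = datetime(2024, 7, 5, 7, 21, 0)


def _at(seconds: int) -> datetime:
    return _T0 + timedelta(seconds=seconds)


SAMPLE_FLOWS = [  # constructed; hosts/IPs for PIDs 7252 and 7680 are the report's
    Flow(_at(0), 7252, "IMG 003.exe", "api.ipify.org", "172.67.74.152"),
    Flow(_at(3), 7252, "IMG 003.exe", "smtp.yandex.ru", "77.88.21.158"),
    Flow(_at(60), 7680, "aBYKwaZ.exe", "api.ipify.org", "172.67.74.152"),
    Flow(_at(63), 7680, "aBYKwaZ.exe", "smtp.yandex.ru", "77.88.21.158"),
    # benign: a mail client, a browser that only looked up its IP, a sender with no lookup
    Flow(_at(5), 3100, "outlook.exe", "smtp.example.net", "203.0.113.10"),
    Flow(_at(7), 4242, "chrome.exe", "api.ipify.org", "172.67.74.152"),
    Flow(_at(9), 5000, "updater.exe", "smtp.example.net", "203.0.113.10"),
]

if __name__ == "__main__":
    for hit in find_smtp_exfil(SAMPLE_FLOWS):
        print(f"{hit['image']} (PID {hit['pid']}): {hit['lookup']} then SMTP to "
              f"{hit['smtp_host']} ({hit['smtp_ip']})")
```

On the constructed flows the two sample processes are reported and the three benign ones are not. Because the report's process tree shows the lookup and the SMTP traffic coming from an injected copy of the parent (node 14 is a second IMG 003.exe), the per-process key should be the actual PID that owns the socket, not the parent's, which is what EDR network telemetry gives you and what a proxy or firewall log alone does not.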

Antivirus, Machine Learning and Genetic Malware Detection

Initial sample:
Source | Detection | Scanner | Label
IMG 003.exe | 32% | ReversingLabs |
IMG 003.exe | 41% | Virustotal |
IMG 003.exe | 100% | Joe Sandbox ML |

Dropped files:
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\aBYKwaZ.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\aBYKwaZ.exe | 47% | ReversingLabs | ByteCode-MSIL.Trojan.GenSteal
C:\Users\user\AppData\Roaming\aBYKwaZ.exe | 41% | Virustotal |

Unpacked PE files: No Antivirus matches

Domains:
Source | Detection | Scanner
smtp.yandex.ru | 0% | Virustotal
api.ipify.org | 0% | Virustotal
smtp.yandex.com | 0% | Virustotal

URLs:
Source | Detection | Scanner | Label
https://api.ipify.org/ | 0% | URL Reputation | safe
http://www.apache.org/licenses/LICENSE-2.0 | 0% | URL Reputation | safe
http://www.fontbureau.com | 0% | URL Reputation | safe
http://www.fontbureau.com/designersG | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/? | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
https://account.dyn.com/ | 0% | URL Reputation | safe
http://www.fontbureau.com/designers? | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.fontbureau.com/designers | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
https://api.ipify.org/t | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/cabarga.htmlN | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
https://api.ipify.org | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/frere-user.html | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.fontbureau.com/designers8 | 0% | URL Reputation | safe
http://www.fonts.com | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://tempuri.org/DataSet1.xsd | 0% | Avira URL Cloud | safe
http://smtp.yandex.com | 0% | Avira URL Cloud | safe
http://crl.gl | 0% | Avira URL Cloud | safe
http://smtp.yandex.com | 0% | Virustotal |
http://tempuri.org/DataSet1.xsd | 0% | Virustotal |
http://crl.gl | 0% | Virustotal |
Domains:
Name | IP | Active | Malicious | Antivirus Detection | Reputation
smtp.yandex.ru | 77.88.21.158 | true | false | | unknown
api.ipify.org | 172.67.74.152 | true | false | | unknown
smtp.yandex.com | unknown | unknown | true | | unknown

Contacted URLs:
Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | URL Reputation: safe | unknown
URLs from memory and binaries (Malicious is "false" and Reputation is "unknown" for every entry):
Name | Source | Antivirus Detection
http://www.apache.org/licenses/LICENSE-2.0 | IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmp | URL Reputation: safe
http://www.fontbureau.com | IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmp | URL Reputation: safe
http://www.fontbureau.com/designersG | IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmp | URL Reputation: safe
http://www.fontbureau.com/designers/? | IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmp | URL Reputation: safe
http://www.founder.com.cn/cn/bThe | IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmp | URL Reputation: safe
https://account.dyn.com/ | IMG 003.exe, 00000000.00000002.1709332299.000000000439E000.00000004.00000800.00020000.00000000.sdmp; IMG 003.exe, 00000008.00000002.2914141071.0000000000435000.00000040.00000400.00020000.00000000.sdmp; aBYKwaZ.exe, 00000009.00000002.1772124355.0000000004564000.00000004.00000800.00020000.00000000.sdmp | URL Reputation: safe
http://www.fontbureau.com/designers? | IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmp | URL Reputation: safe
http://tempuri.org/DataSet1.xsd | IMG 003.exe, aBYKwaZ.exe.0.dr | 0%, Virustotal; Avira URL Cloud: safe
http://www.tiro.com | IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmp | URL Reputation: safe
http://www.fontbureau.com/designers | IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmp | URL Reputation: safe
http://www.goodfont.co.kr | IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmp | URL Reputation: safe
https://api.ipify.org/t | IMG 003.exe, 00000008.00000002.2918405791.0000000003001000.00000004.00000800.00020000.00000000.sdmp; aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002A71000.00000004.00000800.00020000.00000000.sdmp | URL Reputation: safe
http://smtp.yandex.com | IMG 003.exe, 00000008.00000002.2918405791.00000000030A0000.00000004.00000800.00020000.00000000.sdmp; IMG 003.exe, 00000008.00000002.2918405791.00000000031E6000.00000004.00000800.00020000.00000000.sdmp; IMG 003.exe, 00000008.00000002.2918405791.000000000307B000.00000004.00000800.00020000.00000000.sdmp; IMG 003.exe, 00000008.00000002.2918405791.00000000030EE000.00000004.00000800.00020000.00000000.sdmp; aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002B10000.00000004.00000800.00020000.00000000.sdmp; aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002AEB000.00000004.00000800.00020000.00000000.sdmp; aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp; aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002D53000.00000004.00000800.00020000.00000000.sdmp; aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002CAA000.00000004.00000800.00020000.00000000.sdmp; aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002BB7000.00000004.00000800.00020000.00000000.sdmp; aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002D98000.00000004.00000800.00020000.00000000.sdmp | 0%, Virustotal; Avira URL Cloud: safe
http://www.carterandcone.coml | IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmp | URL Reputation: safe
http://www.sajatypeworks.com | IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmp | URL Reputation: safe
http://www.typography.netD | IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmp | URL Reputation: safe
http://www.fontbureau.com/designers/cabarga.htmlN | IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmp | URL Reputation: safe
http://www.founder.com.cn/cn/cThe | IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmp | URL Reputation: safe
http://www.galapagosdesign.com/staff/dennis.htm | IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmp | URL Reputation: safe
https://api.ipify.org | IMG 003.exe, 00000000.00000002.1709332299.000000000439E000.00000004.00000800.00020000.00000000.sdmp; IMG 003.exe, 00000008.00000002.2918405791.0000000003001000.00000004.00000800.00020000.00000000.sdmp; aBYKwaZ.exe, 00000009.00000002.1772124355.0000000004564000.00000004.00000800.00020000.00000000.sdmp; aBYKwaZ.exe, 0000000D.00000002.2914163281.0000000000431000.00000040.00000400.00020000.00000000.sdmp; aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002A71000.00000004.00000800.00020000.00000000.sdmp | URL Reputation: safe
http://www.founder.com.cn/cn | IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmp | URL Reputation: safe
http://www.fontbureau.com/designers/frere-user.html | IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmp | URL Reputation: safe
http://crl.gl | aBYKwaZ.exe, 0000000D.00000002.2915855945.0000000000DA9000.00000004.00000020.00020000.00000000.sdmp | 0%, Virustotal; Avira URL Cloud: safe
http://www.jiyu-kobo.co.jp/ | IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmp | URL Reputation: safe
http://www.galapagosdesign.com/DPlease | IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmp | URL Reputation: safe
http://www.fontbureau.com/designers8 | IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmp | URL Reputation: safe
http://www.fonts.com | IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmp | URL Reputation: safe
http://www.sandoll.co.kr | IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmp | URL Reputation: safe
http://www.urwpp.deDPlease | IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmp | URL Reputation: safe
http://www.zhongyicts.com.cn | IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmp | URL Reputation: safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | IMG 003.exe, 00000000.00000002.1706447663.00000000032B1000.00000004.00000800.00020000.00000000.sdmp; IMG 003.exe, 00000008.00000002.2918405791.0000000003001000.00000004.00000800.00020000.00000000.sdmp; aBYKwaZ.exe, 00000009.00000002.1769731116.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp; aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002A71000.00000004.00000800.00020000.00000000.sdmp | URL Reputation: safe
http://www.sakkal.com | IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmp | URL Reputation: safe
IP: 77.88.21.158
Domain: smtp.yandex.ru
Country: Russian Federation
ASN: 13238
ASN Name: YANDEXRU
Malicious: false

IP: 172.67.74.152
Domain: api.ipify.org
Country: United States
ASN: 13335
ASN Name: CLOUDFLARENETUS
Malicious: false
                  Joe Sandbox version:40.0.0 Tourmaline
                  Analysis ID:1467967
                  Start date and time:2024-07-05 07:15:12 +02:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 8m 0s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:18
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:IMG 003.exe
                  Detection:MAL
                  Classification:mal100.troj.spyw.evad.winEXE@19/15@2/2
                  EGA Information:
                  • Successful, ratio: 100%
                  HCA Information:
                  • Successful, ratio: 98%
                  • Number of executed functions: 183
                  • Number of non-executed functions: 20
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                  • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                  • Report size exceeded maximum capacity and may have missing behavior information.
                  • Report size getting too big, too many NtCreateKey calls found.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • Report size getting too big, too many NtReadVirtualMemory calls found.
Time: 01:16:02, Type: API Interceptor, Description: 1736487x Sleep call for process: IMG 003.exe modified
Time: 01:16:05, Type: API Interceptor, Description: 46x Sleep call for process: powershell.exe modified
Time: 01:16:09, Type: API Interceptor, Description: 941290x Sleep call for process: aBYKwaZ.exe modified
Time: 06:16:08, Type: Task Scheduler, Description: Run new task: aBYKwaZ path: C:\Users\user\AppData\Roaming\aBYKwaZ.exe
Match: 77.88.21.158 (associated sample names / URLs, with detection, threat name and context)
• 2024.scr.exe; Detection: malicious; Threat Name: AgentTesla
• tWitaq427K.exe; Detection: malicious; Threat Name: Remcos, AgentTesla
• gB49zgUhr8.exe; Detection: malicious; Threat Name: AgentTesla
• RFQ Enqiury Requirement.pif.exe; Detection: malicious; Threat Name: AgentTesla
• VfeC87R1r6.exe; Detection: malicious; Threat Name: AgentTesla
• SecuriteInfo.com.Win32.PWSX-gen.21357.32352.exe; Detection: malicious; Threat Name: AgentTesla
• SIEMENS #2427021-S06564.exe; Detection: malicious; Threat Name: AgentTesla
• DHL Delivery Invoice.exe; Detection: malicious; Threat Name: AgentTesla
• DHL Delivery Invoice AWB#7490327845.exe; Detection: malicious; Threat Name: AgentTesla
• DHL Delivery Invoice AWB#7490327845.exe; Detection: malicious; Threat Name: AgentTesla

Match: 172.67.74.152 (associated sample names / URLs, with detection, threat name and context)
• 242764.exe; Detection: malicious; Threat Name: Ficker Stealer, Rusty Stealer; Context: api.ipify.org/?format=wef
• K8mzlntJVN.msi; Detection: malicious; Threat Name: Unknown; Context: api.ipify.org/
• stub.exe; Detection: malicious; Threat Name: Unknown; Context: api.ipify.org/
• stub.exe; Detection: malicious; Threat Name: Unknown; Context: api.ipify.org/
• Sonic-Glyder.exe; Detection: malicious; Threat Name: Stealit; Context: api.ipify.org/?format=json
• Sky-Beta.exe; Detection: malicious; Threat Name: Unknown; Context: api.ipify.org/?format=json
• Sky-Beta.exe; Detection: malicious; Threat Name: Unknown; Context: api.ipify.org/?format=json
• Sky-Beta-Setup.exe; Detection: malicious; Threat Name: Stealit; Context: api.ipify.org/?format=json
• Sky-Beta.exe; Detection: malicious; Threat Name: Stealit; Context: api.ipify.org/?format=json
• SongOfVikings.exe; Detection: malicious; Threat Name: Unknown; Context: api.ipify.org/?format=json
Match: smtp.yandex.ru (associated sample names / URLs, with detection, threat name and context)
• 2024.scr.exe; Detection: malicious; Threat Name: AgentTesla; Context: 77.88.21.158
• tWitaq427K.exe; Detection: malicious; Threat Name: Remcos, AgentTesla; Context: 77.88.21.158
• gB49zgUhr8.exe; Detection: malicious; Threat Name: AgentTesla; Context: 77.88.21.158
• RFQ Enqiury Requirement.pif.exe; Detection: malicious; Threat Name: AgentTesla; Context: 77.88.21.158
• VfeC87R1r6.exe; Detection: malicious; Threat Name: AgentTesla; Context: 77.88.21.158
• SecuriteInfo.com.Win32.PWSX-gen.21357.32352.exe; Detection: malicious; Threat Name: AgentTesla; Context: 77.88.21.158
• SIEMENS #2427021-S06564.exe; Detection: malicious; Threat Name: AgentTesla; Context: 77.88.21.158
• DHL Delivery Invoice.exe; Detection: malicious; Threat Name: AgentTesla; Context: 77.88.21.158
• DHL Delivery Invoice AWB#7490327845.exe; Detection: malicious; Threat Name: AgentTesla; Context: 77.88.21.158
• DHL Delivery Invoice AWB#7490327845.exe; Detection: malicious; Threat Name: AgentTesla; Context: 77.88.21.158

Match: api.ipify.org (associated sample names / URLs, with detection, threat name and context)
• msupdate.exe; Detection: malicious; Threat Name: Unknown; Context: 104.26.13.205
• msupdate.exe; Detection: malicious; Threat Name: Unknown; Context: 172.67.74.152
• c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe; Detection: malicious; Threat Name: AgentTesla, PureLog Stealer; Context: 104.26.12.205
• XX(1).exe; Detection: malicious; Threat Name: AgentTesla, PureLog Stealer; Context: 172.67.74.152
• Ship Docs_CI PL HBL COO_.exe; Detection: malicious; Threat Name: AgentTesla; Context: 104.26.12.205
• M.V TBN - VESSEL'S DETAILS.docx.scr.exe; Detection: malicious; Threat Name: AgentTesla; Context: 104.26.13.205
• 0001.exe; Detection: malicious; Threat Name: AgentTesla, PureLog Stealer; Context: 172.67.74.152
• Zz3h8cOX1E.exe; Detection: malicious; Threat Name: Quasar; Context: 104.26.13.205
• Luciana Alvarez CV.exe; Detection: malicious; Threat Name: AgentTesla; Context: 104.26.13.205
• Acal BFi UK - Products List 020240704.exe; Detection: malicious; Threat Name: AgentTesla, RedLine, StormKitty, XWorm; Context: 172.67.74.152
Match: YANDEXRU (associated sample names / URLs, with detection, threat name and context)
• https://nmg.evlink21.net/; Detection: malicious; Threat Name: Unknown; Context: 213.180.193.90
• http://adobefallshomes.com; Detection: malicious; Threat Name: Unknown; Context: 77.88.21.119
• 2024.scr.exe; Detection: malicious; Threat Name: AgentTesla; Context: 77.88.21.158
• https://scanner.topsec.com/?d=3744&r=auto&u=https%3A%2F%2Fmaknastudio.com%2Fpkyos&t=a4fe2e96fe6815a71cc8a7f1ae1196e6fbcf1f08; Detection: malicious; Threat Name: HTMLPhisher; Context: 213.180.204.90
• tWitaq427K.exe; Detection: malicious; Threat Name: Remcos, AgentTesla; Context: 77.88.21.158
• gB49zgUhr8.exe; Detection: malicious; Threat Name: AgentTesla; Context: 77.88.21.158
• Ref-#47882327.docx; Detection: malicious; Threat Name: HTMLPhisher; Context: 77.88.21.90
• https://9vn.lagerpec.com/N3pd9/; Detection: malicious; Threat Name: HTMLPhisher; Context: 77.88.44.55
• http://pelicanbcnsolutions.com; Detection: malicious; Threat Name: Unknown; Context: 87.250.251.119
• Complete with Docusign chelsea.pdf; Detection: malicious; Threat Name: Unknown; Context: 77.88.55.88

Match: CLOUDFLARENETUS (associated sample names / URLs, with detection, threat name and context)
• msupdate.exe; Detection: malicious; Threat Name: Unknown; Context: 104.26.13.205
• msupdate.exe; Detection: malicious; Threat Name: Unknown; Context: 172.67.74.152
• pirates.bat; Detection: malicious; Threat Name: Kematian Stealer; Context: 104.16.124.96
• pirates.bat; Detection: malicious; Threat Name: Kematian Stealer; Context: 104.16.123.96
• c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe; Detection: malicious; Threat Name: AgentTesla, PureLog Stealer; Context: 104.26.12.205
• 6xmBUtHylU.exe; Detection: malicious; Threat Name: LummaC; Context: 188.114.96.3
• XX(1).exe; Detection: malicious; Threat Name: AgentTesla, PureLog Stealer; Context: 172.67.74.152
• OVER DUE INVOICE PAYMENT.docx; Detection: malicious; Threat Name: Snake Keylogger; Context: 188.114.96.3
• https://m.exactag.com/ai.aspx?tc=d9912543bc40b07205bbd26a23a8d2e6b6b4f9&url=http%253AW0S.sdscondo.com/index.xml%23?email=cGV0ZXIuYnJvd24yM0Bxci5jb20uYXU=; Detection: malicious; Threat Name: HTMLPhisher; Context: 104.17.2.184
• Ship Docs_CI PL HBL COO_.exe; Detection: malicious; Threat Name: AgentTesla; Context: 104.26.12.205
Match: 3b5074b1b5d032e5620f69f9f700ff0e (associated sample names / URLs, with detection, threat name and context)
• pirates.bat; Detection: malicious; Threat Name: Kematian Stealer; Context: 172.67.74.152
• pirates.bat; Detection: malicious; Threat Name: Kematian Stealer; Context: 172.67.74.152
• c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe; Detection: malicious; Threat Name: AgentTesla, PureLog Stealer; Context: 172.67.74.152
• XX(1).exe; Detection: malicious; Threat Name: AgentTesla, PureLog Stealer; Context: 172.67.74.152
• Ship Docs_CI PL HBL COO_.exe; Detection: malicious; Threat Name: AgentTesla; Context: 172.67.74.152
• https://singingfiles.com/show.php?l=0&u=2156442&id=64574; Detection: malicious; Threat Name: Unknown; Context: 172.67.74.152
• https://sula.starladeroff.com/; Detection: malicious; Threat Name: Unknown; Context: 172.67.74.152
• http://business.ifbsmetaiidentiityconfirms.com/meta-community-standard100068928266341/; Detection: malicious; Threat Name: HTMLPhisher; Context: 172.67.74.152
• http://helpdesk-advertising-review-id-9865133.d3m7n55z273utf.amplifyapp.com/index.html; Detection: malicious; Threat Name: Unknown; Context: 172.67.74.152
• https://pub-9445ce0d74714d1c934c51ffcf83c3f2.r2.dev/slnt.html?nycsbs; Detection: malicious; Threat Name: HTMLPhisher; Context: 172.67.74.152
                                      No context
                                      Process:C:\Users\user\Desktop\IMG 003.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1216
                                      Entropy (8bit):5.34331486778365
                                      Encrypted:false
                                      SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                      MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                      SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                      SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                      SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                      Malicious:true
                                      Reputation:high, very likely benign file
                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                      Process:C:\Users\user\AppData\Roaming\aBYKwaZ.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:modified
                                      Size (bytes):1216
                                      Entropy (8bit):5.34331486778365
                                      Encrypted:false
                                      SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                      MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                      SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                      SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                      SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                      Malicious:false
                                      Reputation:high, very likely benign file
                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:data
                                      Category:modified
                                      Size (bytes):2232
                                      Entropy (8bit):5.3810236212315665
                                      Encrypted:false
                                      SSDEEP:48:lylWSU4xympgv4RIoUP7gZ9tK8NPZHUx7u1iMuge//ZmUyus:lGLHxv2IfLZ2KRH6Ouggs
                                      MD5:26F6E40F3C8972F2060C0201AD73BE4F
                                      SHA1:5F5B7154A29951D2BB6DD8E3E8C242A0EE7972BB
                                      SHA-256:82FFFB95FE80EDC9333F96C2051E2CA1C7A40DFA387059211394CB43E2CA5CEA
                                      SHA-512:F10D637941C0E617F9C46CA4AE5369B438F7BACFD7B8FC5C145F63F6ED6AD431E72BE4DE3E86EBA2FA0FFAEC2D1972C0EF35E862F2C2805B2EF703B0BCB349F9
                                      Malicious:false
                                      Preview:@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Users\user\AppData\Roaming\aBYKwaZ.exe
                                      File Type:XML 1.0 document, ASCII text
                                      Category:dropped
                                      Size (bytes):1573
                                      Entropy (8bit):5.115336295380733
                                      Encrypted:false
                                      SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNta3oxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTAIv
                                      MD5:D370BCD66336471A66D4495E3A48EFDB
                                      SHA1:AE54559396666D0ACF00D409777857E6948587B2
                                      SHA-256:720A248671D234CCB433EC06CC3D455389AC2BD23A69FADFE369D4D1F75BFCD2
                                      SHA-512:F2EB0C893CC4F466D407D73E79B1587442E1010FFEBCABA914298297BD61359980BBF46E8F470A348A4892525054BF1214026A5AEF43427AFB2FADD77531CB5F
                                      Malicious:false
                                      Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                      Process:C:\Users\user\Desktop\IMG 003.exe
                                      File Type:XML 1.0 document, ASCII text
                                      Category:dropped
                                      Size (bytes):1573
                                      Entropy (8bit):5.115336295380733
                                      Encrypted:false
                                      SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNta3oxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTAIv
                                      MD5:D370BCD66336471A66D4495E3A48EFDB
                                      SHA1:AE54559396666D0ACF00D409777857E6948587B2
                                      SHA-256:720A248671D234CCB433EC06CC3D455389AC2BD23A69FADFE369D4D1F75BFCD2
                                      SHA-512:F2EB0C893CC4F466D407D73E79B1587442E1010FFEBCABA914298297BD61359980BBF46E8F470A348A4892525054BF1214026A5AEF43427AFB2FADD77531CB5F
                                      Malicious:true
                                      Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                      Process:C:\Users\user\Desktop\IMG 003.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):816640
                                      Entropy (8bit):7.536750353028743
                                      Encrypted:false
                                      SSDEEP:12288:CIjofC1PERMhIdJJenzgfQCjU2E1JNcfWqnV66J3G3eVBT5NQ:z1FhwOzgfQgE1IuqV66JO0N
                                      MD5:605E5A50EBDEC57B636CFF6353684913
                                      SHA1:891D2BEEA2EDAA689CD3CFEDC1E30F4EC5DDE82E
                                      SHA-256:30225014A390133CD81A5896E070C88313E33C21C6CB40D9FEC1600BF9F70F4F
                                      SHA-512:617CB5975BAD1BD005770CB7FC5DF4FA39091367B73294043740450A031D1A55DB9C699FB2975EE1BC83F6648868FD5EF71B54608DE0A39E32115D0CA8DE5EE2
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 47%
• Antivirus: Virustotal, Detection: 41%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..l.............. ........@.. ....................................@.....................................O...................................Xa..p............................................ ............... ..H............text....k... ...l.................. ..`.rsrc................n..............@..@.reloc...............t..............@..B.......................H.......h....s......T.......@^..........................................^..}.....(.......(.....*z..}.....(.......(.......}....*&..(.....*....0...............&....*..................0..+.........,..{.......+....,...{....o........(.....*..0..y........."...@"..PAs....( ......(!..... .... ....s"...(#.....r...p($......(%......(&.....r...po'............s(...()......(*....*^..}.....(.......(.....*....0............(....o+....8......(,......r!..p(-.......,..8.......p...%../.o......{..
                                      Process:C:\Users\user\Desktop\IMG 003.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):26
                                      Entropy (8bit):3.95006375643621
                                      Encrypted:false
                                      SSDEEP:3:ggPYV:rPYV
                                      MD5:187F488E27DB4AF347237FE461A079AD
                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                      Malicious:true
                                      Preview:[ZoneTransfer]....ZoneId=0
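The two task XML files above are the persistence artefact: an enabled LogonTrigger run as the interactive user at LeastPrivilege, registered by both the original sample and its copy under AppData\Roaming. The following checker is an added example and not part of the Joe Sandbox report. Its sample task is constructed from the fields visible in the preview; because the preview is cut off before the Actions element, the Exec command (the dropped copy C:\Users\user\AppData\Roaming\aBYKwaZ.exe, listed as a process above) and the benign comparison path are assumptions.

```python
"""Flag Scheduled Task definitions whose logon trigger runs a binary from a user-writable path.

Added example, not Joe Sandbox output. SAMPLE_TASK mirrors the dropped task XML
shown above; its <Actions> element is an assumption (the preview is truncated
before it), as is the benign comparison path used for BENIGN_TASK.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample: trigger, principal and settings copied from the preview, action assumed.
SAMPLE_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>user-PC\\user</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>user-PC\\user</UserId>
    </LogonTrigger>
    <RegistrationTrigger>
      <Enabled>false</Enabled>
    </RegistrationTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>user-PC\\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\user\\AppData\\Roaming\\aBYKwaZ.exe</Command>
    </Exec>
  </Actions>
</Task>
"""

# Same task pointing at an (assumed) vendor install path, for comparison.
BENIGN_TASK = SAMPLE_TASK.replace(
    "C:\\Users\\user\\AppData\\Roaming\\aBYKwaZ.exe", "C:\\Program Files\\Vendor\\updater.exe"
)

# Locations a packaged installer would not normally schedule a logon task from.
USER_WRITABLE_MARKERS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\temp\\", "\\users\\public\\")


@dataclass
class TaskFindings:
    logon_trigger: bool = False
    commands: list = field(default_factory=list)
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def analyse_task_xml(xml_text: str) -> TaskFindings:
    """Parse a Task Scheduler XML document and return what makes it look dropper-made."""
    root = ET.fromstring(xml_text)
    f = TaskFindings()

    # An enabled LogonTrigger re-launches the action at every interactive logon.
    for trig in root.findall("t:Triggers/t:LogonTrigger", NS):
        enabled = trig.findtext("t:Enabled", default="true", namespaces=NS)
        if enabled.strip().lower() == "true":
            f.logon_trigger = True

    for cmd in root.findall("t:Actions/t:Exec/t:Command", NS):
        path = (cmd.text or "").strip().strip('"')
        f.commands.append(path)
        if f.logon_trigger and any(m in path.lower() for m in USER_WRITABLE_MARKERS):
            f.reasons.append(f"logon trigger runs binary from user-writable path: {path}")

    # AllowHardTerminate=false is harmless on its own; it only adds weight once the
    # action already points into the user profile.
    settings = root.find("t:Settings", NS)
    if settings is not None and f.reasons:
        hard_term = settings.findtext("t:AllowHardTerminate", default="true", namespaces=NS)
        if hard_term.strip().lower() == "false":
            f.reasons.append("task refuses hard termination (AllowHardTerminate=false)")
    return f


if __name__ == "__main__":
    for label, xml_text in (("dropped task", SAMPLE_TASK), ("benign task", BENIGN_TASK)):
        r = analyse_task_xml(xml_text)
        print(label, "suspicious" if r.suspicious else "ok", r.reasons)
```

Run against exported tasks (schtasks /Query /XML, or the files under C:\Windows\System32\Tasks) the same function works unchanged; the path markers are the part to tune for an environment.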
                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Entropy (8bit):7.536750353028743
                                      TrID:
                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                      • DOS Executable Generic (2002/1) 0.01%
                                      File name:IMG 003.exe
                                      File size:816'640 bytes
                                      MD5:605e5a50ebdec57b636cff6353684913
                                      SHA1:891d2beea2edaa689cd3cfedc1e30f4ec5dde82e
                                      SHA256:30225014a390133cd81a5896e070c88313e33c21c6cb40d9fec1600bf9f70f4f
                                      SHA512:617cb5975bad1bd005770cb7fc5df4fa39091367b73294043740450a031d1a55db9c699fb2975ee1bc83f6648868fd5ef71b54608de0a39e32115d0ca8de5ee2
                                      SSDEEP:12288:CIjofC1PERMhIdJJenzgfQCjU2E1JNcfWqnV66J3G3eVBT5NQ:z1FhwOzgfQgE1IuqV66JO0N
                                      TLSH:8605F04532A49BE1FD6A57F9E460C6F003716D0AA855C33B2EC2FECB3972B11867452B
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..l............... ........@.. ....................................@................................
                                      Icon Hash:90cececece8e8eb0
                                      Entrypoint:0x4c8be2
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                      Time Stamp:0xE8A28A03 [Sat Sep 5 05:17:55 2093 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
(the bytes that follow the 6-byte entry stub disassemble as repeated "add byte ptr [eax], al", i.e. 00 00 zero padding)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8b8f | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xca000 | 0x5bc | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xcc000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xc6158 | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xc6be8 | 0xc6c00 | e29f7d3e92234e1f03ae90980719fd1c | False | 0.8504716981132076 | data | 7.544396745144058 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xca000 | 0x5bc | 0x600 | c98985921330f1f9a8f22aded582c13c | False | 0.4225260416666667 | data | 4.104300294353814 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xcc000 | 0xc | 0x200 | 9b08ef98ec99a84e5ccf6501271f9baf | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
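The static fields above can be cross-checked against each other: the entry point at 0x4c8be2 is the last six bytes of .text, its jmp goes through the IAT slot at RVA 0x2000 that holds _CorExeMain, the CLR header sits directly behind that slot, the raw section sizes account for the whole 816'640-byte file (no overlay), and the link time decodes to 2093, after the analysis date. The script below is an added example and not Joe Sandbox code; every constant is copied from this report, and the two assumptions are that the directory "Virtual Address" values are RVAs and that the headers occupy 0x200 bytes on disk (inferred from file size minus the three raw section sizes, since raw offsets are not listed).

```python
"""Consistency checks over the PE header fields listed in the static section.

Added example, not Joe Sandbox code. Constants are copied from the report;
HEADERS_RAW_SIZE is inferred (file size minus raw section sizes) and directory
addresses are assumed to be RVAs.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Section:
    name: str
    rva: int
    vsize: int
    raw_size: int


IMAGE_BASE = 0x400000
ENTRYPOINT_VA = 0x4C8BE2
TIMESTAMP = 0xE8A28A03
FILE_SIZE = 816_640
SECTIONS = [
    Section(".text", 0x2000, 0xC6BE8, 0xC6C00),
    Section(".rsrc", 0xCA000, 0x5BC, 0x600),
    Section(".reloc", 0xCC000, 0xC, 0x200),
]
IAT_RVA, IAT_SIZE = 0x2000, 0x8
COM_DESCRIPTOR_RVA = 0x2008          # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, the CLR header
JMP_TARGET_VA = 0x402000             # operand of "jmp dword ptr [00402000h]" at the entry point
HEADERS_RAW_SIZE = 0x200             # inferred, see module docstring
ANALYSIS_DATE = datetime(2024, 7, 5, tzinfo=timezone.utc)   # date of the packet capture in this report


def timestamp_to_datetime(ts: int) -> datetime:
    """IMAGE_FILE_HEADER.TimeDateStamp is seconds since 1970-01-01 UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def timestamp_is_plausible(ts: int, analysed_at: datetime = ANALYSIS_DATE) -> bool:
    """A link time later than the analysis cannot be genuine. Caveat: deterministic
    .NET builds store a content hash in this field, which also decodes to an
    arbitrary date, so this is a signal to correlate, not proof of tampering."""
    return datetime(1995, 1, 1, tzinfo=timezone.utc) <= timestamp_to_datetime(ts) <= analysed_at


def section_containing(rva: int):
    """Return the section whose in-memory extent covers rva, or None (e.g. for the headers)."""
    for s in SECTIONS:
        if s.rva <= rva < s.rva + max(s.vsize, s.raw_size):
            return s
    return None


def entrypoint_checks() -> dict:
    """Is the native entry point the standard managed-entry stub (FF 25 <IAT VA>, 6 bytes)?"""
    ep_rva = ENTRYPOINT_VA - IMAGE_BASE
    sec = section_containing(ep_rva)
    return {
        "ep_rva": ep_rva,
        "ep_section": sec.name if sec else None,
        # compilers place the 6-byte stub at the very end of .text
        "ep_is_text_tail_stub": sec is not None and sec.name == ".text" and ep_rva + 6 == sec.rva + sec.vsize,
        # the stub must jump through the IAT slot that holds mscoree!_CorExeMain
        "jmp_targets_iat": JMP_TARGET_VA - IMAGE_BASE == IAT_RVA,
        "clr_header_follows_iat": COM_DESCRIPTOR_RVA == IAT_RVA + IAT_SIZE,
    }


def raw_layout_matches_file_size() -> bool:
    """No overlay: headers plus raw section bytes should account for every byte on disk."""
    return HEADERS_RAW_SIZE + sum(s.raw_size for s in SECTIONS) == FILE_SIZE


def report() -> dict:
    r = dict(entrypoint_checks())
    r["link_time"] = timestamp_to_datetime(TIMESTAMP).strftime("%Y-%m-%d %H:%M:%S UTC")
    r["link_time_plausible"] = timestamp_is_plausible(TIMESTAMP)
    r["no_overlay"] = raw_layout_matches_file_size()
    return r


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key:24} {value}")
```

The entry-stub checks pass for this sample, which is what a plain .NET assembly looks like; a native entry point anywhere else in a file that imports only mscoree!_CorExeMain would mean the managed stub has been patched.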
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xca090 | 0x32c | data | | | 0.4248768472906404
RT_MANIFEST | 0xca3cc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
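The TCP packet listing that follows is easier to read as flows than as packets: two TLS sessions to 172.67.74.152:443 and three sessions to 77.88.21.158:587 (SMTP submission), the latter being the connections to pull from the capture when looking for mailed-out credentials. The summariser below is an added example, not Joe Sandbox output; its PACKETS list is a constructed subset of the rows in the table, the analysis host 192.168.2.4 is taken from the report, the service names are the IANA assignments for those ports, and the sandbox's CEST stamps are treated as a fixed UTC+2 offset.

```python
"""Collapse a Joe Sandbox TCP packet listing into per-connection flows.

Added example, not Joe Sandbox code. PACKETS is a constructed subset of the
packet table (timestamp, source port, dest port, source IP, dest IP); the
local host address and the CEST offset are assumptions taken from the report.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

LOCAL_HOST = "192.168.2.4"                 # analysis machine in this report
CEST = timezone(timedelta(hours=2))        # the report's timestamps are CEST
SERVICE_BY_PORT = {443: "https", 587: "submission (SMTP)", 25: "smtp", 80: "http", 53: "dns"}

# Constructed subset of the packet table below.
PACKETS = [
    ("Jul 5, 2024 07:16:06.645823002 CEST", 49733, 443, "192.168.2.4", "172.67.74.152"),
    ("Jul 5, 2024 07:16:06.645862103 CEST", 443, 49733, "172.67.74.152", "192.168.2.4"),
    ("Jul 5, 2024 07:16:07.374139071 CEST", 49733, 443, "192.168.2.4", "172.67.74.152"),
    ("Jul 5, 2024 07:16:09.459686041 CEST", 49736, 587, "192.168.2.4", "77.88.21.158"),
    ("Jul 5, 2024 07:16:09.464596033 CEST", 587, 49736, "77.88.21.158", "192.168.2.4"),
    ("Jul 5, 2024 07:16:14.019639015 CEST", 49736, 587, "192.168.2.4", "77.88.21.158"),
    ("Jul 5, 2024 07:16:15.674561024 CEST", 49738, 587, "192.168.2.4", "77.88.21.158"),
    ("Jul 5, 2024 07:16:20.175946951 CEST", 49738, 587, "192.168.2.4", "77.88.21.158"),
    ("Jul 5, 2024 07:17:29.545571089 CEST", 49746, 587, "192.168.2.4", "77.88.21.158"),
    ("Jul 5, 2024 07:17:31.422157049 CEST", 587, 49746, "77.88.21.158", "192.168.2.4"),
]


def parse_ts(text: str) -> datetime:
    """'Jul 5, 2024 07:16:06.645823002 CEST' -> aware datetime.

    The listing carries nanoseconds; strptime's %f takes at most six digits,
    so the fraction is truncated to microseconds."""
    body, tz = text.rsplit(" ", 1)
    if tz != "CEST":
        raise ValueError(f"unexpected timezone {tz!r}")
    head, frac = body.rsplit(".", 1)
    dt = datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")
    return dt.replace(tzinfo=CEST)


@dataclass
class Flow:
    remote_ip: str
    remote_port: int
    local_port: int
    first: datetime
    last: datetime
    out_packets: int = 0
    in_packets: int = 0

    @property
    def service(self) -> str:
        return SERVICE_BY_PORT.get(self.remote_port, f"tcp/{self.remote_port}")

    @property
    def duration(self) -> timedelta:
        return self.last - self.first


def summarise(packets=PACKETS) -> list:
    """Group packets into client flows keyed by (remote ip, remote port, local ephemeral port)."""
    flows = {}
    for ts_text, sport, dport, sip, dip in packets:
        ts = parse_ts(ts_text)
        outbound = sip == LOCAL_HOST
        key = (dip, dport, sport) if outbound else (sip, sport, dport)
        fl = flows.get(key)
        if fl is None:
            fl = flows[key] = Flow(*key, first=ts, last=ts)
        fl.first, fl.last = min(fl.first, ts), max(fl.last, ts)
        if outbound:
            fl.out_packets += 1
        else:
            fl.in_packets += 1
    return sorted(flows.values(), key=lambda f: f.first)


if __name__ == "__main__":
    for f in summarise():
        print(f"{f.first:%H:%M:%S}  {LOCAL_HOST}:{f.local_port} -> {f.remote_ip}:{f.remote_port} "
              f"({f.service})  out={f.out_packets} in={f.in_packets} dur={f.duration.total_seconds():.3f}s")
```

With the full table fed in, the three port-587 flows are the ones to decode: a fresh SMTP session for each exfiltration attempt, each lasting a few seconds, is the pattern this signature set describes under stealing mail and browser credentials.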
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 5, 2024 07:16:06.645823002 CEST | 49733 | 443 | 192.168.2.4 | 172.67.74.152
Jul 5, 2024 07:16:06.645862103 CEST | 443 | 49733 | 172.67.74.152 | 192.168.2.4
Jul 5, 2024 07:16:06.645976067 CEST | 49733 | 443 | 192.168.2.4 | 172.67.74.152
Jul 5, 2024 07:16:06.671715021 CEST | 49733 | 443 | 192.168.2.4 | 172.67.74.152
Jul 5, 2024 07:16:06.671727896 CEST | 443 | 49733 | 172.67.74.152 | 192.168.2.4
Jul 5, 2024 07:16:07.152152061 CEST | 443 | 49733 | 172.67.74.152 | 192.168.2.4
Jul 5, 2024 07:16:07.152223110 CEST | 49733 | 443 | 192.168.2.4 | 172.67.74.152
Jul 5, 2024 07:16:07.155541897 CEST | 49733 | 443 | 192.168.2.4 | 172.67.74.152
Jul 5, 2024 07:16:07.155550003 CEST | 443 | 49733 | 172.67.74.152 | 192.168.2.4
Jul 5, 2024 07:16:07.155780077 CEST | 443 | 49733 | 172.67.74.152 | 192.168.2.4
Jul 5, 2024 07:16:07.202991009 CEST | 49733 | 443 | 192.168.2.4 | 172.67.74.152
Jul 5, 2024 07:16:07.227982044 CEST | 49733 | 443 | 192.168.2.4 | 172.67.74.152
Jul 5, 2024 07:16:07.272500992 CEST | 443 | 49733 | 172.67.74.152 | 192.168.2.4
Jul 5, 2024 07:16:07.356863022 CEST | 443 | 49733 | 172.67.74.152 | 192.168.2.4
Jul 5, 2024 07:16:07.356929064 CEST | 443 | 49733 | 172.67.74.152 | 192.168.2.4
Jul 5, 2024 07:16:07.357017994 CEST | 49733 | 443 | 192.168.2.4 | 172.67.74.152
Jul 5, 2024 07:16:07.374139071 CEST | 49733 | 443 | 192.168.2.4 | 172.67.74.152
Jul 5, 2024 07:16:09.459686041 CEST | 49736 | 587 | 192.168.2.4 | 77.88.21.158
Jul 5, 2024 07:16:09.464596033 CEST | 587 | 49736 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:09.464695930 CEST | 49736 | 587 | 192.168.2.4 | 77.88.21.158
Jul 5, 2024 07:16:10.584470034 CEST | 587 | 49736 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:10.587207079 CEST | 49736 | 587 | 192.168.2.4 | 77.88.21.158
Jul 5, 2024 07:16:10.592169046 CEST | 587 | 49736 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:10.823252916 CEST | 587 | 49736 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:10.823616028 CEST | 49736 | 587 | 192.168.2.4 | 77.88.21.158
Jul 5, 2024 07:16:10.828567982 CEST | 587 | 49736 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:11.059576988 CEST | 587 | 49736 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:11.059978962 CEST | 49736 | 587 | 192.168.2.4 | 77.88.21.158
Jul 5, 2024 07:16:11.064922094 CEST | 587 | 49736 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:11.298016071 CEST | 587 | 49736 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:11.298049927 CEST | 587 | 49736 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:11.298069954 CEST | 587 | 49736 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:11.298084021 CEST | 587 | 49736 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:11.298126936 CEST | 49736 | 587 | 192.168.2.4 | 77.88.21.158
Jul 5, 2024 07:16:11.298186064 CEST | 49736 | 587 | 192.168.2.4 | 77.88.21.158
Jul 5, 2024 07:16:11.302378893 CEST | 49736 | 587 | 192.168.2.4 | 77.88.21.158
Jul 5, 2024 07:16:11.307224989 CEST | 587 | 49736 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:11.538945913 CEST | 587 | 49736 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:11.544137001 CEST | 49736 | 587 | 192.168.2.4 | 77.88.21.158
Jul 5, 2024 07:16:11.549007893 CEST | 587 | 49736 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:11.780375957 CEST | 587 | 49736 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:11.784775019 CEST | 49736 | 587 | 192.168.2.4 | 77.88.21.158
Jul 5, 2024 07:16:11.789730072 CEST | 587 | 49736 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:12.020739079 CEST | 587 | 49736 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:12.021004915 CEST | 49736 | 587 | 192.168.2.4 | 77.88.21.158
Jul 5, 2024 07:16:12.025834084 CEST | 587 | 49736 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:12.277724981 CEST | 587 | 49736 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:12.278126001 CEST | 49736 | 587 | 192.168.2.4 | 77.88.21.158
Jul 5, 2024 07:16:12.282948017 CEST | 587 | 49736 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:12.520529032 CEST | 587 | 49736 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:12.520895958 CEST | 49736 | 587 | 192.168.2.4 | 77.88.21.158
Jul 5, 2024 07:16:12.528255939 CEST | 587 | 49736 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:12.853861094 CEST | 587 | 49736 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:12.854052067 CEST | 49736 | 587 | 192.168.2.4 | 77.88.21.158
Jul 5, 2024 07:16:12.861092091 CEST | 587 | 49736 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:13.090122938 CEST | 587 | 49736 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:13.092075109 CEST | 49736 | 587 | 192.168.2.4 | 77.88.21.158
Jul 5, 2024 07:16:13.095568895 CEST | 49736 | 587 | 192.168.2.4 | 77.88.21.158
Jul 5, 2024 07:16:13.095590115 CEST | 49736 | 587 | 192.168.2.4 | 77.88.21.158
Jul 5, 2024 07:16:13.095618010 CEST | 49736 | 587 | 192.168.2.4 | 77.88.21.158
Jul 5, 2024 07:16:13.096980095 CEST | 587 | 49736 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:13.100398064 CEST | 587 | 49736 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:13.100569963 CEST | 587 | 49736 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:13.100579977 CEST | 587 | 49736 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:13.965934038 CEST | 587 | 49736 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:14.019639015 CEST | 49736 | 587 | 192.168.2.4 | 77.88.21.158
Jul 5, 2024 07:16:14.500122070 CEST | 49737 | 443 | 192.168.2.4 | 172.67.74.152
Jul 5, 2024 07:16:14.500166893 CEST | 443 | 49737 | 172.67.74.152 | 192.168.2.4
Jul 5, 2024 07:16:14.500222921 CEST | 49737 | 443 | 192.168.2.4 | 172.67.74.152
Jul 5, 2024 07:16:14.503264904 CEST | 49737 | 443 | 192.168.2.4 | 172.67.74.152
Jul 5, 2024 07:16:14.503281116 CEST | 443 | 49737 | 172.67.74.152 | 192.168.2.4
Jul 5, 2024 07:16:14.998265028 CEST | 443 | 49737 | 172.67.74.152 | 192.168.2.4
Jul 5, 2024 07:16:14.998336077 CEST | 49737 | 443 | 192.168.2.4 | 172.67.74.152
Jul 5, 2024 07:16:15.001409054 CEST | 49737 | 443 | 192.168.2.4 | 172.67.74.152
Jul 5, 2024 07:16:15.001420021 CEST | 443 | 49737 | 172.67.74.152 | 192.168.2.4
Jul 5, 2024 07:16:15.001727104 CEST | 443 | 49737 | 172.67.74.152 | 192.168.2.4
Jul 5, 2024 07:16:15.050894976 CEST | 49737 | 443 | 192.168.2.4 | 172.67.74.152
Jul 5, 2024 07:16:15.084996939 CEST | 49737 | 443 | 192.168.2.4 | 172.67.74.152
Jul 5, 2024 07:16:15.128546000 CEST | 443 | 49737 | 172.67.74.152 | 192.168.2.4
Jul 5, 2024 07:16:15.195883989 CEST | 443 | 49737 | 172.67.74.152 | 192.168.2.4
Jul 5, 2024 07:16:15.196144104 CEST | 443 | 49737 | 172.67.74.152 | 192.168.2.4
Jul 5, 2024 07:16:15.196229935 CEST | 49737 | 443 | 192.168.2.4 | 172.67.74.152
Jul 5, 2024 07:16:15.198863029 CEST | 49737 | 443 | 192.168.2.4 | 172.67.74.152
Jul 5, 2024 07:16:15.674561024 CEST | 49738 | 587 | 192.168.2.4 | 77.88.21.158
Jul 5, 2024 07:16:15.679502964 CEST | 587 | 49738 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:15.679615021 CEST | 49738 | 587 | 192.168.2.4 | 77.88.21.158
Jul 5, 2024 07:16:16.702056885 CEST | 587 | 49738 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:16.721348047 CEST | 49738 | 587 | 192.168.2.4 | 77.88.21.158
Jul 5, 2024 07:16:16.726229906 CEST | 587 | 49738 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:16.946852922 CEST | 587 | 49738 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:16.947052956 CEST | 49738 | 587 | 192.168.2.4 | 77.88.21.158
Jul 5, 2024 07:16:16.951944113 CEST | 587 | 49738 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:17.171231985 CEST | 587 | 49738 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:17.221769094 CEST | 49738 | 587 | 192.168.2.4 | 77.88.21.158
Jul 5, 2024 07:16:17.226752043 CEST | 587 | 49738 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:17.447793961 CEST | 587 | 49738 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:17.447863102 CEST | 587 | 49738 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:17.447916031 CEST | 587 | 49738 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:17.447933912 CEST | 49738 | 587 | 192.168.2.4 | 77.88.21.158
Jul 5, 2024 07:16:17.447966099 CEST | 587 | 49738 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:17.448002100 CEST | 49738 | 587 | 192.168.2.4 | 77.88.21.158
Jul 5, 2024 07:16:17.448004007 CEST | 587 | 49738 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:17.455459118 CEST | 49738 | 587 | 192.168.2.4 | 77.88.21.158
Jul 5, 2024 07:16:17.462774038 CEST | 587 | 49738 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:17.681920052 CEST | 587 | 49738 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:17.687081099 CEST | 49738 | 587 | 192.168.2.4 | 77.88.21.158
Jul 5, 2024 07:16:17.691991091 CEST | 587 | 49738 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:17.914653063 CEST | 587 | 49738 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:17.915050983 CEST | 49738 | 587 | 192.168.2.4 | 77.88.21.158
Jul 5, 2024 07:16:17.920173883 CEST | 587 | 49738 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:18.139811993 CEST | 587 | 49738 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:18.140222073 CEST | 49738 | 587 | 192.168.2.4 | 77.88.21.158
Jul 5, 2024 07:16:18.145153046 CEST | 587 | 49738 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:18.390039921 CEST | 587 | 49738 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:18.390352964 CEST | 49738 | 587 | 192.168.2.4 | 77.88.21.158
Jul 5, 2024 07:16:18.395169020 CEST | 587 | 49738 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:18.631418943 CEST | 587 | 49738 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:18.631747007 CEST | 49738 | 587 | 192.168.2.4 | 77.88.21.158
Jul 5, 2024 07:16:18.637264967 CEST | 587 | 49738 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:19.071397066 CEST | 587 | 49738 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:19.071706057 CEST | 49738 | 587 | 192.168.2.4 | 77.88.21.158
Jul 5, 2024 07:16:19.076553106 CEST | 587 | 49738 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:19.298450947 CEST | 587 | 49738 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:19.299403906 CEST | 49738 | 587 | 192.168.2.4 | 77.88.21.158
Jul 5, 2024 07:16:19.299484015 CEST | 49738 | 587 | 192.168.2.4 | 77.88.21.158
Jul 5, 2024 07:16:19.299514055 CEST | 49738 | 587 | 192.168.2.4 | 77.88.21.158
Jul 5, 2024 07:16:19.299540043 CEST | 49738 | 587 | 192.168.2.4 | 77.88.21.158
Jul 5, 2024 07:16:19.305641890 CEST | 587 | 49738 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:19.305655003 CEST | 587 | 49738 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:19.305757046 CEST | 587 | 49738 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:19.305767059 CEST | 587 | 49738 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:20.122410059 CEST | 587 | 49738 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:16:20.175946951 CEST | 49738 | 587 | 192.168.2.4 | 77.88.21.158
Jul 5, 2024 07:17:28.966291904 CEST | 587 | 49736 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:17:28.966370106 CEST | 49736 | 587 | 192.168.2.4 | 77.88.21.158
Jul 5, 2024 07:17:29.543426037 CEST | 49736 | 587 | 192.168.2.4 | 77.88.21.158
Jul 5, 2024 07:17:29.544332981 CEST | 49736 | 587 | 192.168.2.4 | 77.88.21.158
Jul 5, 2024 07:17:29.545571089 CEST | 49746 | 587 | 192.168.2.4 | 77.88.21.158
Jul 5, 2024 07:17:29.548280954 CEST | 587 | 49736 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:17:29.549061060 CEST | 587 | 49736 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:17:29.550334930 CEST | 587 | 49746 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:17:29.550436974 CEST | 49746 | 587 | 192.168.2.4 | 77.88.21.158
Jul 5, 2024 07:17:30.469408989 CEST | 587 | 49746 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:17:30.469540119 CEST | 49746 | 587 | 192.168.2.4 | 77.88.21.158
Jul 5, 2024 07:17:30.475780010 CEST | 587 | 49746 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:17:30.700001955 CEST | 587 | 49746 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:17:30.700248957 CEST | 49746 | 587 | 192.168.2.4 | 77.88.21.158
Jul 5, 2024 07:17:30.705530882 CEST | 587 | 49746 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:17:30.931294918 CEST | 587 | 49746 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:17:30.935101032 CEST | 49746 | 587 | 192.168.2.4 | 77.88.21.158
Jul 5, 2024 07:17:30.940125942 CEST | 587 | 49746 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:17:31.174397945 CEST | 587 | 49746 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:17:31.174413919 CEST | 587 | 49746 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:17:31.174427032 CEST | 587 | 49746 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:17:31.174520016 CEST | 587 | 49746 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:17:31.174525976 CEST | 49746 | 587 | 192.168.2.4 | 77.88.21.158
Jul 5, 2024 07:17:31.174575090 CEST | 49746 | 587 | 192.168.2.4 | 77.88.21.158
Jul 5, 2024 07:17:31.177843094 CEST | 49746 | 587 | 192.168.2.4 | 77.88.21.158
Jul 5, 2024 07:17:31.182626963 CEST | 587 | 49746 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:17:31.409161091 CEST | 587 | 49746 | 77.88.21.158 | 192.168.2.4
Jul 5, 2024 07:17:31.416352987 CEST | 49746 | 587 | 192.168.2.4 | 77.88.21.158
Jul 5, 2024 07:17:31.422157049 CEST | 587 | 49746 | 77.88.21.158 | 192.168.2.4
                                      Jul 5, 2024 07:17:31.646806002 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:31.647346973 CEST49746587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:31.654357910 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:31.878294945 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:31.878648043 CEST49746587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:31.883502960 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.124866962 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.125050068 CEST49746587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:32.129803896 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.361342907 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.361679077 CEST49746587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:32.366552114 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.598424911 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.598622084 CEST49746587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:32.603395939 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.828702927 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.830235958 CEST49746587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:32.830389977 CEST49746587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:32.830462933 CEST49746587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:32.830517054 CEST49746587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:32.832009077 CEST49746587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:32.835088015 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.835094929 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.835153103 CEST49746587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:32.835182905 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.835287094 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.835325956 CEST49746587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:32.836782932 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.836786985 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.836802006 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.836807013 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.836834908 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.836854935 CEST49746587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:32.836877108 CEST49746587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:32.836894035 CEST49746587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:32.836927891 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.837162018 CEST49746587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:32.839843988 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.839848042 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.839873075 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.839876890 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.839895010 CEST49746587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:32.839934111 CEST49746587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:32.840357065 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.840395927 CEST49746587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:32.841639996 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.841697931 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.841697931 CEST49746587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:32.841753006 CEST49746587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:32.841789961 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.841831923 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.841887951 CEST49746587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:32.841926098 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.841979027 CEST49746587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:32.844862938 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.844866991 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.844877958 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.844942093 CEST49746587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:32.844969034 CEST49746587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:32.845380068 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.846631050 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.846699953 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.846708059 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.846720934 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.846754074 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.846788883 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.847879887 CEST49746587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:32.849456072 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.849467039 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.849500895 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.849858999 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.849863052 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.849870920 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.849912882 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.849920988 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.849924088 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.849932909 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.850179911 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.850224972 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.850229025 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.850231886 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.850236893 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.850307941 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.850311995 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.850320101 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.850323915 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.850387096 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.850390911 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.852864027 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.852873087 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.852875948 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.852884054 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.852886915 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.852895975 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.852929115 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.852932930 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.852936029 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.852938890 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.852952003 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:32.852960110 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:33.888993979 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:33.941638947 CEST49746587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:35.119296074 CEST5874973877.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:35.119355917 CEST49738587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:35.509063959 CEST49738587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:35.510371923 CEST49738587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:35.510370970 CEST49747587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:35.517499924 CEST5874973877.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:35.517508030 CEST5874973877.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:35.517513990 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:35.525039911 CEST49747587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:36.347979069 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:36.348166943 CEST49747587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:36.355312109 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:36.570373058 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:36.570530891 CEST49747587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:36.575295925 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:36.792620897 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:36.793101072 CEST49747587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:36.797975063 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:37.016316891 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:37.016334057 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:37.016345978 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:37.016418934 CEST49747587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:37.016443968 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:37.016525030 CEST49747587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:37.018707037 CEST49747587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:37.023452044 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:37.241067886 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:37.245163918 CEST49747587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:37.250030041 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:37.467483044 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:37.469484091 CEST49747587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:37.474376917 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:37.691879034 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:37.740956068 CEST49747587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:37.953737020 CEST49747587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:37.958587885 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:38.215195894 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:38.225981951 CEST49747587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:38.231017113 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:38.458056927 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:38.461597919 CEST49747587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:38.466425896 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:39.200937033 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:39.201195002 CEST49747587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:39.206027031 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:39.423372030 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:39.425448895 CEST49747587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:39.425503969 CEST49747587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:39.425535917 CEST49747587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:39.425580025 CEST49747587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:39.427094936 CEST49747587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:39.430232048 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:39.430272102 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:39.430347919 CEST49747587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:39.430520058 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:39.430702925 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:39.430774927 CEST49747587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:39.431936026 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:39.431957960 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:39.431961060 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:39.432010889 CEST49747587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:39.432020903 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:39.432024956 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:39.432034016 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:39.432041883 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:39.432063103 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:39.432066917 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:39.432085037 CEST49747587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:39.432113886 CEST49747587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:39.435080051 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:39.435497046 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:39.435559988 CEST49747587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:39.436950922 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:39.437057018 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:39.437102079 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:39.437123060 CEST49747587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:39.437156916 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:39.437160969 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:39.437194109 CEST49747587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:39.437221050 CEST49747587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:39.437289000 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:39.437370062 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:39.437371016 CEST49747587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:39.440407038 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:39.440490007 CEST49747587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:39.440526962 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:39.440972090 CEST49747587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:39.442143917 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:39.442302942 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:39.442378044 CEST49747587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:39.442400932 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:39.442760944 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:39.442846060 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:39.442883968 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:39.442950010 CEST49747587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:39.442980051 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:39.443341970 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:39.445616961 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:39.446831942 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:39.446835995 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:39.446933985 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:39.446940899 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:39.446945906 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:39.446949005 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:39.446952105 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:39.446959972 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:39.446965933 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:39.446969986 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:39.446983099 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:39.447410107 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:39.447415113 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:39.447423935 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:39.447427034 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:39.447436094 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:39.447438955 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:39.447443008 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:39.447707891 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:40.534339905 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:40.676012039 CEST49747587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:41.018491983 CEST49746587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:41.024138927 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:41.249388933 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:41.249569893 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:41.251077890 CEST49746587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:41.254678011 CEST49746587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:41.260464907 CEST5874974677.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:41.261076927 CEST49748587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:41.265882969 CEST5874974877.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:41.265973091 CEST49748587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:42.019661903 CEST5874974877.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:42.020107985 CEST49748587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:42.024965048 CEST5874974877.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:42.253034115 CEST5874974877.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:42.253473043 CEST49748587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:42.258264065 CEST5874974877.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:42.485774040 CEST5874974877.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:42.486371040 CEST49748587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:42.491240025 CEST5874974877.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:42.723740101 CEST5874974877.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:42.723839998 CEST5874974877.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:42.723850965 CEST5874974877.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:42.723862886 CEST5874974877.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:42.723872900 CEST5874974877.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:42.723908901 CEST49748587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:42.723953962 CEST49748587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:42.725675106 CEST49748587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:42.733916044 CEST5874974877.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:42.958499908 CEST5874974877.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:42.959877014 CEST49748587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:42.964674950 CEST5874974877.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:43.192451000 CEST5874974877.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:43.192677021 CEST49748587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:43.197510004 CEST5874974877.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:43.443454027 CEST5874974877.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:43.445168018 CEST49748587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:43.450212002 CEST5874974877.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:43.631709099 CEST49747587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:43.636518955 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:43.703119040 CEST5874974877.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:43.703413010 CEST49748587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:43.708204985 CEST5874974877.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:43.853975058 CEST5874974777.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:43.854228020 CEST5874974777.88.21.158192.168.2.4
Jul 5, 2024 07:17:43.854284048 CEST  49747  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:43.854573965 CEST  49747  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:43.856185913 CEST  49749  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:43.859281063 CEST  587  49747  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:43.861515999 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:43.861593962 CEST  49749  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:43.950855970 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:43.951159954 CEST  49748  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:43.955951929 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.397013903 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.397288084 CEST  49748  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:44.402031898 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.500670910 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.500896931 CEST  49749  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:44.505722046 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.629703999 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.630022049 CEST  49748  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:44.630103111 CEST  49748  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:44.630131960 CEST  49748  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:44.630183935 CEST  49748  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:44.631565094 CEST  49748  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:44.634793043 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.634844065 CEST  49748  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:44.635072947 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.635077000 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.635112047 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.636369944 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.636451960 CEST  49748  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:44.636451960 CEST  49748  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:44.636548042 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.636552095 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.636599064 CEST  49748  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:44.636642933 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.636646032 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.636707067 CEST  49748  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:44.636733055 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.636737108 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.636785030 CEST  49748  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:44.636795044 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.636799097 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.636848927 CEST  49748  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:44.639625072 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.639676094 CEST  49748  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:44.642018080 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.642075062 CEST  49748  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:44.642179012 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.642235041 CEST  49748  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:44.642260075 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.642333031 CEST  49748  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:44.642448902 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.642452955 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.642513037 CEST  49748  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:44.642784119 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.642846107 CEST  49748  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:44.642891884 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.642952919 CEST  49748  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:44.643419027 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.644468069 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.644541979 CEST  49748  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:44.647058010 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.647115946 CEST  49748  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:44.647371054 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.647636890 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.647703886 CEST  49748  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:44.648129940 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.648133993 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.648144007 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.648252010 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.648263931 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.649389029 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.652091980 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.652096033 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.652239084 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.652249098 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.652292967 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.652297020 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.652478933 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.652493000 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.652501106 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.652506113 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.652512074 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.652594090 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.652636051 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.652678967 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.652725935 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.652729988 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.652777910 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.652781963 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.652841091 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.652844906 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.652854919 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.732678890 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.732908964 CEST  49749  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:44.737685919 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.964914083 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:44.965312958 CEST  49749  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:44.970120907 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:45.199417114 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:45.199438095 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:45.199450016 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:45.199487925 CEST  49749  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:45.199507952 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:45.199620962 CEST  49749  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:45.202156067 CEST  49749  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:45.207123995 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:45.434088945 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:45.452826977 CEST  49749  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:45.457673073 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:45.649049044 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:45.684348106 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:45.684523106 CEST  49749  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:45.689328909 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:45.860558987 CEST  587  49748  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:45.860611916 CEST  49748  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:45.917958021 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:45.918282032 CEST  49749  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:45.924751997 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.168019056 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.168220997 CEST  49749  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:46.173196077 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.410603046 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.410861015 CEST  49749  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:46.415802002 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.650866032 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.651385069 CEST  49749  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:46.656171083 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.883060932 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.885246992 CEST  49749  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:46.885302067 CEST  49749  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:46.885303020 CEST  49749  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:46.885390043 CEST  49749  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:46.888991117 CEST  49749  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:46.890043974 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.890116930 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.890121937 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.890213013 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.890249014 CEST  49749  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:46.890400887 CEST  49749  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:46.893883944 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.893888950 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.893917084 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.893920898 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.893934965 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.893939018 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.893986940 CEST  49749  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:46.894027948 CEST  49749  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:46.894753933 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.894773960 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.894783020 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.894854069 CEST  49749  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:46.894854069 CEST  49749  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:46.894989967 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.895117998 CEST  49749  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:46.895145893 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.895204067 CEST  49749  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:46.898781061 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.898878098 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.899004936 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.899008989 CEST  49749  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:46.899163961 CEST  49749  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:46.899175882 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.899209023 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.899252892 CEST  49749  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:46.899701118 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.899815083 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.899950981 CEST  49749  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:46.899959087 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.899991989 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.900032043 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.900075912 CEST  49749  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:46.900161028 CEST  49749  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:46.903819084 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.903918982 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.904035091 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.904058933 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.904103994 CEST  49749  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:46.904107094 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.904386997 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.904448986 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.904453039 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.904530048 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.904908895 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.904913902 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.904930115 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.904958010 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.904963017 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.904970884 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.905041933 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.905050993 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.905056000 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.905060053 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.905062914 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.905116081 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.905119896 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.905123949 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.905128002 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.905189991 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.905199051 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.905201912 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.905205965 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.905220985 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.905225039 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.905232906 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.908864021 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.908880949 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.908885002 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.908895969 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.908947945 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.908951998 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.908955097 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.909037113 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.909050941 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.909054995 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.909065008 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.909077883 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:46.909086943 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:47.998079062 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:48.040887117 CEST  49749  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:48.772979021 CEST  49749  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:48.777935028 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:49.005388021 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:49.005409956 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:49.005678892 CEST  49749  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:49.008980989 CEST  49749  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:49.008980989 CEST  49750  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:49.014126062 CEST  587  49749  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:49.014209986 CEST  587  49750  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:49.014463902 CEST  49750  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:49.763520956 CEST  587  49750  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:49.763647079 CEST  49750  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:49.768791914 CEST  587  49750  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:49.990175009 CEST  587  49750  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:49.990335941 CEST  49750  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:49.995238066 CEST  587  49750  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:50.216536045 CEST  587  49750  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:50.217329025 CEST  49750  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:50.222953081 CEST  587  49750  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:50.450596094 CEST  587  49750  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:50.450649023 CEST  587  49750  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:50.450716019 CEST  587  49750  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:50.450860977 CEST  587  49750  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:50.450866938 CEST  587  49750  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:50.450874090 CEST  587  49750  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:50.450916052 CEST  49750  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:50.451050043 CEST  49750  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:50.452963114 CEST  49750  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:50.457721949 CEST  587  49750  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:50.596970081 CEST  49750  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:50.605283022 CEST  587  49750  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:50.608978987 CEST  49750  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:50.628993034 CEST  49751  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:50.636957884 CEST  587  49751  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:50.640991926 CEST  49751  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:51.277471066 CEST  587  49751  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:51.281153917 CEST  49751  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:51.285962105 CEST  587  49751  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:51.526583910 CEST  587  49751  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:51.526710033 CEST  49751  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:51.531497002 CEST  587  49751  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:51.747647047 CEST  587  49751  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:51.748136044 CEST  49751  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:51.752897024 CEST  587  49751  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:51.973794937 CEST  587  49751  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:51.973814011 CEST  587  49751  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:51.973828077 CEST  587  49751  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:51.973872900 CEST  49751  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:51.973890066 CEST  587  49751  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:51.973938942 CEST  49751  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:51.976438046 CEST  49751  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:51.981161118 CEST  587  49751  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:52.197395086 CEST  587  49751  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:52.198630095 CEST  49751  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:52.203538895 CEST  587  49751  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:52.419789076 CEST  587  49751  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:52.427381039 CEST  49751  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:52.432322979 CEST  587  49751  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:52.648237944 CEST  587  49751  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:52.650969982 CEST  49751  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:52.655808926 CEST  587  49751  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:52.897032022 CEST  587  49751  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:52.899338007 CEST  49751  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:52.904186010 CEST  587  49751  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:53.140990019 CEST  587  49751  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:53.148451090 CEST  49751  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:53.153342009 CEST  587  49751  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:53.675168037 CEST  587  49751  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:53.677361965 CEST  49751  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:53.682246923 CEST  587  49751  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:53.898107052 CEST  587  49751  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:53.898478031 CEST  49751  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:53.898529053 CEST  49751  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:53.898593903 CEST  49751  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:53.898648977 CEST  49751  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:53.900448084 CEST  49751  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:53.903439999 CEST  587  49751  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:53.903455973 CEST  587  49751  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:53.903465033 CEST  587  49751  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:53.903476000 CEST  587  49751  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:53.903492928 CEST  49751  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:53.903522015 CEST  49751  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:53.905829906 CEST  587  49751  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:53.905842066 CEST  587  49751  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:53.905848980 CEST  587  49751  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:53.905858040 CEST  587  49751  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:53.905874968 CEST  587  49751  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:53.905895948 CEST  49751  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:53.905922890 CEST  49751  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:53.905934095 CEST  49751  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:53.905935049 CEST  587  49751  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:53.905945063 CEST  587  49751  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:53.905976057 CEST  49751  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:53.905987978 CEST  49751  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:53.908869028 CEST  587  49751  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:53.908880949 CEST  587  49751  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:53.908921957 CEST  49751  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:53.908936977 CEST  49751  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:53.908966064 CEST  587  49751  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:53.909004927 CEST  49751  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:53.909141064 CEST  587  49751  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:53.909181118 CEST  49751  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:53.911720037 CEST  587  49751  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:53.911751986 CEST  587  49751  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:53.911781073 CEST  49751  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:53.911799908 CEST  587  49751  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:53.911808968 CEST  587  49751  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:53.911819935 CEST  49751  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:53.911844969 CEST  49751  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:53.911890984 CEST  49751  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:53.912018061 CEST  587  49751  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:53.912061930 CEST  49751  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:53.912061930 CEST  587  49751  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:53.912117004 CEST  49751  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:53.914474010 CEST  587  49751  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:53.914518118 CEST  49751  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:53.914836884 CEST  587  49751  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:53.914891958 CEST  49751  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:53.916981936 CEST  587  49751  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:53.917010069 CEST  587  49751  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:53.917043924 CEST  49751  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:53.917067051 CEST  49751  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:53.917190075 CEST  587  49751  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:53.917222023 CEST  587  49751  77.88.21.158  192.168.2.4
Jul 5, 2024 07:17:53.917237043 CEST  49751  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:53.917259932 CEST  49751  587  192.168.2.4  77.88.21.158
Jul 5, 2024 07:17:53.917335987 CEST  587  49751  77.88.21.158  192.168.2.4
                                      Jul 5, 2024 07:17:53.917354107 CEST5874975177.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:53.917387962 CEST49751587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:53.917387962 CEST49751587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:53.917407036 CEST5874975177.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:53.917484045 CEST5874975177.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:53.917498112 CEST5874975177.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:53.917577028 CEST5874975177.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:53.917622089 CEST5874975177.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:53.917701960 CEST5874975177.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:53.917743921 CEST5874975177.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:53.917754889 CEST5874975177.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:53.917779922 CEST5874975177.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:53.917876005 CEST5874975177.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:53.919318914 CEST5874975177.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:53.919605970 CEST5874975177.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:53.919614077 CEST5874975177.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:53.919626951 CEST5874975177.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:53.921592951 CEST5874975177.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:53.921606064 CEST5874975177.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:53.921684027 CEST5874975177.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:53.921693087 CEST5874975177.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:53.921755075 CEST5874975177.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:53.922096014 CEST5874975177.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:53.922105074 CEST5874975177.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:53.922195911 CEST5874975177.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:53.922204971 CEST5874975177.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:53.922286987 CEST5874975177.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:53.922296047 CEST5874975177.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:53.922336102 CEST5874975177.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:53.922411919 CEST5874975177.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:53.922574997 CEST5874975177.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:53.922583103 CEST5874975177.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:53.922586918 CEST5874975177.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:53.922595978 CEST5874975177.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:53.922651052 CEST5874975177.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:53.922765970 CEST5874975177.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:53.922776937 CEST5874975177.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:53.922786951 CEST5874975177.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:53.922827005 CEST5874975177.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:53.922837019 CEST5874975177.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:53.922878027 CEST5874975177.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:53.922938108 CEST5874975177.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:53.923253059 CEST5874975177.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:55.051812887 CEST5874975177.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:55.267164946 CEST5874975177.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:55.267326117 CEST49751587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:59.384727001 CEST49751587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:59.390404940 CEST5874975177.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:59.629722118 CEST5874975177.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:59.629868031 CEST5874975177.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:59.629911900 CEST49751587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:59.630287886 CEST49751587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:59.631901026 CEST49752587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:17:59.635093927 CEST5874975177.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:59.636905909 CEST5874975277.88.21.158192.168.2.4
                                      Jul 5, 2024 07:17:59.636965036 CEST49752587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:00.357249022 CEST49748587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:00.362242937 CEST5874974877.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:00.530973911 CEST5874975277.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:00.531208038 CEST49752587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:00.538403034 CEST5874975277.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:00.589610100 CEST5874974877.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:00.589842081 CEST5874974877.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:00.590161085 CEST49748587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:00.591710091 CEST49748587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:00.591711044 CEST49753587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:00.596415043 CEST5874974877.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:00.596541882 CEST5874975377.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:00.596729040 CEST49753587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:00.755697966 CEST5874975277.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:00.755922079 CEST49752587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:00.760991096 CEST5874975277.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:01.410150051 CEST49752587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:01.760478020 CEST49752587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:01.822448015 CEST49753587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:01.924843073 CEST5874975277.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:01.925019026 CEST49752587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:01.926172972 CEST5874975277.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:01.926230907 CEST49752587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:01.926631927 CEST5874975277.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:01.926678896 CEST49752587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:01.926774025 CEST5874975377.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:01.926917076 CEST49753587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:01.926995993 CEST5874975377.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:01.927027941 CEST5874975277.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:01.927042961 CEST49753587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:01.927067995 CEST49752587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:01.931408882 CEST5874975277.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:01.931523085 CEST5874975277.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:01.931554079 CEST5874975377.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:01.931600094 CEST49752587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:01.931627989 CEST49752587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:01.931638956 CEST49753587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:02.664581060 CEST49754587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:02.669687033 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:02.669770002 CEST49754587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:02.814836025 CEST49755587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:02.820128918 CEST5874975577.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:02.820218086 CEST49755587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:03.399616957 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:03.399759054 CEST49754587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:03.404599905 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:03.563292027 CEST5874975577.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:03.563450098 CEST49755587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:03.568270922 CEST5874975577.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:03.632601023 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:03.632778883 CEST49754587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:03.637759924 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:03.794986963 CEST5874975577.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:03.796113968 CEST49755587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:03.803730965 CEST5874975577.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:03.856458902 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:03.856914043 CEST49754587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:03.861747980 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:04.029130936 CEST5874975577.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:04.029521942 CEST49755587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:04.034360886 CEST5874975577.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:04.082390070 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:04.082398891 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:04.082412004 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:04.082462072 CEST49754587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:04.082508087 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:04.082545042 CEST49754587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:04.085645914 CEST49754587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:04.090406895 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:04.264218092 CEST5874975577.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:04.264230013 CEST5874975577.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:04.264236927 CEST5874975577.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:04.264242887 CEST5874975577.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:04.264290094 CEST49755587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:04.266613960 CEST49755587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:04.272630930 CEST5874975577.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:04.309636116 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:04.310931921 CEST49754587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:04.315865993 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:04.498429060 CEST5874975577.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:04.502289057 CEST49755587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:04.507153988 CEST5874975577.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:04.534631014 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:04.541011095 CEST49754587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:04.545859098 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:04.733681917 CEST5874975577.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:04.734028101 CEST49755587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:04.738905907 CEST5874975577.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:04.764554024 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:04.764843941 CEST49754587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:04.769727945 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:04.965495110 CEST5874975577.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:04.969342947 CEST49755587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:04.974117041 CEST5874975577.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:05.010667086 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:05.013196945 CEST49754587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:05.018415928 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:05.215692997 CEST5874975577.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:05.255927086 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:05.286966085 CEST49755587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:05.379185915 CEST49754587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:05.605807066 CEST49754587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:05.610802889 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:05.929442883 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:06.097939014 CEST49754587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:06.234443903 CEST49754587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:06.241046906 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:06.354592085 CEST49755587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:06.359426022 CEST5874975577.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:06.764971972 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:06.765511990 CEST49754587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:06.765600920 CEST49754587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:06.765674114 CEST49754587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:06.765806913 CEST49754587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:06.765861988 CEST5874975577.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:06.766123056 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:06.766165018 CEST49754587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:06.768420935 CEST49754587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:06.769556999 CEST49755587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:06.770303965 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:06.770355940 CEST49754587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:06.770426035 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:06.770462036 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:06.770560980 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:06.770602942 CEST49754587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:06.773297071 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:06.773309946 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:06.773320913 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:06.773374081 CEST49754587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:06.773405075 CEST49754587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:06.773412943 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:06.773461103 CEST49754587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:06.775048018 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:06.775060892 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:06.775096893 CEST49754587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:06.775121927 CEST49754587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:06.775201082 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:06.775245905 CEST49754587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:06.775249958 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:06.775293112 CEST49754587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:06.775315046 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:06.775327921 CEST5874975577.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:06.775336981 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:06.775358915 CEST49754587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:06.775384903 CEST49754587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:06.776407003 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:06.776454926 CEST49754587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:06.778184891 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:06.778234959 CEST49754587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:06.778278112 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:06.778321981 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:06.778328896 CEST49754587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:06.778393030 CEST49754587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:06.779917002 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:06.779970884 CEST49754587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:06.780544043 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:06.780564070 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:06.780572891 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:06.780596018 CEST49754587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:06.780656099 CEST49754587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:06.781689882 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:06.781742096 CEST49754587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:06.783135891 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:06.783201933 CEST49754587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:06.783261061 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:06.783307076 CEST49754587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:06.783324957 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:06.784507036 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:06.784727097 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:06.784739971 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:06.785351992 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:06.785712957 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:06.786475897 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:06.786634922 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:06.786653042 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:06.786704063 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:06.786717892 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:06.786747932 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:06.786757946 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:06.787719965 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:06.787790060 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:06.787831068 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:06.788059950 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:06.788069963 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:06.788089037 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:06.788163900 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:06.788172960 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:06.788181067 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:06.788209915 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:06.788228035 CEST5874975477.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:07.097626925 CEST5874975577.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:07.097819090 CEST49755587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:07.102587938 CEST5874975577.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:07.328919888 CEST5874975577.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:07.329309940 CEST49755587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:07.329408884 CEST49755587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:07.329464912 CEST49755587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:07.329541922 CEST49755587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:07.331322908 CEST49755587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:07.334162951 CEST5874975577.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:07.334203005 CEST5874975577.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:07.334208012 CEST5874975577.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:07.334228039 CEST49755587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:07.334336996 CEST5874975577.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:07.334445953 CEST49755587192.168.2.477.88.21.158
                                      Jul 5, 2024 07:18:07.336508036 CEST5874975577.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:07.336514950 CEST5874975577.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:07.336524010 CEST5874975577.88.21.158192.168.2.4
                                      Jul 5, 2024 07:18:07.336528063 CEST5874975577.88.21.158192.168.2.4
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Jul 5, 2024 07:16:06.630248070 CEST  62018        53         192.168.2.4  1.1.1.1
Jul 5, 2024 07:16:06.637070894 CEST  53           62018      1.1.1.1      192.168.2.4
Jul 5, 2024 07:16:09.450048923 CEST  53453        53         192.168.2.4  1.1.1.1
Jul 5, 2024 07:16:09.457509995 CEST  53           53453      1.1.1.1      192.168.2.4
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name             Type            Class        DNS over HTTPS
Jul 5, 2024 07:16:06.630248070 CEST  192.168.2.4  1.1.1.1  0x2b01    Standard query (0)  api.ipify.org    A (IP address)  IN (0x0001)  false
Jul 5, 2024 07:16:09.450048923 CEST  192.168.2.4  1.1.1.1  0x30c5    Standard query (0)  smtp.yandex.com  A (IP address)  IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name             CName           Address        Type                    Class        DNS over HTTPS
Jul 5, 2024 07:16:06.637070894 CEST  1.1.1.1    192.168.2.4  0x2b01    No error (0)  api.ipify.org    -               172.67.74.152  A (IP address)          IN (0x0001)  false
Jul 5, 2024 07:16:06.637070894 CEST  1.1.1.1    192.168.2.4  0x2b01    No error (0)  api.ipify.org    -               104.26.13.205  A (IP address)          IN (0x0001)  false
Jul 5, 2024 07:16:06.637070894 CEST  1.1.1.1    192.168.2.4  0x2b01    No error (0)  api.ipify.org    -               104.26.12.205  A (IP address)          IN (0x0001)  false
Jul 5, 2024 07:16:09.457509995 CEST  1.1.1.1    192.168.2.4  0x30c5    No error (0)  smtp.yandex.com  smtp.yandex.ru  -              CNAME (Canonical name)  IN (0x0001)  false
Jul 5, 2024 07:16:09.457509995 CEST  1.1.1.1    192.168.2.4  0x30c5    No error (0)  smtp.yandex.ru   -               77.88.21.158   A (IP address)          IN (0x0001)  false
                                      • api.ipify.org
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.4  49733        172.67.74.152   443               7252  C:\Users\user\Desktop\IMG 003.exe
Timestamp                Bytes transferred  Direction  Data
2024-07-05 05:16:07 UTC  155                OUT        GET / HTTP/1.1
                                                       User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                       Host: api.ipify.org
                                                       Connection: Keep-Alive
2024-07-05 05:16:07 UTC  211                IN         HTTP/1.1 200 OK
                                                       Date: Fri, 05 Jul 2024 05:16:07 GMT
                                                       Content-Type: text/plain
                                                       Content-Length: 11
                                                       Connection: close
                                                       Vary: Origin
                                                       CF-Cache-Status: DYNAMIC
                                                       Server: cloudflare
                                                       CF-RAY: 89e4e191794cc3f0-EWR
2024-07-05 05:16:07 UTC  11                 IN         Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                                       Data Ascii: 8.46.123.33


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.4  49737        172.67.74.152   443               7680  C:\Users\user\AppData\Roaming\aBYKwaZ.exe
Timestamp                Bytes transferred  Direction  Data
2024-07-05 05:16:15 UTC  155                OUT        GET / HTTP/1.1
                                                       User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                       Host: api.ipify.org
                                                       Connection: Keep-Alive
2024-07-05 05:16:15 UTC  211                IN         HTTP/1.1 200 OK
                                                       Date: Fri, 05 Jul 2024 05:16:15 GMT
                                                       Content-Type: text/plain
                                                       Content-Length: 11
                                                       Connection: close
                                                       Vary: Origin
                                                       CF-Cache-Status: DYNAMIC
                                                       Server: cloudflare
                                                       CF-RAY: 89e4e1c29fc5c402-EWR
2024-07-05 05:16:15 UTC  11                 IN         Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                                       Data Ascii: 8.46.123.33


Timestamp                            Source Port  Dest Port  Source IP     Dest IP       Commands
Jul 5, 2024 07:16:10.584470034 CEST  587          49736      77.88.21.158  192.168.2.4   220 mail-nwsmtp-smtp-production-main-91.sas.yp-c.yandex.net (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru) 1720156570-9GR9A24IluQ0
Jul 5, 2024 07:16:10.587207079 CEST  49736        587        192.168.2.4   77.88.21.158  EHLO 585948
Jul 5, 2024 07:16:10.823252916 CEST  587          49736      77.88.21.158  192.168.2.4   250-mail-nwsmtp-smtp-production-main-91.sas.yp-c.yandex.net
    250-8BITMIME
    250-PIPELINING
    250-SIZE 53477376
    250-STARTTLS
    250-AUTH LOGIN PLAIN XOAUTH2
    250-DSN
    250 ENHANCEDSTATUSCODES
Jul 5, 2024 07:16:10.823616028 CEST  49736        587        192.168.2.4   77.88.21.158  STARTTLS
Jul 5, 2024 07:16:11.059576988 CEST  587          49736      77.88.21.158  192.168.2.4   220 Go ahead
Jul 5, 2024 07:16:16.702056885 CEST  587          49738      77.88.21.158  192.168.2.4   220 mail-nwsmtp-smtp-production-main-81.myt.yp-c.yandex.net (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru) 1720156576-GGRI7MFOpa60
Jul 5, 2024 07:16:16.721348047 CEST  49738        587        192.168.2.4   77.88.21.158  EHLO 585948
Jul 5, 2024 07:16:16.946852922 CEST  587          49738      77.88.21.158  192.168.2.4   250-mail-nwsmtp-smtp-production-main-81.myt.yp-c.yandex.net
    250-8BITMIME
    250-PIPELINING
    250-SIZE 53477376
    250-STARTTLS
    250-AUTH LOGIN PLAIN XOAUTH2
    250-DSN
    250 ENHANCEDSTATUSCODES
Jul 5, 2024 07:16:16.947052956 CEST  49738        587        192.168.2.4   77.88.21.158  STARTTLS
Jul 5, 2024 07:16:17.171231985 CEST  587          49738      77.88.21.158  192.168.2.4   220 Go ahead
Jul 5, 2024 07:17:30.469408989 CEST  587          49746      77.88.21.158  192.168.2.4   220 mail-nwsmtp-smtp-production-main-63.sas.yp-c.yandex.net (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru) 1720156650-UHR5SIRGfOs0
Jul 5, 2024 07:17:30.469540119 CEST  49746        587        192.168.2.4   77.88.21.158  EHLO 585948
Jul 5, 2024 07:17:30.700001955 CEST  587          49746      77.88.21.158  192.168.2.4   250-mail-nwsmtp-smtp-production-main-63.sas.yp-c.yandex.net
    250-8BITMIME
    250-PIPELINING
    250-SIZE 53477376
    250-STARTTLS
    250-AUTH LOGIN PLAIN XOAUTH2
    250-DSN
    250 ENHANCEDSTATUSCODES
Jul 5, 2024 07:17:30.700248957 CEST  49746        587        192.168.2.4   77.88.21.158  STARTTLS
Jul 5, 2024 07:17:30.931294918 CEST  587          49746      77.88.21.158  192.168.2.4   220 Go ahead
Jul 5, 2024 07:17:36.347979069 CEST  587          49747      77.88.21.158  192.168.2.4   220 mail-nwsmtp-smtp-production-main-45.klg.yp-c.yandex.net (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru) 1720156656-aHREhZ5XqGk0
Jul 5, 2024 07:17:36.348166943 CEST  49747        587        192.168.2.4   77.88.21.158  EHLO 585948
Jul 5, 2024 07:17:36.570373058 CEST  587          49747      77.88.21.158  192.168.2.4   250-mail-nwsmtp-smtp-production-main-45.klg.yp-c.yandex.net
    250-8BITMIME
    250-PIPELINING
    250-SIZE 53477376
    250-STARTTLS
    250-AUTH LOGIN PLAIN XOAUTH2
    250-DSN
    250 ENHANCEDSTATUSCODES
Jul 5, 2024 07:17:36.570530891 CEST  49747        587        192.168.2.4   77.88.21.158  STARTTLS
Jul 5, 2024 07:17:36.792620897 CEST  587          49747      77.88.21.158  192.168.2.4   220 Go ahead
Jul 5, 2024 07:17:42.019661903 CEST  587          49748      77.88.21.158  192.168.2.4   220 mail-nwsmtp-smtp-production-main-45.myt.yp-c.yandex.net (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru) 1720156661-fHR1leLoFW20
Jul 5, 2024 07:17:42.020107985 CEST  49748        587        192.168.2.4   77.88.21.158  EHLO 585948
Jul 5, 2024 07:17:42.253034115 CEST  587          49748      77.88.21.158  192.168.2.4   250-mail-nwsmtp-smtp-production-main-45.myt.yp-c.yandex.net
    250-8BITMIME
    250-PIPELINING
    250-SIZE 53477376
    250-STARTTLS
    250-AUTH LOGIN PLAIN XOAUTH2
    250-DSN
    250 ENHANCEDSTATUSCODES
Jul 5, 2024 07:17:42.253473043 CEST  49748        587        192.168.2.4   77.88.21.158  STARTTLS
Jul 5, 2024 07:17:42.485774040 CEST  587          49748      77.88.21.158  192.168.2.4   220 Go ahead
Jul 5, 2024 07:17:44.500670910 CEST  587          49749      77.88.21.158  192.168.2.4   220 mail-nwsmtp-smtp-production-main-87.sas.yp-c.yandex.net (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru) 1720156664-iHR6f44WrqM0
Jul 5, 2024 07:17:44.500896931 CEST  49749        587        192.168.2.4   77.88.21.158  EHLO 585948
Jul 5, 2024 07:17:44.732678890 CEST  587          49749      77.88.21.158  192.168.2.4   250-mail-nwsmtp-smtp-production-main-87.sas.yp-c.yandex.net
    250-8BITMIME
    250-PIPELINING
    250-SIZE 53477376
    250-STARTTLS
    250-AUTH LOGIN PLAIN XOAUTH2
    250-DSN
    250 ENHANCEDSTATUSCODES
Jul 5, 2024 07:17:44.732908964 CEST  49749        587        192.168.2.4   77.88.21.158  STARTTLS
Jul 5, 2024 07:17:44.964914083 CEST  587          49749      77.88.21.158  192.168.2.4   220 Go ahead
Jul 5, 2024 07:17:49.763520956 CEST  587          49750      77.88.21.158  192.168.2.4   220 mail-nwsmtp-smtp-production-main-57.myt.yp-c.yandex.net (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru) 1720156669-nHR4NBFsH4Y0
Jul 5, 2024 07:17:49.763647079 CEST  49750        587        192.168.2.4   77.88.21.158  EHLO 585948
Jul 5, 2024 07:17:49.990175009 CEST  587          49750      77.88.21.158  192.168.2.4   250-mail-nwsmtp-smtp-production-main-57.myt.yp-c.yandex.net
    250-8BITMIME
    250-PIPELINING
    250-SIZE 53477376
    250-STARTTLS
    250-AUTH LOGIN PLAIN XOAUTH2
    250-DSN
    250 ENHANCEDSTATUSCODES
Jul 5, 2024 07:17:49.990335941 CEST  49750        587        192.168.2.4   77.88.21.158  STARTTLS
Jul 5, 2024 07:17:50.216536045 CEST  587          49750      77.88.21.158  192.168.2.4   220 Go ahead
Jul 5, 2024 07:17:51.277471066 CEST  587          49751      77.88.21.158  192.168.2.4   220 mail-nwsmtp-smtp-production-main-57.myt.yp-c.yandex.net (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru) 1720156671-pHRkNBFsKuQ0
Jul 5, 2024 07:17:51.281153917 CEST  49751        587        192.168.2.4   77.88.21.158  EHLO 585948
Jul 5, 2024 07:17:51.526583910 CEST  587          49751      77.88.21.158  192.168.2.4   250-mail-nwsmtp-smtp-production-main-57.myt.yp-c.yandex.net
    250-8BITMIME
    250-PIPELINING
    250-SIZE 53477376
    250-STARTTLS
    250-AUTH LOGIN PLAIN XOAUTH2
    250-DSN
    250 ENHANCEDSTATUSCODES
Jul 5, 2024 07:17:51.526710033 CEST  49751        587        192.168.2.4   77.88.21.158  STARTTLS
Jul 5, 2024 07:17:51.747647047 CEST  587          49751      77.88.21.158  192.168.2.4   220 Go ahead
Jul 5, 2024 07:18:00.530973911 CEST  587          49752      77.88.21.158  192.168.2.4   220 mail-nwsmtp-smtp-production-main-74.vla.yp-c.yandex.net (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru) 1720156680-0IR77dICV4Y0
Jul 5, 2024 07:18:00.531208038 CEST  49752        587        192.168.2.4   77.88.21.158  EHLO 585948
Jul 5, 2024 07:18:00.755697966 CEST  587          49752      77.88.21.158  192.168.2.4   250-mail-nwsmtp-smtp-production-main-74.vla.yp-c.yandex.net
    250-8BITMIME
    250-PIPELINING
    250-SIZE 53477376
    250-STARTTLS
    250-AUTH LOGIN PLAIN XOAUTH2
    250-DSN
    250 ENHANCEDSTATUSCODES
Jul 5, 2024 07:18:00.755922079 CEST  49752        587        192.168.2.4   77.88.21.158  STARTTLS
Jul 5, 2024 07:18:01.924843073 CEST  587          49752      77.88.21.158  192.168.2.4   220 Go ahead
Jul 5, 2024 07:18:01.926172972 CEST  587          49752      77.88.21.158  192.168.2.4   220 Go ahead
Jul 5, 2024 07:18:01.926631927 CEST  587          49752      77.88.21.158  192.168.2.4   220 Go ahead
Jul 5, 2024 07:18:01.926774025 CEST  587          49753      77.88.21.158  192.168.2.4   220 mail-nwsmtp-smtp-production-main-81.vla.yp-c.yandex.net (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru) 1720156681-1IR7gv3wQmI0
Jul 5, 2024 07:18:01.926995993 CEST  587          49753      77.88.21.158  192.168.2.4   220 mail-nwsmtp-smtp-production-main-81.vla.yp-c.yandex.net (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru) 1720156681-1IR7gv3wQmI0
Jul 5, 2024 07:18:01.927027941 CEST  587          49752      77.88.21.158  192.168.2.4   220 Go ahead
Jul 5, 2024 07:18:03.399616957 CEST  587          49754      77.88.21.158  192.168.2.4   220 mail-nwsmtp-smtp-production-main-73.iva.yp-c.yandex.net (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru) 1720156683-3IRLdV2DTeA0
Jul 5, 2024 07:18:03.399759054 CEST  49754        587        192.168.2.4   77.88.21.158  EHLO 585948
Jul 5, 2024 07:18:03.563292027 CEST  587          49755      77.88.21.158  192.168.2.4   220 mail-nwsmtp-smtp-production-main-39.sas.yp-c.yandex.net (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru) 1720156683-3IRsA0SXwa60
Jul 5, 2024 07:18:03.563450098 CEST  49755        587        192.168.2.4   77.88.21.158  EHLO 585948
Jul 5, 2024 07:18:03.632601023 CEST  587          49754      77.88.21.158  192.168.2.4   250-mail-nwsmtp-smtp-production-main-73.iva.yp-c.yandex.net
    250-8BITMIME
    250-PIPELINING
    250-SIZE 53477376
    250-STARTTLS
    250-AUTH LOGIN PLAIN XOAUTH2
    250-DSN
    250 ENHANCEDSTATUSCODES
Jul 5, 2024 07:18:03.632778883 CEST  49754        587        192.168.2.4   77.88.21.158  STARTTLS
Jul 5, 2024 07:18:03.794986963 CEST  587          49755      77.88.21.158  192.168.2.4   250-mail-nwsmtp-smtp-production-main-39.sas.yp-c.yandex.net
    250-8BITMIME
    250-PIPELINING
    250-SIZE 53477376
    250-STARTTLS
    250-AUTH LOGIN PLAIN XOAUTH2
    250-DSN
    250 ENHANCEDSTATUSCODES
Jul 5, 2024 07:18:03.796113968 CEST  49755        587        192.168.2.4   77.88.21.158  STARTTLS
Jul 5, 2024 07:18:03.856458902 CEST  587          49754      77.88.21.158  192.168.2.4   220 Go ahead
Jul 5, 2024 07:18:04.029130936 CEST  587          49755      77.88.21.158  192.168.2.4   220 Go ahead
Jul 5, 2024 07:18:14.000184059 CEST  587          49756      77.88.21.158  192.168.2.4   220 mail-nwsmtp-smtp-production-main-46.sas.yp-c.yandex.net (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru) 1720156693-DIRSa4KXrCg0
Jul 5, 2024 07:18:14.343214989 CEST  587          49757      77.88.21.158  192.168.2.4   220 mail-nwsmtp-smtp-production-main-42.klg.yp-c.yandex.net (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru) 1720156694-EIRZ7b5VlqM0


                                      Target ID:0
                                      Start time:01:16:01
                                      Start date:05/07/2024
                                      Path:C:\Users\user\Desktop\IMG 003.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\IMG 003.exe"
                                      Imagebase:0xdd0000
                                      File size:816'640 bytes
                                      MD5 hash:605E5A50EBDEC57B636CFF6353684913
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1709332299.000000000439E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1709332299.000000000439E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:true

                                      Target ID:2
                                      Start time:01:16:04
                                      Start date:05/07/2024
                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\IMG 003.exe"
                                      Imagebase:0x4a0000
                                      File size:433'152 bytes
                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:3
                                      Start time:01:16:04
                                      Start date:05/07/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:4
                                      Start time:01:16:04
                                      Start date:05/07/2024
                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\aBYKwaZ.exe"
                                      Imagebase:0x4a0000
                                      File size:433'152 bytes
                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:5
                                      Start time:01:16:04
                                      Start date:05/07/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:6
                                      Start time:01:16:04
                                      Start date:05/07/2024
                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aBYKwaZ" /XML "C:\Users\user\AppData\Local\Temp\tmpFDAB.tmp"
                                      Imagebase:0x2a0000
                                      File size:187'904 bytes
                                      MD5 hash:48C2FE20575769DE916F48EF0676A965
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:7
                                      Start time:01:16:04
                                      Start date:05/07/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:8
                                      Start time:01:16:05
                                      Start date:05/07/2024
                                      Path:C:\Users\user\Desktop\IMG 003.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\IMG 003.exe"
                                      Imagebase:0xc00000
                                      File size:816'640 bytes
                                      MD5 hash:605E5A50EBDEC57B636CFF6353684913
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2918405791.000000000307B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2918405791.0000000003083000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2918405791.0000000003090000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2918405791.0000000003051000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2918405791.0000000003051000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:false

                                      Target ID:9
                                      Start time:01:16:08
                                      Start date:05/07/2024
                                      Path:C:\Users\user\AppData\Roaming\aBYKwaZ.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Users\user\AppData\Roaming\aBYKwaZ.exe
                                      Imagebase:0x6e0000
                                      File size:816'640 bytes
                                      MD5 hash:605E5A50EBDEC57B636CFF6353684913
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.1772124355.0000000004564000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.1772124355.0000000004564000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Antivirus matches:
                                      • Detection: 100%, Joe Sandbox ML
                                      • Detection: 47%, ReversingLabs
                                      • Detection: 41%, Virustotal, Browse
                                      Reputation:low
                                      Has exited:true

                                      Target ID:10
                                      Start time:01:16:08
                                      Start date:05/07/2024
                                      Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                      Imagebase:0x7ff693ab0000
                                      File size:496'640 bytes
                                      MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                      Has elevated privileges:true
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:11
                                      Start time:01:16:11
                                      Start date:05/07/2024
                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aBYKwaZ" /XML "C:\Users\user\AppData\Local\Temp\tmp170F.tmp"
                                      Imagebase:0x2a0000
                                      File size:187'904 bytes
                                      MD5 hash:48C2FE20575769DE916F48EF0676A965
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:12
                                      Start time:01:16:11
                                      Start date:05/07/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:13
                                      Start time:01:16:12
                                      Start date:05/07/2024
                                      Path:C:\Users\user\AppData\Roaming\aBYKwaZ.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Roaming\aBYKwaZ.exe"
                                      Imagebase:0x600000
                                      File size:816'640 bytes
                                      MD5 hash:605E5A50EBDEC57B636CFF6353684913
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.2918450759.0000000002AEB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.2918450759.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.2918450759.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.2918450759.0000000002B00000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:false

                                        Execution Graph

                                        Execution Coverage:12.2%
                                        Dynamic/Decrypted Code Coverage:100%
                                        Signature Coverage:0%
                                        Total number of Nodes:249
                                        Total number of Limit Nodes:22
                                        execution_graph 26815 192b7b0 26816 192b93b 26815->26816 26818 192b7d6 26815->26818 26818->26816 26819 1928498 26818->26819 26820 192ba30 PostMessageW 26819->26820 26821 192ba9c 26820->26821 26821->26818 26524 175aef0 26528 175afd7 26524->26528 26536 175afe8 26524->26536 26525 175aeff 26529 175afe1 26528->26529 26530 175b01c 26529->26530 26544 175b271 26529->26544 26548 175b280 26529->26548 26530->26525 26531 175b014 26531->26530 26532 175b220 GetModuleHandleW 26531->26532 26533 175b24d 26532->26533 26533->26525 26537 175aff9 26536->26537 26538 175b01c 26536->26538 26537->26538 26542 175b271 LoadLibraryExW 26537->26542 26543 175b280 LoadLibraryExW 26537->26543 26538->26525 26539 175b014 26539->26538 26540 175b220 GetModuleHandleW 26539->26540 26541 175b24d 26540->26541 26541->26525 26542->26539 26543->26539 26545 175b294 26544->26545 26546 175b2b9 26545->26546 26552 175ad08 26545->26552 26546->26531 26549 175b294 26548->26549 26550 175b2b9 26549->26550 26551 175ad08 LoadLibraryExW 26549->26551 26550->26531 26551->26550 26553 175b460 LoadLibraryExW 26552->26553 26555 175b4d9 26553->26555 26555->26546 26822 175d280 26823 175d2c6 GetCurrentProcess 26822->26823 26825 175d318 GetCurrentThread 26823->26825 26827 175d311 26823->26827 26826 175d355 GetCurrentProcess 26825->26826 26828 175d34e 26825->26828 26831 175d38b 26826->26831 26827->26825 26828->26826 26829 175d3b3 GetCurrentThreadId 26830 175d3e4 26829->26830 26831->26829 26556 19278d9 26561 192a58e 26556->26561 26582 192a519 26556->26582 26602 192a528 26556->26602 26557 1927889 26562 192a51c 26561->26562 26564 192a591 26561->26564 26563 192a54a 26562->26563 26622 192b0d2 26562->26622 26630 192aac9 26562->26630 26635 192aa88 26562->26635 26640 192b34b 26562->26640 26645 192aeaa 26562->26645 26653 192abe1 26562->26653 26658 192a901 26562->26658 26663 192ac21 26562->26663 26668 192a920 26562->26668 26673 192ab63 26562->26673 26678 192b002 26562->26678 26683 192acfe 26562->26683 
26688 192b055 26562->26688 26693 192aa95 26562->26693 26698 192af36 26562->26698 26709 192acd0 26562->26709 26717 192aaf3 26562->26717 26563->26557 26564->26557 26583 192a528 26582->26583 26584 192a54a 26583->26584 26585 192b0d2 2 API calls 26583->26585 26586 192aaf3 4 API calls 26583->26586 26587 192acd0 4 API calls 26583->26587 26588 192af36 6 API calls 26583->26588 26589 192aa95 2 API calls 26583->26589 26590 192b055 2 API calls 26583->26590 26591 192acfe 2 API calls 26583->26591 26592 192b002 2 API calls 26583->26592 26593 192ab63 2 API calls 26583->26593 26594 192a920 2 API calls 26583->26594 26595 192ac21 2 API calls 26583->26595 26596 192a901 2 API calls 26583->26596 26597 192abe1 2 API calls 26583->26597 26598 192aeaa 2 API calls 26583->26598 26599 192b34b 2 API calls 26583->26599 26600 192aa88 2 API calls 26583->26600 26601 192aac9 2 API calls 26583->26601 26584->26557 26585->26584 26586->26584 26587->26584 26588->26584 26589->26584 26590->26584 26591->26584 26592->26584 26593->26584 26594->26584 26595->26584 26596->26584 26597->26584 26598->26584 26599->26584 26600->26584 26601->26584 26603 192a542 26602->26603 26604 192a54a 26603->26604 26605 192b0d2 2 API calls 26603->26605 26606 192aaf3 4 API calls 26603->26606 26607 192acd0 4 API calls 26603->26607 26608 192af36 6 API calls 26603->26608 26609 192aa95 2 API calls 26603->26609 26610 192b055 2 API calls 26603->26610 26611 192acfe 2 API calls 26603->26611 26612 192b002 2 API calls 26603->26612 26613 192ab63 2 API calls 26603->26613 26614 192a920 2 API calls 26603->26614 26615 192ac21 2 API calls 26603->26615 26616 192a901 2 API calls 26603->26616 26617 192abe1 2 API calls 26603->26617 26618 192aeaa 2 API calls 26603->26618 26619 192b34b 2 API calls 26603->26619 26620 192aa88 2 API calls 26603->26620 26621 192aac9 2 API calls 26603->26621 26604->26557 26605->26604 26606->26604 26607->26604 26608->26604 26609->26604 26610->26604 26611->26604 26612->26604 26613->26604 26614->26604 26615->26604 26616->26604 
26617->26604 26618->26604 26619->26604 26620->26604 26621->26604 26623 192b0d6 26622->26623 26726 19271f0 26623->26726 26730 19271e9 26623->26730 26624 192aa7e 26624->26563 26625 192aa90 26624->26625 26628 19271f0 WriteProcessMemory 26624->26628 26629 19271e9 WriteProcessMemory 26624->26629 26628->26624 26629->26624 26631 192b003 26630->26631 26734 19272e0 26631->26734 26738 19272d8 26631->26738 26632 192ab8d 26632->26563 26636 192aa7e 26635->26636 26636->26563 26637 192aa90 26636->26637 26638 19271f0 WriteProcessMemory 26636->26638 26639 19271e9 WriteProcessMemory 26636->26639 26638->26636 26639->26636 26641 192aa7e 26640->26641 26641->26563 26642 192aa90 26641->26642 26643 19271f0 WriteProcessMemory 26641->26643 26644 19271e9 WriteProcessMemory 26641->26644 26643->26641 26644->26641 26646 192aecd 26645->26646 26651 19271f0 WriteProcessMemory 26646->26651 26652 19271e9 WriteProcessMemory 26646->26652 26647 192aa7e 26647->26563 26648 192aa90 26647->26648 26649 19271f0 WriteProcessMemory 26647->26649 26650 19271e9 WriteProcessMemory 26647->26650 26649->26647 26650->26647 26651->26647 26652->26647 26654 192aa7e 26653->26654 26655 192aa90 26653->26655 26654->26563 26654->26655 26656 19271f0 WriteProcessMemory 26654->26656 26657 19271e9 WriteProcessMemory 26654->26657 26656->26654 26657->26654 26659 192a90f 26658->26659 26742 1927478 26659->26742 26746 192746c 26659->26746 26664 192af75 26663->26664 26750 1927130 26664->26750 26754 192712c 26664->26754 26665 192af93 26669 192a901 26668->26669 26669->26563 26671 1927478 CreateProcessA 26669->26671 26672 192746c CreateProcessA 26669->26672 26670 192aa53 26670->26563 26671->26670 26672->26670 26674 192aa7e 26673->26674 26674->26563 26674->26673 26675 192aa90 26674->26675 26676 19271f0 WriteProcessMemory 26674->26676 26677 19271e9 WriteProcessMemory 26674->26677 26676->26674 26677->26674 26679 192b003 26678->26679 26681 19272e0 ReadProcessMemory 26679->26681 26682 19272d8 ReadProcessMemory 26679->26682 26680 192ab8d 
26680->26563 26681->26680 26682->26680 26684 192ad59 26683->26684 26685 192abe4 26683->26685 26684->26685 26686 19271f0 WriteProcessMemory 26684->26686 26687 19271e9 WriteProcessMemory 26684->26687 26685->26563 26686->26685 26687->26685 26689 192aaeb 26688->26689 26689->26688 26690 192b082 26689->26690 26758 192b5d0 26689->26758 26763 192b5c0 26689->26763 26690->26563 26694 192aa31 26693->26694 26695 192aa53 26693->26695 26694->26695 26696 1927478 CreateProcessA 26694->26696 26697 192746c CreateProcessA 26694->26697 26695->26563 26696->26695 26697->26695 26784 192b718 26698->26784 26789 192b728 26698->26789 26699 192afb5 26700 192acee 26700->26699 26776 1926b70 26700->26776 26780 1926b6c 26700->26780 26701 192aa7e 26701->26563 26702 192aa90 26701->26702 26703 19271f0 WriteProcessMemory 26701->26703 26704 19271e9 WriteProcessMemory 26701->26704 26703->26701 26704->26701 26710 192acd6 26709->26710 26713 1926b70 ResumeThread 26710->26713 26714 1926b6c ResumeThread 26710->26714 26711 192aa7e 26711->26563 26712 192aa90 26711->26712 26715 19271f0 WriteProcessMemory 26711->26715 26716 19271e9 WriteProcessMemory 26711->26716 26713->26711 26714->26711 26715->26711 26716->26711 26719 192ab29 26717->26719 26718 192b31f 26718->26563 26719->26718 26724 1926b70 ResumeThread 26719->26724 26725 1926b6c ResumeThread 26719->26725 26720 192aa90 26721 192aa7e 26721->26563 26721->26720 26722 19271f0 WriteProcessMemory 26721->26722 26723 19271e9 WriteProcessMemory 26721->26723 26722->26721 26723->26721 26724->26721 26725->26721 26727 1927238 WriteProcessMemory 26726->26727 26729 192728f 26727->26729 26729->26624 26731 1927238 WriteProcessMemory 26730->26731 26733 192728f 26731->26733 26733->26624 26735 192732b ReadProcessMemory 26734->26735 26737 192736f 26735->26737 26737->26632 26739 19272e0 ReadProcessMemory 26738->26739 26741 192736f 26739->26741 26741->26632 26743 1927501 CreateProcessA 26742->26743 26745 19276c3 26743->26745 26745->26745 26747 1927501 26746->26747 26747->26747 
26748 1927666 CreateProcessA 26747->26748 26749 19276c3 26748->26749 26749->26749 26751 1927170 VirtualAllocEx 26750->26751 26753 19271ad 26751->26753 26753->26665 26755 1927130 VirtualAllocEx 26754->26755 26757 19271ad 26755->26757 26757->26665 26759 192b5e5 26758->26759 26768 1926c20 26759->26768 26772 1926c18 26759->26772 26760 192b5fb 26760->26689 26764 192b5e5 26763->26764 26766 1926c20 Wow64SetThreadContext 26764->26766 26767 1926c18 Wow64SetThreadContext 26764->26767 26765 192b5fb 26765->26689 26766->26765 26767->26765 26769 1926c65 Wow64SetThreadContext 26768->26769 26771 1926cad 26769->26771 26771->26760 26773 1926c20 Wow64SetThreadContext 26772->26773 26775 1926cad 26773->26775 26775->26760 26777 1926bb0 ResumeThread 26776->26777 26779 1926be1 26777->26779 26779->26701 26781 1926b70 ResumeThread 26780->26781 26783 1926be1 26781->26783 26783->26701 26785 192b728 26784->26785 26787 1926c20 Wow64SetThreadContext 26785->26787 26788 1926c18 Wow64SetThreadContext 26785->26788 26786 192b753 26786->26700 26787->26786 26788->26786 26790 192b73d 26789->26790 26792 1926c20 Wow64SetThreadContext 26790->26792 26793 1926c18 Wow64SetThreadContext 26790->26793 26791 192b753 26791->26700 26792->26791 26793->26791 26794 1754668 26795 175467a 26794->26795 26796 1754686 26795->26796 26798 1754779 26795->26798 26799 1754781 26798->26799 26803 1754877 26799->26803 26807 1754888 26799->26807 26800 17547a7 26800->26796 26804 1754881 26803->26804 26805 175498c 26804->26805 26811 1754514 26804->26811 26805->26800 26808 17548af 26807->26808 26809 175498c 26808->26809 26810 1754514 CreateActCtxA 26808->26810 26809->26800 26810->26809 26812 1755918 CreateActCtxA 26811->26812 26814 17559db 26812->26814 26832 175d4c8 DuplicateHandle 26833 175d55e 26832->26833
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1705982138.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1920000_IMG 003.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 38a9b8aa6823a70cc3e04c2f5ed05320cb378517ee925fb6937c44839634de6e
                                        • Instruction ID: d99393ef6eadf034a8cefa82927498a59d9963e053226bbbc860008d3f862345
                                        • Opcode Fuzzy Hash: 38a9b8aa6823a70cc3e04c2f5ed05320cb378517ee925fb6937c44839634de6e
                                        • Instruction Fuzzy Hash: 3BF01C7584D294CFCB81AF74D48C9E4B6B5BB57301B1414FBC40EAA616C6324A44CF14

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 296 175d271-175d30f GetCurrentProcess 300 175d311-175d317 296->300 301 175d318-175d34c GetCurrentThread 296->301 300->301 302 175d355-175d389 GetCurrentProcess 301->302 303 175d34e-175d354 301->303 304 175d392-175d3ad call 175d450 302->304 305 175d38b-175d391 302->305 303->302 309 175d3b3-175d3e2 GetCurrentThreadId 304->309 305->304 310 175d3e4-175d3ea 309->310 311 175d3eb-175d44d 309->311 310->311
                                        APIs
                                        • GetCurrentProcess.KERNEL32 ref: 0175D2FE
                                        • GetCurrentThread.KERNEL32 ref: 0175D33B
                                        • GetCurrentProcess.KERNEL32 ref: 0175D378
                                        • GetCurrentThreadId.KERNEL32 ref: 0175D3D1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1705706055.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1750000_IMG 003.jbxd
                                        Similarity
                                        • API ID: Current$ProcessThread
                                        • String ID:
                                        • API String ID: 2063062207-0
                                        • Opcode ID: b201ac2bbe11e2a75853c41f472c1dd24a51cd892b4d78fea9f03197c16a5ff1
                                        • Instruction ID: 87846e6aab276753221e524cf0761b5bf461d74e5a17576080ecf1aa4045c72c
                                        • Opcode Fuzzy Hash: b201ac2bbe11e2a75853c41f472c1dd24a51cd892b4d78fea9f03197c16a5ff1
                                        • Instruction Fuzzy Hash: C75164B09003498FDB68DFAAD588B9EFFF1FF88314F208059E409A72A1D7745984CB61

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 318 175d280-175d30f GetCurrentProcess 322 175d311-175d317 318->322 323 175d318-175d34c GetCurrentThread 318->323 322->323 324 175d355-175d389 GetCurrentProcess 323->324 325 175d34e-175d354 323->325 326 175d392-175d3ad call 175d450 324->326 327 175d38b-175d391 324->327 325->324 331 175d3b3-175d3e2 GetCurrentThreadId 326->331 327->326 332 175d3e4-175d3ea 331->332 333 175d3eb-175d44d 331->333 332->333
                                        APIs
                                        • GetCurrentProcess.KERNEL32 ref: 0175D2FE
                                        • GetCurrentThread.KERNEL32 ref: 0175D33B
                                        • GetCurrentProcess.KERNEL32 ref: 0175D378
                                        • GetCurrentThreadId.KERNEL32 ref: 0175D3D1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1705706055.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1750000_IMG 003.jbxd
                                        Similarity
                                        • API ID: Current$ProcessThread
                                        • String ID:
                                        • API String ID: 2063062207-0
                                        • Opcode ID: b2422a8b8b6063fbf68016a7d917af041c7cf84a14c3903c722956884c772c8f
                                        • Instruction ID: c50a5d0c9e362a0cbce74dec028a65f42c4e1995ba0c144e6cd250a658331077
                                        • Opcode Fuzzy Hash: b2422a8b8b6063fbf68016a7d917af041c7cf84a14c3903c722956884c772c8f
                                        • Instruction Fuzzy Hash: A15145B09007098FDB68DFAAD588B9EFBF1FF88314F208419E509A7391D7749984CB65

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 533 192746c-192750d 535 1927546-1927566 533->535 536 192750f-1927519 533->536 541 1927568-1927572 535->541 542 192759f-19275ce 535->542 536->535 537 192751b-192751d 536->537 539 1927540-1927543 537->539 540 192751f-1927529 537->540 539->535 543 192752b 540->543 544 192752d-192753c 540->544 541->542 545 1927574-1927576 541->545 552 19275d0-19275da 542->552 553 1927607-19276c1 CreateProcessA 542->553 543->544 544->544 546 192753e 544->546 547 1927578-1927582 545->547 548 1927599-192759c 545->548 546->539 550 1927586-1927595 547->550 551 1927584 547->551 548->542 550->550 554 1927597 550->554 551->550 552->553 555 19275dc-19275de 552->555 564 19276c3-19276c9 553->564 565 19276ca-1927750 553->565 554->548 557 19275e0-19275ea 555->557 558 1927601-1927604 555->558 559 19275ee-19275fd 557->559 560 19275ec 557->560 558->553 559->559 561 19275ff 559->561 560->559 561->558 564->565 575 1927752-1927756 565->575 576 1927760-1927764 565->576 575->576 579 1927758 575->579 577 1927766-192776a 576->577 578 1927774-1927778 576->578 577->578 580 192776c 577->580 581 192777a-192777e 578->581 582 1927788-192778c 578->582 579->576 580->578 581->582 583 1927780 581->583 584 192779e-19277a5 582->584 585 192778e-1927794 582->585 583->582 586 19277a7-19277b6 584->586 587 19277bc 584->587 585->584 586->587 588 19277bd 587->588 588->588
                                        APIs
                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 019276AE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1705982138.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1920000_IMG 003.jbxd
                                        Similarity
                                        • API ID: CreateProcess
                                        • String ID:
                                        • API String ID: 963392458-0
                                        • Opcode ID: c49085e0b0294e260bab23caa840f57bd25201c54c4a7672c58fa88cc36896a3
                                        • Instruction ID: 55ad2e06e0d7e4816523ec736af931993d4656beefa96a060fc5e0c2847f7e78
                                        • Opcode Fuzzy Hash: c49085e0b0294e260bab23caa840f57bd25201c54c4a7672c58fa88cc36896a3
                                        • Instruction Fuzzy Hash: 85A16B71D0026A8FDF25CFA9C841BEDBBB6BF58310F1481A9D808B7294DB749985CF91

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 590 1927478-192750d 592 1927546-1927566 590->592 593 192750f-1927519 590->593 598 1927568-1927572 592->598 599 192759f-19275ce 592->599 593->592 594 192751b-192751d 593->594 596 1927540-1927543 594->596 597 192751f-1927529 594->597 596->592 600 192752b 597->600 601 192752d-192753c 597->601 598->599 602 1927574-1927576 598->602 609 19275d0-19275da 599->609 610 1927607-19276c1 CreateProcessA 599->610 600->601 601->601 603 192753e 601->603 604 1927578-1927582 602->604 605 1927599-192759c 602->605 603->596 607 1927586-1927595 604->607 608 1927584 604->608 605->599 607->607 611 1927597 607->611 608->607 609->610 612 19275dc-19275de 609->612 621 19276c3-19276c9 610->621 622 19276ca-1927750 610->622 611->605 614 19275e0-19275ea 612->614 615 1927601-1927604 612->615 616 19275ee-19275fd 614->616 617 19275ec 614->617 615->610 616->616 618 19275ff 616->618 617->616 618->615 621->622 632 1927752-1927756 622->632 633 1927760-1927764 622->633 632->633 636 1927758 632->636 634 1927766-192776a 633->634 635 1927774-1927778 633->635 634->635 637 192776c 634->637 638 192777a-192777e 635->638 639 1927788-192778c 635->639 636->633 637->635 638->639 640 1927780 638->640 641 192779e-19277a5 639->641 642 192778e-1927794 639->642 640->639 643 19277a7-19277b6 641->643 644 19277bc 641->644 642->641 643->644 645 19277bd 644->645 645->645
                                        APIs
                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 019276AE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1705982138.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1920000_IMG 003.jbxd
                                        Similarity
                                        • API ID: CreateProcess
                                        • String ID:
                                        • API String ID: 963392458-0
                                        • Opcode ID: fc855019cae1e842af5f10f441c4e58f3457bd12845f157ff4111788f4220110
                                        • Instruction ID: 7c374a66c4affb00ed57a3cc78af94b867c720a220d8800fcce22de0dfb419e8
                                        • Opcode Fuzzy Hash: fc855019cae1e842af5f10f441c4e58f3457bd12845f157ff4111788f4220110
                                        • Instruction Fuzzy Hash: 4F915A71D0026A8FDF25CFA9C841BEDBBB6BF58310F1481A9D808B7244DB749985CF91

                                        Control-flow Graph
                                        control_flow_graph 647 175afe8-175aff7 648 175b023-175b027 647->648 649 175aff9-175b006 call 175aca0 647->649 651 175b029-175b033 648->651 652 175b03b-175b07c 648->652 655 175b01c 649->655 656 175b008 649->656 651->652 658 175b07e-175b086 652->658 659 175b089-175b097 652->659 655->648 702 175b00e call 175b271 656->702 703 175b00e call 175b280 656->703 658->659 660 175b099-175b09e 659->660 661 175b0bb-175b0bd 659->661 663 175b0a0-175b0a7 call 175acac 660->663 664 175b0a9 660->664 666 175b0c0-175b0c7 661->666 662 175b014-175b016 662->655 665 175b158-175b218 662->665 668 175b0ab-175b0b9 663->668 664->668 697 175b220-175b24b GetModuleHandleW 665->697 698 175b21a-175b21d 665->698 669 175b0d4-175b0db 666->669 670 175b0c9-175b0d1 666->670 668->666 673 175b0dd-175b0e5 669->673 674 175b0e8-175b0f1 call 175acbc 669->674 670->669 673->674 678 175b0f3-175b0fb 674->678 679 175b0fe-175b103 674->679 678->679 680 175b105-175b10c 679->680 681 175b121-175b12e 679->681 680->681 683 175b10e-175b11e call 175accc call 175acdc 680->683 688 175b151-175b157 681->688 689 175b130-175b14e 681->689 683->681 689->688 699 175b254-175b268 697->699 700 175b24d-175b253 697->700 698->697 700->699 702->662 703->662
                                        APIs
                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 0175B23E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1705706055.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1750000_IMG 003.jbxd
                                        Similarity
                                        • API ID: HandleModule
                                        • String ID:
                                        • API String ID: 4139908857-0
                                        • Opcode ID: ec5a4219a06e194c05feb306e70df7c7527232efa924e7a3e48f72d363ed7ae4
                                        • Instruction ID: 3bab0bd6b4b6889e78c55bf4dcbc1a0a682fe35ba2176e52e187a0b9752ad407
                                        • Opcode Fuzzy Hash: ec5a4219a06e194c05feb306e70df7c7527232efa924e7a3e48f72d363ed7ae4
                                        • Instruction Fuzzy Hash: 8E811370A00B058FD7A4DF29D44476AFBF2FF88304F108A29D99AD7A50DBB5E845CB91

                                        Control-flow Graph
                                        control_flow_graph 813 175590d 814 1755915-17559d9 CreateActCtxA 813->814 816 17559e2-1755a3c 814->816 817 17559db-17559e1 814->817 824 1755a3e-1755a41 816->824 825 1755a4b-1755a4f 816->825 817->816 824->825 826 1755a51-1755a5d 825->826 827 1755a60 825->827 826->827 829 1755a61 827->829 829->829
                                        APIs
                                        • CreateActCtxA.KERNEL32(?), ref: 017559C9
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1705706055.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1750000_IMG 003.jbxd
                                        Similarity
                                        • API ID: Create
                                        • String ID:
                                        • API String ID: 2289755597-0
                                        • Opcode ID: 5b929d781962ae1edcb1bfdb207c43c1e50f04274ddf83ef5ebc811e0241fde2
                                        • Instruction ID: 75f77f3e0d2f676a80768eaae2870b1070b52710163870e9f172af364cb4e1f6
                                        • Opcode Fuzzy Hash: 5b929d781962ae1edcb1bfdb207c43c1e50f04274ddf83ef5ebc811e0241fde2
                                        • Instruction Fuzzy Hash: 4D41B2B0C00719CADB24DFA9C984BDEFBF5BF89314F20816AD409AB251DBB56945CF90

                                        Control-flow Graph
                                        control_flow_graph 830 1755a84-1755a8f 832 1755b09-1755b37 830->832
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1705706055.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1750000_IMG 003.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2c4152f1fc215185f3324b6cbfd9516b5d180e93167edcde8faa9d6d2a7c3393
                                        • Instruction ID: 1e9bbcf4dcdc517ad3bbcfa7a90859830441f3b335ad4ec2463f7d4db8c620b7
                                        • Opcode Fuzzy Hash: 2c4152f1fc215185f3324b6cbfd9516b5d180e93167edcde8faa9d6d2a7c3393
                                        • Instruction Fuzzy Hash: A331AEB5C04309CFDB51CBA9C88579DFFB1BF56314F14819AC809AB251C7BA6A49CF40

                                        Control-flow Graph
                                        control_flow_graph 834 1754514-17559d9 CreateActCtxA 837 17559e2-1755a3c 834->837 838 17559db-17559e1 834->838 845 1755a3e-1755a41 837->845 846 1755a4b-1755a4f 837->846 838->837 845->846 847 1755a51-1755a5d 846->847 848 1755a60 846->848 847->848 850 1755a61 848->850 850->850
                                        APIs
                                        • CreateActCtxA.KERNEL32(?), ref: 017559C9
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1705706055.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1750000_IMG 003.jbxd
                                        Similarity
                                        • API ID: Create
                                        • String ID:
                                        • API String ID: 2289755597-0
                                        • Opcode ID: 91e193b8be858c73d91ee754aa4a3d9c4466669e94fec592941d3f79799a3a20
                                        • Instruction ID: d5744e1de4a12cf75611d4d9fb41d91d49121194b9afb246baa4425f0a40103e
                                        • Opcode Fuzzy Hash: 91e193b8be858c73d91ee754aa4a3d9c4466669e94fec592941d3f79799a3a20
                                        • Instruction Fuzzy Hash: 5541B2B0C0071DCADB24DFAAC984B9EFBF5BF49314F20816AD409AB251DBB56945CF90

                                        Control-flow Graph
                                        control_flow_graph 851 19271e9-192723e 853 1927240-192724c 851->853 854 192724e-192728d WriteProcessMemory 851->854 853->854 856 1927296-19272c6 854->856 857 192728f-1927295 854->857 857->856
                                        APIs
                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 01927280
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1705982138.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1920000_IMG 003.jbxd
                                        Similarity
                                        • API ID: MemoryProcessWrite
                                        • String ID:
                                        • API String ID: 3559483778-0
                                        • Opcode ID: 52554b6ad957fb0e4c72c0a086189d08cb29e9e96f573533c5e1787043054a8f
                                        • Instruction ID: 8950aef3769f40628100dc2e2233e92a64e9f55ff092c793efa13b56a0666dd3
                                        • Opcode Fuzzy Hash: 52554b6ad957fb0e4c72c0a086189d08cb29e9e96f573533c5e1787043054a8f
                                        • Instruction Fuzzy Hash: E62155B19003498FDF14CFA9C885BEEBBF1FF48310F10842AE918A7241D7789944DBA0
                                        APIs
                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 01927280
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1705982138.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1920000_IMG 003.jbxd
                                        Similarity
                                        • API ID: MemoryProcessWrite
                                        • String ID:
                                        • API String ID: 3559483778-0
                                        • Opcode ID: f0cd267828674e88c9588494c1199118f9e46a5807bdcd30267c014179ad7797
                                        • Instruction ID: b610a5f3864e51871017a9ea4596edbee5193d87444fe9909048211ee93a39e9
                                        • Opcode Fuzzy Hash: f0cd267828674e88c9588494c1199118f9e46a5807bdcd30267c014179ad7797
                                        • Instruction Fuzzy Hash: AB2127B19003599FDF14DFAAC885BEEBBF5FF48310F108429E959A7241C7789944CBA4
                                        APIs
                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 01927360
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1705982138.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1920000_IMG 003.jbxd
                                        Similarity
                                        • API ID: MemoryProcessRead
                                        • String ID:
                                        • API String ID: 1726664587-0
                                        • Opcode ID: e9c8e31be4a72f530c6ee07513d27d53399707daf77e2d70525a29a57efb27ea
                                        • Instruction ID: 45ffb3853c8ed6baf5cc722e130696a3c68e85d14931248d2fbf2a73767f1b58
                                        • Opcode Fuzzy Hash: e9c8e31be4a72f530c6ee07513d27d53399707daf77e2d70525a29a57efb27ea
                                        • Instruction Fuzzy Hash: 9C2136B18003599FCB14DFAAC885AEEFBF5FF48320F50842AE918A7250C7349941CBA4
                                        APIs
                                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 01926C9E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1705982138.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1920000_IMG 003.jbxd
                                        Similarity
                                        • API ID: ContextThreadWow64
                                        • String ID:
                                        • API String ID: 983334009-0
                                        • Opcode ID: 6b6525912cac8d0cd74491e73f0ac8c7a7624993affec2a95a4f19181b046f7e
                                        • Instruction ID: 06d873d1600f01d2c2bad183ee41fa4ef2d3dbd9f52efdf86dcddd2175667189
                                        • Opcode Fuzzy Hash: 6b6525912cac8d0cd74491e73f0ac8c7a7624993affec2a95a4f19181b046f7e
                                        • Instruction Fuzzy Hash: E92128B1D003098FDB14DFAAC4857AEFBF4EF88324F548429D959A7241CB789945CFA4
                                        APIs
                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0175D54F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1705706055.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1750000_IMG 003.jbxd
                                        Similarity
                                        • API ID: DuplicateHandle
                                        • String ID:
                                        • API String ID: 3793708945-0
                                        • Opcode ID: 55a035eca26370dd4cad5860a71757e4119ef751e5dcfa82d77cdc180d293c54
                                        • Instruction ID: de9de3b8800e66a4ca7a3d6b030bea3170dec955ec0616846ce61906209d77f5
                                        • Opcode Fuzzy Hash: 55a035eca26370dd4cad5860a71757e4119ef751e5dcfa82d77cdc180d293c54
                                        • Instruction Fuzzy Hash: 5C21DFB59003489FDB10CFAAD984AEEBFF4EB48324F24801AE918A3351D374A944CF60
                                        APIs
                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 01927360
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1705982138.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1920000_IMG 003.jbxd
                                        Similarity
                                        • API ID: MemoryProcessRead
                                        • String ID:
                                        • API String ID: 1726664587-0
                                        • Opcode ID: 03dce618dd3366eb936f945242df0bdb7734c487f2b308b43b6a6f20702a8e8c
                                        • Instruction ID: 6d02b589f5d6e15a509e53b11bef1425990affe0387baa708de8aab67d5f7cfe
                                        • Opcode Fuzzy Hash: 03dce618dd3366eb936f945242df0bdb7734c487f2b308b43b6a6f20702a8e8c
                                        • Instruction Fuzzy Hash: FC2128B18003599FCB14DFAAC885AEEFBF5FF48320F508429E959A7240C7349944DBA4
                                        APIs
                                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 01926C9E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1705982138.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1920000_IMG 003.jbxd
                                        Similarity
                                        • API ID: ContextThreadWow64
                                        • String ID:
                                        • API String ID: 983334009-0
                                        • Opcode ID: 1e8aa05c55dbbb4f2cbcee04fcbcff5851b5cf59ced885d2031bcb3ae9bccdbc
                                        • Instruction ID: cc1c290d44bf334a7a3ccaba93483d09bc34616fec86f50625ff7034198f2f1a
                                        • Opcode Fuzzy Hash: 1e8aa05c55dbbb4f2cbcee04fcbcff5851b5cf59ced885d2031bcb3ae9bccdbc
                                        • Instruction Fuzzy Hash: 23213871D003098FDB14DFAAC4857EEBBF4EF88324F148429D959A7241CB789945CFA4
                                        APIs
                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0175D54F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1705706055.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1750000_IMG 003.jbxd
                                        Similarity
                                        • API ID: DuplicateHandle
                                        • String ID:
                                        • API String ID: 3793708945-0
                                        • Opcode ID: 50944a8adc9b10b672a8b10cd401ed7368f02a2209ed6e00e04a6cecef55b324
                                        • Instruction ID: c34fc6a56aaeda47dc74e2f428a1c988afc777bd35e594144741e24615667137
                                        • Opcode Fuzzy Hash: 50944a8adc9b10b672a8b10cd401ed7368f02a2209ed6e00e04a6cecef55b324
                                        • Instruction Fuzzy Hash: 8021E2B59003489FDB10CFAAD884ADEFFF8EB48324F14801AE918A3350D374A944CFA0
                                        APIs
                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0192719E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1705982138.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1920000_IMG 003.jbxd
                                        Similarity
                                        • API ID: AllocVirtual
                                        • String ID:
                                        • API String ID: 4275171209-0
                                        • Opcode ID: c18c28ca52ecb29171833d25d094e1398c9ba59678fd2d8616e0bc896684f55f
                                        • Instruction ID: e430dad84f35f49612b66973d62debd171c52d94f6fd71d6050c2ae7ad2667f2
                                        • Opcode Fuzzy Hash: c18c28ca52ecb29171833d25d094e1398c9ba59678fd2d8616e0bc896684f55f
                                        • Instruction Fuzzy Hash: 131156B18003489FDB14DFAAC845AEEFFF5EF88320F208419E919A7250C735A941CFA0
                                        APIs
                                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0175B2B9,00000800,00000000,00000000), ref: 0175B4CA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1705706055.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1750000_IMG 003.jbxd
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID:
                                        • API String ID: 1029625771-0
                                        • Opcode ID: 063ae2e2a2b231ed29c73e21deb89caf897cd04d9fe965ee848123450458cfd5
                                        • Instruction ID: 9ab0c879ade05f4b0ce98793980d6c9b697efb070ebf14368f879f73f257bebf
                                        • Opcode Fuzzy Hash: 063ae2e2a2b231ed29c73e21deb89caf897cd04d9fe965ee848123450458cfd5
                                        • Instruction Fuzzy Hash: FA1106B59003498FDB24CF9AC444AAEFFF5EB48310F10842ED919A7201C375A545CFA5
                                        APIs
                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0192719E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1705982138.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1920000_IMG 003.jbxd
                                        Similarity
                                        • API ID: AllocVirtual
                                        • String ID:
                                        • API String ID: 4275171209-0
                                        • Opcode ID: 38b3740341f613a075b722e0810eed0c6b1a01eb4847356e2be63826e92dea04
                                        • Instruction ID: 189dd23ac5e8a52fc94965dc6e731c6a5bc31de4a66416d871dc19db82f22c68
                                        • Opcode Fuzzy Hash: 38b3740341f613a075b722e0810eed0c6b1a01eb4847356e2be63826e92dea04
                                        • Instruction Fuzzy Hash: F81126719003499FDB14DFAAC845ADEBFF5EF88320F248419E519A7250C775A944CFA0
                                        APIs
                                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0175B2B9,00000800,00000000,00000000), ref: 0175B4CA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1705706055.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1750000_IMG 003.jbxd
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID:
                                        • API String ID: 1029625771-0
                                        • Opcode ID: 1cd490b325d3c740e2d629cc5f8ae8dd7c7ede6f825db90ad891e67b8676ebad
                                        • Instruction ID: 72421b9dcaeae1378903b44f3ecac025859140cc6fd40e9fc1016ccd52dbcba8
                                        • Opcode Fuzzy Hash: 1cd490b325d3c740e2d629cc5f8ae8dd7c7ede6f825db90ad891e67b8676ebad
                                        • Instruction Fuzzy Hash: C81114B68003498FDB24CF9AD844AAEFFF5EB88320F10852ED919A7200C775A545CFA5
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1705982138.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1920000_IMG 003.jbxd
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID:
                                        • API String ID: 947044025-0
                                        • Opcode ID: f8a8e0c7dfd9181ebd7afd8a748bf0e74d5df36da2dd500dc09cef5d5d44c512
                                        • Instruction ID: db12abd166cefee549a6c6fec776970d1e4b8213ca5488dd93b2f8cd6d95a88c
                                        • Opcode Fuzzy Hash: f8a8e0c7dfd9181ebd7afd8a748bf0e74d5df36da2dd500dc09cef5d5d44c512
                                        • Instruction Fuzzy Hash: 011158B19003488FDB14DFAAC4457AEFFF4EB88324F20841AD519A7240CB35A944CF94
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1705982138.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1920000_IMG 003.jbxd
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID:
                                        • API String ID: 947044025-0
                                        • Opcode ID: a46fdb5a4d68f6c5ed4218e016e67cc03f934189c8230b7955caf664c554943a
                                        • Instruction ID: 96bde3637275b6c568e9f1bbf2faea4f2c96cf2406c7b975c1ca52d2a4a86b99
                                        • Opcode Fuzzy Hash: a46fdb5a4d68f6c5ed4218e016e67cc03f934189c8230b7955caf664c554943a
                                        • Instruction Fuzzy Hash: 14113AB19043488FDB14DFAAC4457DEFFF5EB88324F248419D559A7240CB75A944CF94
                                        APIs
                                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 0192BA8D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1705982138.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1920000_IMG 003.jbxd
                                        Similarity
                                        • API ID: MessagePost
                                        • String ID:
                                        • API String ID: 410705778-0
                                        • Opcode ID: 6a8bc027a7e1fc83bc95b9d3f07fa8a41e5c4fcfafa2824da083b2a7e4af688c
                                        • Instruction ID: 28fd7549e1ca51447f30ebd9885f2008161d553ed02b1c2a32ee4ec19f5b5356
                                        • Opcode Fuzzy Hash: 6a8bc027a7e1fc83bc95b9d3f07fa8a41e5c4fcfafa2824da083b2a7e4af688c
                                        • Instruction Fuzzy Hash: F51103B58003599FDB10DF9AD889BEEFFF8EB48320F108419E519A7200C375A944CFA1
                                        APIs
                                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 0192BA8D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1705982138.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1920000_IMG 003.jbxd
                                        Similarity
                                        • API ID: MessagePost
                                        • String ID:
                                        • API String ID: 410705778-0
                                        • Opcode ID: bcc64c2a39ad30ca625aa78ecb9af84ff3f5dde23b7e3a56243f2d5f46c9ea6e
                                        • Instruction ID: 985a567fb434eb11e18bc7e8ae71e357adc0cf5df243ef85437ad44dc782f829
                                        • Opcode Fuzzy Hash: bcc64c2a39ad30ca625aa78ecb9af84ff3f5dde23b7e3a56243f2d5f46c9ea6e
                                        • Instruction Fuzzy Hash: F811F2B58003499FDB10DF99D889BEEFBF8FB48320F20851AE559A3210C375A944CFA1
                                        APIs
                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 0175B23E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1705706055.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1750000_IMG 003.jbxd
                                        Similarity
                                        • API ID: HandleModule
                                        • String ID:
                                        • API String ID: 4139908857-0
                                        • Opcode ID: 9126aec1d259bcc72e7483def6e20555388fbb18863cb5a2dccfd122f5bd1a89
                                        • Instruction ID: bd250074b2f07edb50ee014c1f52580ceba03a5aa90320c67eca885217ecce03
                                        • Opcode Fuzzy Hash: 9126aec1d259bcc72e7483def6e20555388fbb18863cb5a2dccfd122f5bd1a89
                                        • Instruction Fuzzy Hash: A81110B5C003498FDB14CF9AD848AEEFBF5EF88320F10842AD929A7200C375A545CFA1
                                        APIs
                                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0175B2B9,00000800,00000000,00000000), ref: 0175B4CA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1705706055.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1750000_IMG 003.jbxd
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID:
                                        • API String ID: 1029625771-0
                                        • Opcode ID: 6feda6d6b38a2c71a3e8cd1d1580d73f69ad1b5b8bb507dd983f9753eb04c304
                                        • Instruction ID: 8e52e22dad9edfb0b9172df9d5ea9e9143fd47c8b44369379c8458dcbfb64207
                                        • Opcode Fuzzy Hash: 6feda6d6b38a2c71a3e8cd1d1580d73f69ad1b5b8bb507dd983f9753eb04c304
                                        • Instruction Fuzzy Hash: 2701DF768043448FDB218BADD8047EAFFF5EF99328F14805AD618D3651C7B69404CBA5
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1704848282.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_138d000_IMG 003.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4899895b49fc9ef9d622cfdf72056805fdfd09550bb2465b5edc11123e87ed33
                                        • Instruction ID: e8b5bb61ccb0c8748eb56fce8f76ea7401d6b1d852428a02cdfaa43f29859a6b
                                        • Opcode Fuzzy Hash: 4899895b49fc9ef9d622cfdf72056805fdfd09550bb2465b5edc11123e87ed33
                                        • Instruction Fuzzy Hash: 072148B1504304DFDB01EF58D9C0B56BF65FB94328F20C56CD90A1B296C736E416C7A1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1704848282.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_138d000_IMG 003.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5ad541b2d64811702cd5fd41ebaab745d8b9e310de959f3407a35fbf2b15065d
                                        • Instruction ID: 94282158f2f71dfc52c12507d4f4aa52376f4a8c3cc0d4e66996be0ceb95bedd
                                        • Opcode Fuzzy Hash: 5ad541b2d64811702cd5fd41ebaab745d8b9e310de959f3407a35fbf2b15065d
                                        • Instruction Fuzzy Hash: 26212571604304DFDB45EF58D9C0B26BF66FF94328F24C569E90A0B286C336D816C7A1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1704879305.000000000139D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0139D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_139d000_IMG 003.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 92c530ae9c8984d18ad1064a92e21026b61d4f2529c812090aa8addff9d1b1cb
                                        • Instruction ID: 18a8bfb844812836e36c2700f7fbf1badd01dd081c149e0d095022b351ced498
                                        • Opcode Fuzzy Hash: 92c530ae9c8984d18ad1064a92e21026b61d4f2529c812090aa8addff9d1b1cb
                                        • Instruction Fuzzy Hash: 35210071604204DFDF15DF68D885B26BBA5FB84358F20CA6DD80A0B386C33AD807CA61
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1704879305.000000000139D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0139D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_139d000_IMG 003.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: cfb581740620567a8f65e2e9ebf274069c23f343b24d59295cc087671c7d87d4
                                        • Instruction ID: 0318d7a08b52e9be394970cfdad86ff97a777ed7afbbb2eb50f7edd136c13a2a
                                        • Opcode Fuzzy Hash: cfb581740620567a8f65e2e9ebf274069c23f343b24d59295cc087671c7d87d4
                                        • Instruction Fuzzy Hash: 6C21F5B5604204EFDF05DF98D9C5B25BBA5FB84328F24C6ADD94A4B392C336D406CA61
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1704848282.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_138d000_IMG 003.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
                                        • Instruction ID: dc7bf70595c95c456f849d93ad547c85f32cab151a5260809b8cebc97143736d
                                        • Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
                                        • Instruction Fuzzy Hash: E011DF76504340DFDB02DF48D5C4B56BF72FB84324F24C2A9D9090B296C33AE45ACBA1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1704848282.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_138d000_IMG 003.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
                                        • Instruction ID: 1e59eb4a88f41bcdec6b840e9c224ea84893bb0286c8ca319b671f1c3d3d9e77
                                        • Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
                                        • Instruction Fuzzy Hash: 9111AC76504280CFDB16DF54D9C4B16BF72FB84328F24C6A9D9094B296C33AD45ACBA2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1704879305.000000000139D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0139D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_139d000_IMG 003.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                                        • Instruction ID: 4816f4c638177645ac744a736ab7c0b60d2cf517d2ada2d05d64a7370e28ea50
                                        • Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                                        • Instruction Fuzzy Hash: 3411BB75904280DFDB02CF58C5C4B15BBB2FB84228F24C6ADD8894B296C33AD40ACB61
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1704879305.000000000139D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0139D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_139d000_IMG 003.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                                        • Instruction ID: 881c61dc1eb2bf2cea9c27e73e052e5ceeca2b9fb8421044a5800dc083a393ad
                                        • Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                                        • Instruction Fuzzy Hash: 2D118E75504280DFDB16CF58D5C4B15BB62FB44318F24C6A9D84A4B756C33AD44ACB61
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1704848282.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_138d000_IMG 003.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 95e02e171154cfc9394e34a29d31b89485d27f801bf99f3a6830c19c12496692
                                        • Instruction ID: cbecc63cddd6721d3bfc97b85327830d66a56467f6c3b52c28efa7414fcd378c
                                        • Opcode Fuzzy Hash: 95e02e171154cfc9394e34a29d31b89485d27f801bf99f3a6830c19c12496692
                                        • Instruction Fuzzy Hash: 3501A7710043849AE7107F99DCC4B66BFE8DF51329F18C91AFD190A2C6C7799840C671
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1704848282.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_138d000_IMG 003.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 79c348c7b2c4debcf5a507bf191a74d3825d96d3de2ff0f92d9a91a2968b51bc
                                        • Instruction ID: 72fc8906e60a82f792fc05e0faf487d79e81624bfe13e45aa51b87c813ffc970
                                        • Opcode Fuzzy Hash: 79c348c7b2c4debcf5a507bf191a74d3825d96d3de2ff0f92d9a91a2968b51bc
                                        • Instruction Fuzzy Hash: 30F062714043849EE7219F5ADCC8B62FFE8EF51635F18C55AFD084A2C6C379A844CAB1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1705982138.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1920000_IMG 003.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: PHdq$PHdq
                                        • API String ID: 0-1995607813
                                        • Opcode ID: 70b139a3843b5672d03e3e4b046fbc94410d52fe09aa118b146529b1cd399d9d
                                        • Instruction ID: 61fc60d1804d86146f18feff1710f1cfd8ddf4d4f8c93de8857dbe2c829afccc
                                        • Opcode Fuzzy Hash: 70b139a3843b5672d03e3e4b046fbc94410d52fe09aa118b146529b1cd399d9d
                                        • Instruction Fuzzy Hash: 9CD1D474A00614CFDB18DFA9C598EA9B7F5BF8C301F2580A8E509AB365DB31AD40CF60
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1705982138.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1920000_IMG 003.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6d3638c148f29b3d906de42eba6ad82605c4f082134020b5710d8ec4ef7b0d35
                                        • Instruction ID: a0317f23804a215546fbf81dd6ff04c1272d8e7421d79fe5c2ea9c9cb9586070
                                        • Opcode Fuzzy Hash: 6d3638c148f29b3d906de42eba6ad82605c4f082134020b5710d8ec4ef7b0d35
                                        • Instruction Fuzzy Hash: B3E1FD74E011198FCB15DFA9C5809AEFBB2FF89305F248169D918AB759D730AD81CFA0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1705982138.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1920000_IMG 003.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 367d0744563f833116976f3ca2ee62c524e9b38bbdba5da552b61f92affd3bce
                                        • Instruction ID: 77ef0ea315f0264e88713bd5e6696faad8f4e5777b69f7c434884c752bd1c713
                                        • Opcode Fuzzy Hash: 367d0744563f833116976f3ca2ee62c524e9b38bbdba5da552b61f92affd3bce
                                        • Instruction Fuzzy Hash: 1BE10874E011198FCB15DFA8C5809AEBBB2FF89305F248169D418AB359D730AD81CFA1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1705982138.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1920000_IMG 003.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 55c4f843ba5fb295fe677ba13dbdcefc687cfa488ae7b6d7532af8dd8378a2f6
                                        • Instruction ID: 40bac4f8ed5b77af98a8b025e1b8adf70e3451f10c924ff7829555d0c4437704
                                        • Opcode Fuzzy Hash: 55c4f843ba5fb295fe677ba13dbdcefc687cfa488ae7b6d7532af8dd8378a2f6
                                        • Instruction Fuzzy Hash: B3E1E974E011298FCB15DFA9C5809AEBBB2FF89305F248169D518AB359D730AD81CFA1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1705982138.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1920000_IMG 003.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ce304f74343f2bfdf204f7f0618c78ddbcfdd4f886f505614e3518821aea1f45
                                        • Instruction ID: c29c257bddad79b7b157ca064894f5edbbe9fa86c9c6a7c02ba76929810ef058
                                        • Opcode Fuzzy Hash: ce304f74343f2bfdf204f7f0618c78ddbcfdd4f886f505614e3518821aea1f45
                                        • Instruction Fuzzy Hash: D0E11A74E011298FDB14DFA8C5849AEFBB2FF89314F248169D418AB359D734AD81CFA0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1705982138.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1920000_IMG 003.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d243ba4c6ae350bf6de9ce72481185369c1f9b5b358ee2c9e39199f4407f1dc9
                                        • Instruction ID: bb9ea01609e78f3258974463b9300d2be6c4eadb72448b20157890b2519941c6
                                        • Opcode Fuzzy Hash: d243ba4c6ae350bf6de9ce72481185369c1f9b5b358ee2c9e39199f4407f1dc9
                                        • Instruction Fuzzy Hash: AFE1FD74E011198FCB15DFA9C5809AEFBB2FF89305F248159D918AB35AD734AD81CFA0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1705706055.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1750000_IMG 003.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e218b949754f4cfd1dddf9a7c79875172fdcd7db7fd1ea037c94c6438c2de481
                                        • Instruction ID: 383d7bc5d30558be099f379842f3f746d4b3862e0ad120167d833f4a4bd56a62
                                        • Opcode Fuzzy Hash: e218b949754f4cfd1dddf9a7c79875172fdcd7db7fd1ea037c94c6438c2de481
                                        • Instruction Fuzzy Hash: 0CA16032E0020ACFCF55DFB4C8445AEFBB2FF99300B15456AE905AB265DBB1E955CB40
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1705982138.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1920000_IMG 003.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 13cd0db95ff920f6915b21c3a21c1b63f725a840a18e9459907a008c6016dbb6
                                        • Instruction ID: d15c685e79ce95501ba4fc260988354e80e56b47d0defb3904df9f6343d4eafb
                                        • Opcode Fuzzy Hash: 13cd0db95ff920f6915b21c3a21c1b63f725a840a18e9459907a008c6016dbb6
                                        • Instruction Fuzzy Hash: 77510974E012298FDB15CFA9C5809AEFBF2FF89304F248169D858AB316D7309941CFA1

                                        Execution Graph

                                        Execution Coverage:7.3%
                                        Dynamic/Decrypted Code Coverage:100%
                                        Signature Coverage:0%
                                        Total number of Nodes:17
                                        Total number of Limit Nodes:4
                                         execution_graph (17 nodes; the single-line rendering below is split into a node table and an edge list)

                                         Node   Address  API
                                         41112  12f0848
                                         41114  12f084e
                                         41113  12f091b
                                         41116  12f1380
                                         41118  12f1396
                                         41117  12f1484
                                         41120  12f7ea8
                                         41121  12f7eb2
                                         41122  12f7ecc
                                         41125  6cbfa88
                                         41129  6cbfa98
                                         41127  6cbfaad
                                         41126  6cbfcc2
                                         41128  6cbfcd9  GlobalMemoryStatusEx
                                         41130  6cbfaad
                                         41131  6cbfcc2
                                         41132  6cbfcd9  GlobalMemoryStatusEx

                                         Edges (source->target): 41112->41114 41114->41113 41114->41116 41116->41118 41117->41114 41118->41117 41118->41120 41120->41121 41121->41122 41121->41125 41121->41129 41122->41118 41125->41127 41126->41122 41127->41126 41127->41128 41128->41127 41129->41130 41130->41131 41130->41132 41131->41122 41132->41130

                                         GlobalMemoryStatusEx at 6cbfcd9 is the only API node in this graph. It is reached from the entry block 12f0848 through two parallel paths (6cbfa88 and 6cbfa98) that converge on the same code: node pairs 41127/41130, 41126/41131 and 41128/41132 share the addresses 6cbfaad, 6cbfcc2 and 6cbfcd9, so the same routine is entered from two call sites. The edges 41128->41127 and 41132->41130 are the returns from the API call into the calling blocks.

                                        Control-flow Graph

                                        control_flow_graph 0 6cb30e0-6cb3101 1 6cb3103-6cb3106 0->1 2 6cb3108-6cb3127 1->2 3 6cb312c-6cb312f 1->3 2->3 4 6cb38d0-6cb38d2 3->4 5 6cb3135-6cb3154 3->5 7 6cb38d9-6cb38dc 4->7 8 6cb38d4 4->8 13 6cb316d-6cb3177 5->13 14 6cb3156-6cb3159 5->14 7->1 9 6cb38e2-6cb38eb 7->9 8->7 17 6cb317d-6cb318c 13->17 14->13 15 6cb315b-6cb316b 14->15 15->17 126 6cb318e call 6cb38f8 17->126 127 6cb318e call 6cb3900 17->127 19 6cb3193-6cb3198 20 6cb319a-6cb31a0 19->20 21 6cb31a5-6cb3482 19->21 20->9 42 6cb3488-6cb3537 21->42 43 6cb38c2-6cb38cf 21->43 52 6cb3539-6cb355e 42->52 53 6cb3560 42->53 55 6cb3569-6cb357c 52->55 53->55 57 6cb38a9-6cb38b5 55->57 58 6cb3582-6cb35a4 55->58 57->42 59 6cb38bb 57->59 58->57 61 6cb35aa-6cb35b4 58->61 59->43 61->57 62 6cb35ba-6cb35c5 61->62 62->57 63 6cb35cb-6cb36a1 62->63 75 6cb36af-6cb36df 63->75 76 6cb36a3-6cb36a5 63->76 80 6cb36ed-6cb36f9 75->80 81 6cb36e1-6cb36e3 75->81 76->75 82 6cb36fb-6cb36ff 80->82 83 6cb3759-6cb375d 80->83 81->80 82->83 86 6cb3701-6cb372b 82->86 84 6cb389a-6cb38a3 83->84 85 6cb3763-6cb379f 83->85 84->57 84->63 97 6cb37ad-6cb37bb 85->97 98 6cb37a1-6cb37a3 85->98 93 6cb3739-6cb3756 86->93 94 6cb372d-6cb372f 86->94 93->83 94->93 100 6cb37bd-6cb37c8 97->100 101 6cb37d2-6cb37dd 97->101 98->97 100->101 104 6cb37ca 100->104 105 6cb37df-6cb37e5 101->105 106 6cb37f5-6cb3806 101->106 104->101 107 6cb37e9-6cb37eb 105->107 108 6cb37e7 105->108 110 6cb3808-6cb380e 106->110 111 6cb381e-6cb382a 106->111 107->106 108->106 112 6cb3812-6cb3814 110->112 113 6cb3810 110->113 115 6cb382c-6cb3832 111->115 116 6cb3842-6cb3893 111->116 112->111 113->111 117 6cb3836-6cb3838 115->117 118 6cb3834 115->118 116->84 117->116 118->116 126->19 127->19
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2935127801.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6cb0000_IMG 003.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $dq$$dq$$dq$$dq$$dq$$dq
                                        • API String ID: 0-2331353128
                                        • Opcode ID: e1d3eb387f8b4b95f62f4e9a683623e0301bce277e75f86663aba4903930b255
                                        • Instruction ID: c265a1a8f1b0f861c0bb44f2e09b2e402e83475513b0f25818a8faa3ea1a89d2
                                        • Opcode Fuzzy Hash: e1d3eb387f8b4b95f62f4e9a683623e0301bce277e75f86663aba4903930b255
                                        • Instruction Fuzzy Hash: 6A322F30E1075ACFCB14EF65C95459DB7B2FFC9300F20966AD40AA7264EB74AA85CB90
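The execution_graph and control_flow_graph dumps above are rendered by Joe Sandbox as one whitespace-separated line: a node id, an address or block range, optional extra tokens (an API name such as GlobalMemoryStatusEx, or "call <target>"), and "src->dst" edges. Once a graph has more than a handful of blocks that form is unreadable. The Python below is an added example, not part of this report and not Joe Sandbox code: it parses the flattened form, lists the nodes that name an API or a call target, and recovers the shortest chain of addresses from an entry node to each API node. The token grammar is inferred from the lines on this page rather than from any documented format (an assumption), and the two sample inputs are the report's own execution_graph line and an excerpt of the first control_flow_graph line for process 8.

```python
"""Parse the flattened graph dumps (execution_graph / control_flow_graph) that
Joe Sandbox renders as a single whitespace-separated line, and answer the two
questions an analyst asks of them: which nodes name an API or a call target,
and how a given entry node reaches them.

Assumed grammar (inferred from the rendered lines, not a documented format):
    <graph name> ( <node id> <address or range> [extra tokens...] | <a>-><b> )*
<node id> is decimal; <address or range> is hex or "hex-hex"; extra tokens
after a node are API names or a "call <addr>" pair and run until the next
node id or edge token.
"""
from collections import deque

# Sample input: the execution_graph line copied from the report for IMG 003.exe.
EXECUTION_GRAPH = (
    "execution_graph 41112 12f0848 41114 12f084e 41112->41114 41113 12f091b "
    "41114->41113 41116 12f1380 41114->41116 41118 12f1396 41116->41118 41117 "
    "12f1484 41117->41114 41118->41117 41120 12f7ea8 41118->41120 41121 12f7eb2 "
    "41120->41121 41122 12f7ecc 41121->41122 41125 6cbfa88 41121->41125 41129 "
    "6cbfa98 41121->41129 41122->41118 41127 6cbfaad 41125->41127 41126 6cbfcc2 "
    "41126->41122 41127->41126 41128 6cbfcd9 GlobalMemoryStatusEx 41127->41128 "
    "41128->41127 41130 6cbfaad 41129->41130 41131 6cbfcc2 41130->41131 41132 "
    "6cbfcd9 GlobalMemoryStatusEx 41130->41132 41131->41122 41132->41130"
)

# Sample input: an excerpt of the first control_flow_graph line in the report
# (process 8, region 6cb0000); the two blocks at 6cb318e carry "call" markers.
CFG_EXCERPT = (
    "control_flow_graph 17 6cb317d-6cb318c 126 6cb318e call 6cb38f8 17->126 "
    "127 6cb318e call 6cb3900 17->127 19 6cb3193-6cb3198 126->19 127->19"
)


def parse_graph(text):
    """Return (name, nodes, succ). nodes maps id -> (label, extra tokens);
    succ maps id -> successor ids in the order the edges appear."""
    tokens = text.split()
    name, tokens = tokens[0], tokens[1:]
    nodes, succ = {}, {}
    current = None  # node whose definition is still being read
    for tok in tokens:
        if "->" in tok:  # edge token: "src->dst"
            src, dst = (int(x) for x in tok.split("->"))
            succ.setdefault(src, []).append(dst)
            succ.setdefault(dst, [])
            current = None
        elif tok.isdigit():  # a new node definition starts
            current = int(tok)
            nodes[current] = [None, []]
            succ.setdefault(current, [])
        elif current is not None and nodes[current][0] is None:
            nodes[current][0] = tok  # the address or block range
        elif current is not None:
            nodes[current][1].append(tok)  # API name, or "call" / target
        else:
            raise ValueError(f"unexpected token {tok!r} in {name}")
    return name, {k: (v[0], tuple(v[1])) for k, v in nodes.items()}, succ


def annotated_nodes(nodes):
    """Nodes whose definition carries extra tokens: imported APIs in the
    execution graph, call targets in a control-flow graph."""
    return {nid: " ".join(extra) for nid, (_, extra) in nodes.items() if extra}


def shortest_path(succ, start, goal):
    """Breadth-first search over the edge list; node-id path or None."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in succ.get(node, []):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def api_reach_chains(text, root):
    """Map each API name to the address chains that reach it from `root`."""
    _, nodes, succ = parse_graph(text)
    chains = {}
    for nid, api in annotated_nodes(nodes).items():
        path = shortest_path(succ, root, nid)
        if path is not None:
            chains.setdefault(api, []).append([nodes[n][0] for n in path])
    return chains


if __name__ == "__main__":
    for api, paths in api_reach_chains(EXECUTION_GRAPH, 41112).items():
        for chain in paths:
            print(api, "<-", " -> ".join(chain))
```

Run stand-alone it prints the two address chains that end in GlobalMemoryStatusEx, which is the quickest way to see that the two paths in the report's graph are the same routine (6cbfaad, 6cbfcc2, 6cbfcd9) entered from two call sites. The same parser works on the control_flow_graph lines, where the extra tokens are "call <target>" pairs instead of API names.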
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2935127801.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6cb0000_IMG 003.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6cd6f3fcb951b3caf1574566e04d6df19e755decc14558b752639938c93aa516
                                        • Instruction ID: f62043df758e3682a08a6a01c5ba9453a03acc0eb3be3cf53facfe6cb9974410
                                        • Opcode Fuzzy Hash: 6cd6f3fcb951b3caf1574566e04d6df19e755decc14558b752639938c93aa516
                                        • Instruction Fuzzy Hash: 07124D70E102198BDF64DB68C4907EEB7B2FB49310F64952AE409EB391DE39DD81CB91

                                        Control-flow Graph

                                        control_flow_graph 128 6cb91a0-6cb91c5 129 6cb91c7-6cb91ca 128->129 130 6cb91cc-6cb91eb 129->130 131 6cb91f0-6cb91f3 129->131 130->131 132 6cb91f9-6cb920e 131->132 133 6cb9ab3-6cb9ab5 131->133 140 6cb9210-6cb9216 132->140 141 6cb9226-6cb923c 132->141 135 6cb9abc-6cb9abf 133->135 136 6cb9ab7 133->136 135->129 137 6cb9ac5-6cb9acf 135->137 136->135 142 6cb921a-6cb921c 140->142 143 6cb9218 140->143 145 6cb9247-6cb9249 141->145 142->141 143->141 146 6cb924b-6cb9251 145->146 147 6cb9261-6cb92d2 145->147 148 6cb9253 146->148 149 6cb9255-6cb9257 146->149 158 6cb92fe-6cb931a 147->158 159 6cb92d4-6cb92f7 147->159 148->147 149->147 164 6cb931c-6cb933f 158->164 165 6cb9346-6cb9361 158->165 159->158 164->165 170 6cb938c-6cb93a7 165->170 171 6cb9363-6cb9385 165->171 176 6cb93a9-6cb93cb 170->176 177 6cb93d2-6cb93dc 170->177 171->170 176->177 178 6cb93de-6cb93e7 177->178 179 6cb93ec-6cb9466 177->179 178->137 185 6cb9468-6cb9486 179->185 186 6cb94b3-6cb94c8 179->186 190 6cb9488-6cb9497 185->190 191 6cb94a2-6cb94b1 185->191 186->133 190->191 191->185 191->186
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2935127801.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6cb0000_IMG 003.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $dq$$dq$$dq$$dq
                                        • API String ID: 0-185584874
                                        • Opcode ID: 372418d608e28d239eebac85fdd21af02bf0b1461dd6a2a689f4e8dc5d9f8c81
                                        • Instruction ID: 155d6f3f929d7df2f1eeb1a7846074b8c100ebbf42f1116aada898eed844be65
                                        • Opcode Fuzzy Hash: 372418d608e28d239eebac85fdd21af02bf0b1461dd6a2a689f4e8dc5d9f8c81
                                        • Instruction Fuzzy Hash: BB915130F0021A9FDB54EF65D9507AEB7F6EF86200F108569D909EB384EA38DD428F91

                                        Control-flow Graph

                                         control_flow_graph 194 6cbcfa8-6cbcfc3 195 6cbcfc5-6cbcfc8 194->195 196 6cbcfca-6cbd00c 195->196 197 6cbd011-6cbd014 195->197 196->197 198 6cbd031-6cbd034 197->198 199 6cbd016-6cbd02c 197->199 200 6cbd07d-6cbd080 198->200 201 6cbd036-6cbd078 198->201 199->198 204 6cbd08f-6cbd092 200->204 205 6cbd082-6cbd084 200->205 201->200 208 6cbd0db-6cbd0de 204->208 209 6cbd094-6cbd0a3 204->209 206 6cbd08a 205->206 207 6cbd48d 205->207 206->204 213 6cbd490-6cbd49c 207->213 216 6cbd0e8-6cbd0eb 208->216 217 6cbd0e0-6cbd0e5 208->217 214 6cbd0b2-6cbd0be 209->214 215 6cbd0a5-6cbd0aa 209->215 220 6cbd18e-6cbd19d 213->220 221 6cbd4a2-6cbd78f 213->221 222 6cbd9c1-6cbd9f6 214->222 223 6cbd0c4-6cbd0d6 214->223 215->214 218 6cbd0ed-6cbd12f 216->218 219 6cbd134-6cbd137 216->219 217->216 218->219 228 6cbd139-6cbd17b 219->228 229 6cbd180-6cbd183 219->229 226 6cbd19f-6cbd1a4 220->226 227 6cbd1ac-6cbd1b8 220->227 406 6cbd9b6-6cbd9c0 221->406 407 6cbd795-6cbd79b 221->407 238 6cbd9f8-6cbd9fb 222->238 223->208 226->227 227->222 235 6cbd1be-6cbd1d0 227->235 228->229 229->213 232 6cbd189-6cbd18c 229->232 232->220 239 6cbd1d5-6cbd1d8 232->239 235->239 246 6cbda0a-6cbda0d 238->246 247 6cbd9fd call 6cbdb15 238->247 244 6cbd1da-6cbd21c 239->244 245 6cbd221-6cbd224 239->245 244->245 253 6cbd26d-6cbd270 245->253 254 6cbd226-6cbd268 245->254 251 6cbda0f-6cbda3b 246->251 252 6cbda40-6cbda43 246->252 257 6cbda03-6cbda05 247->257 251->252 259 6cbda66-6cbda68 252->259 260 6cbda45-6cbda61 252->260 261 6cbd2b9-6cbd2bc 253->261 262 6cbd272-6cbd2b4 253->262 254->253 257->246 268 6cbda6a 259->268 269 6cbda6f-6cbda72 259->269 260->259 266 6cbd2be-6cbd300 261->266 267 6cbd305-6cbd308 261->267 262->261 266->267 272 6cbd30a-6cbd30c 267->272 273 6cbd313-6cbd316 267->273 268->269 269->238 271 6cbda74-6cbda83 269->271 300 6cbdaea-6cbdaff 271->300 301 6cbda85-6cbdae8 call 6cb65f8 271->301 279 6cbd34b-6cbd354 272->279 280 6cbd30e 272->280 281 6cbd339-6cbd33b 273->281 282 6cbd318-6cbd334 273->282 289 6cbd363-6cbd36f 279->289 290 6cbd356-6cbd35b 279->290 280->273 286 6cbd33d 281->286 287 6cbd342-6cbd345 281->287 282->281 286->287 287->195 287->279 298 6cbd480-6cbd485 289->298 299 6cbd375-6cbd389 289->299 290->289 298->207 299->207 315 6cbd38f-6cbd3a1 299->315 301->300 325 6cbd3a3-6cbd3a9 315->325 326 6cbd3c5-6cbd3c7 315->326 330 6cbd3ab 325->330 331 6cbd3ad-6cbd3b9 325->331 328 6cbd3d1-6cbd3dd 326->328 339 6cbd3eb 328->339 340 6cbd3df-6cbd3e9 328->340 332 6cbd3bb-6cbd3c3 330->332 331->332 332->328 341 6cbd3f0-6cbd3f2 339->341 340->341 341->207 344 6cbd3f8-6cbd414 call 6cb65f8 341->344 352 6cbd423-6cbd42f 344->352 353 6cbd416-6cbd41b 344->353 352->298 355 6cbd431-6cbd47e 352->355 353->352 355->207 408 6cbd7aa-6cbd7b3 407->408 409 6cbd79d-6cbd7a2 407->409 408->222 410 6cbd7b9-6cbd7cc 408->410 409->408 412 6cbd7d2-6cbd7d8 410->412 413 6cbd9a6-6cbd9b0 410->413 414 6cbd7da-6cbd7df 412->414 415 6cbd7e7-6cbd7f0 412->415 413->406 413->407 414->415 415->222 416 6cbd7f6-6cbd817 415->416 419 6cbd819-6cbd81e 416->419 420 6cbd826-6cbd82f 416->420 419->420 420->222 421 6cbd835-6cbd852 420->421 421->413 424 6cbd858-6cbd85e 421->424 424->222 425 6cbd864-6cbd87d 424->425 427 6cbd999-6cbd9a0 425->427 428 6cbd883-6cbd8aa 425->428 427->413 427->424 428->222 431 6cbd8b0-6cbd8ba 428->431 431->222 432 6cbd8c0-6cbd8d7 431->432 434 6cbd8d9-6cbd8e4 432->434 435 6cbd8e6-6cbd901 432->435 434->435 435->427 440 6cbd907-6cbd920 call 6cb65f8 435->440 444 6cbd92f-6cbd938 440->444 445 6cbd922-6cbd927 440->445 444->222 446 6cbd93e-6cbd992 444->446 445->427 446->427
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2935127801.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6cb0000_IMG 003.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $dq$$dq$$dq
                                        • API String ID: 0-2861643491
                                        • Opcode ID: 8f95561375ce95667c17342b7a820ab265b5837f61673b18927859984e97f5d4
                                        • Instruction ID: 1e5ebdc01d07dd9e58764114d4b4c1514aaada669d5471c9d38203ca3e175660
                                        • Opcode Fuzzy Hash: 8f95561375ce95667c17342b7a820ab265b5837f61673b18927859984e97f5d4
                                        • Instruction Fuzzy Hash: 43621070A002168FCB55EF68D590A9EB7F2FF84311F209968D40A9F359DB75ED86CB80

                                        Control-flow Graph
                                        • Graph for the function at 6cb4bf0 (basic blocks 6cb4bf0-6cb533b; calls 6cb54a3); the rendered graph and its executed/not-executed colouring are not reproduced in this text.
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2935127801.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6cb0000_IMG 003.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: fiq$XPiq$\Oiq
                                        • API String ID: 0-1639307521
                                        • Opcode ID: 20ac9ded7e955572fc152997a86784aef54cfb16a089b5a729d41c26d43536ab
                                        • Instruction ID: f71e4bb828559934581125d261c9b7f33fd3a70b01a5e3d784e7717d7dc57557
                                        • Opcode Fuzzy Hash: 20ac9ded7e955572fc152997a86784aef54cfb16a089b5a729d41c26d43536ab
                                        • Instruction Fuzzy Hash: B8619170F102099FEB54EFA5C8147AEBBF6FF88300F208429E506EB395DA759C458B90

                                        Control-flow Graph
                                        • Graph for the function at 12feb30 (basic blocks 12feb30-12fecbd; calls 12fe730 and GlobalMemoryStatusEx); the rendered graph and its executed/not-executed colouring are not reproduced in this text.
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2915924563.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_12f0000_IMG 003.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 6o+p
                                        • API String ID: 0-2449111081
                                        • Opcode ID: 11eb4cfe106137b05a7cb340ff00d92f55eb751126ea4c55d487dd5e657ca5f3
                                        • Instruction ID: 9afd0126c14649ef68e9d0165e45c36ee23bd6c684a97cc6ba03e3bdb41ade77
                                        • Opcode Fuzzy Hash: 11eb4cfe106137b05a7cb340ff00d92f55eb751126ea4c55d487dd5e657ca5f3
                                        • Instruction Fuzzy Hash: E2415372D003498FCB01DFA9D8046EEBFF5EF99310F06816AE605A7291EB349845CBE1

                                        Control-flow Graph
                                        • Graph for the function at 12fec18 (basic blocks 12fec18-12fecbd; calls GlobalMemoryStatusEx); the rendered graph and its executed/not-executed colouring are not reproduced in this text.
                                        APIs
                                        • GlobalMemoryStatusEx.KERNELBASE ref: 012FEC7F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2915924563.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_12f0000_IMG 003.jbxd
                                        Similarity
                                        • API ID: GlobalMemoryStatus
                                        • String ID: 6o+p
                                        • API String ID: 1890195054-2449111081
                                        • Opcode ID: b368a1f7165e7dbe519e2ee87c6268d604bfd5910f6a3334e0b5c711cc58a045
                                        • Instruction ID: b8c77504b50249ee8ceabd712db7a3d179c65e6de76a945e80e0f06f227ea870
                                        • Opcode Fuzzy Hash: b368a1f7165e7dbe519e2ee87c6268d604bfd5910f6a3334e0b5c711cc58a045
                                        • Instruction Fuzzy Hash: D31123B1C1025A9BCB10DF9AC544BDEFBF4EF48320F15812AE918A7240D378A944CFA5

                                        Control-flow Graph
                                        • Graph for the function at 6cb9193 (basic blocks 6cb9193-6cb9acf; no calls recorded); the rendered graph and its executed/not-executed colouring are not reproduced in this text.
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2935127801.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6cb0000_IMG 003.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $dq$$dq
                                        • API String ID: 0-2340669324
                                        • Opcode ID: 959324cedeae625686d074c409751880bccd079ee16007f96e1ca63fb441cd04
                                        • Instruction ID: c533cf46c796e5fc062db4b8457b87d4ba22c5b7202b9667406b582e0229fb6c
                                        • Opcode Fuzzy Hash: 959324cedeae625686d074c409751880bccd079ee16007f96e1ca63fb441cd04
                                        • Instruction Fuzzy Hash: FD519230F002159FDB54EF74D950BAEB7F6EB89600F108539D90AEB394EA38DD428B91
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2935127801.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6cb0000_IMG 003.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $dq
                                        • API String ID: 0-847773763
                                        • Opcode ID: 841d6dbd428574bda188eeeef53adb2012c56eddb571c39c8dab4c55084ff71c
                                        • Instruction ID: 0725b95e0cf2f9af6ae6bcb805efef90f6d7e0a554620cbcb8448a62ae4c0fd3
                                        • Opcode Fuzzy Hash: 841d6dbd428574bda188eeeef53adb2012c56eddb571c39c8dab4c55084ff71c
                                        • Instruction Fuzzy Hash: EA719E30B012158FDB54EF75C9546AE77AAFFC4200F149828D806EB394EB79ED82CB90
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2935127801.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6cb0000_IMG 003.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: XPiq
                                        • API String ID: 0-3497805733
                                        • Opcode ID: 7ebd089087a9e7578586657fdd09c91e3c70fcba068863c556a6a6bb81c12ec5
                                        • Instruction ID: 5e20e45ffd9eefdf85d59b8c600dae4d06d9bc5709ff7edd11610e1fdf64c8eb
                                        • Opcode Fuzzy Hash: 7ebd089087a9e7578586657fdd09c91e3c70fcba068863c556a6a6bb81c12ec5
                                        • Instruction Fuzzy Hash: 59416170F102089FDB55DFA5C814BAEBBF6FF88700F208529E106AB399DA759C458B91
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2935127801.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6cb0000_IMG 003.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: PHdq
                                        • API String ID: 0-2991842255
                                        • Opcode ID: b26c2fcde8e8cba0e44aed2e5c2b244f4c90e746062dfeaaf368d5724a678767
                                        • Instruction ID: 7970eb763bcd0929499dad1d03ea15fc28949c25a8c2bbe5aa13e94e4d098b79
                                        • Opcode Fuzzy Hash: b26c2fcde8e8cba0e44aed2e5c2b244f4c90e746062dfeaaf368d5724a678767
                                        • Instruction Fuzzy Hash: 9941A170E007099FDB64DFA5D4546EEBBB2FF85300F204929E406EB240EB74EA46CB91
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2935127801.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6cb0000_IMG 003.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: PHdq
                                        • API String ID: 0-2991842255
                                        • Opcode ID: f8c19855e859d178004a531df631f8edd8bb1025a477436087e0732121cde677
                                        • Instruction ID: f94a958f86b5c5f944bdad6d52beec598b90c7668b50b0054ee6d5e3d9d234e6
                                        • Opcode Fuzzy Hash: f8c19855e859d178004a531df631f8edd8bb1025a477436087e0732121cde677
                                        • Instruction Fuzzy Hash: 6A31F230B002159FDB55AB74D5546BE7AE6AB89210F10942CE406EB384DE39DE42CBA1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2935127801.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6cb0000_IMG 003.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $dq
                                        • API String ID: 0-847773763
                                        • Opcode ID: 20d950ac9fb818c7040c03985bf4cdbfad8223ae98cbd7c33b7ddf40e6c8d80e
                                        • Instruction ID: 764bf5efaf0988b67dd662115a3c1aa24415ffa7205e74dcde6d053497a1c22f
                                        • Opcode Fuzzy Hash: 20d950ac9fb818c7040c03985bf4cdbfad8223ae98cbd7c33b7ddf40e6c8d80e
                                        • Instruction Fuzzy Hash: 14110132E02118DFDF649E65ED84AEEB7B9FB80311F18506AD912E7200C335DE42CBA0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2935127801.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6cb0000_IMG 003.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 6o+p
                                        • API String ID: 0-2449111081
                                        • Opcode ID: ba80bc0894217ae3497c1b1e6cd5710965f9c912236cd3da589d8073ffa1ed39
                                        • Instruction ID: 986958a07e49229e86b05a45b3a2fc43ed72122666bb5e943f3b3414c9f8e7a1
                                        • Opcode Fuzzy Hash: ba80bc0894217ae3497c1b1e6cd5710965f9c912236cd3da589d8073ffa1ed39
                                        • Instruction Fuzzy Hash: 772137B1D01219AFCB00DF9AD884ADEFFB8FB48320F108229E518A7380C7746544CFA5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2935127801.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6cb0000_IMG 003.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 6o+p
                                        • API String ID: 0-2449111081
                                        • Opcode ID: 457d22e38fd828028d70f74b865db1c5a53d525db6475d1831a2da00c503caf0
                                        • Instruction ID: 3b63ac597109051ae074a160dc298982bd0dc4a7ebfa0439df864aab8c719163
                                        • Opcode Fuzzy Hash: 457d22e38fd828028d70f74b865db1c5a53d525db6475d1831a2da00c503caf0
                                        • Instruction Fuzzy Hash: 5F11D0B1D01259AFCB10DF9AD984ADEFFB4FB48310F10812AE918A7340D378A954CFA5
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2935127801.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6cb0000_IMG 003.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1b9a4cf866365c0fe5a75d3a98869f6f6fdcfa2d3b8b5635f0da8e3df19aa10e
                                        • Instruction ID: c84a1c8003a969ae6b7136e8604e940718fcfa231c4d8475702e091cd94aba75
                                        • Opcode Fuzzy Hash: 1b9a4cf866365c0fe5a75d3a98869f6f6fdcfa2d3b8b5635f0da8e3df19aa10e
                                        • Instruction Fuzzy Hash: B3B1A271F002159BDF14EFA4D994AAE77B6FFC8310F609429D802AB394DA74ED46CB80
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2935127801.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6cb0000_IMG 003.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b8ff5fc6f354d8e2c2789f0b3d43cfdf2effdb2774964de4f9baa2bb68d27eb3
                                        • Instruction ID: bb443aaee341413bc0a5306d9c969cf08d2d761e05475f7eef5900ff88523d55
                                        • Opcode Fuzzy Hash: b8ff5fc6f354d8e2c2789f0b3d43cfdf2effdb2774964de4f9baa2bb68d27eb3
                                        • Instruction Fuzzy Hash: 9FA16170F102198BEF64DBACC8907EE76A6FB89311F205429E509E7391CE39DD819B52
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2935127801.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6cb0000_IMG 003.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 03504774a899682416fbcf7334a2657950a8ab4ccc31d6c0df0970f68633ecaa
                                        • Instruction ID: 73d9a2b4689869c7a7f33b5ec1db7f00edbf22cb7fe0c60f9a3d012b4be83462
                                        • Opcode Fuzzy Hash: 03504774a899682416fbcf7334a2657950a8ab4ccc31d6c0df0970f68633ecaa
                                        • Instruction Fuzzy Hash: 00A15A30E102198FDFA4DF68C4807EDB7B1EB45310F24956AE409EB295DA35EE82CB91
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2935127801.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6cb0000_IMG 003.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9429640f2afb09d455e2e237d813b32764dde413e638b88e131a41155eefb8ef
                                        • Instruction ID: e11c02de9a030dddc3c803173079bde3ef56e8baac21609b2d07c1704e697825
                                        • Opcode Fuzzy Hash: 9429640f2afb09d455e2e237d813b32764dde413e638b88e131a41155eefb8ef
                                        • Instruction Fuzzy Hash: F3A18C30A00254CFCB54EF69D548BADB7F2EF84315F149469E80AAB350DB36EE42CB90
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2935127801.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6cb0000_IMG 003.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 45398ff950f76b5802ee91b4b4e12a36b369e7c2389910ee0db2c1d82afc188d
                                        • Instruction ID: 2b049c446fcba19d77ba6556ead9e05cbc678f36f45fcff9bf97adb2adbbbad1
                                        • Opcode Fuzzy Hash: 45398ff950f76b5802ee91b4b4e12a36b369e7c2389910ee0db2c1d82afc188d
                                        • Instruction Fuzzy Hash: 08618F71F001214BDF549A6EC8846AFAADAEFD5220F254439E80EDB364DE65ED4287C2
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2935127801.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6cb0000_IMG 003.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 74a0d8714cb9bc9d0ea844034229b3fd9bbc7475adfcf76c8cb62a9c8c171c4d
                                        • Instruction ID: 1cd46062644ff90de600c244bf086d1c29bf97a4b83f90f47808efce9dae609f
                                        • Opcode Fuzzy Hash: 74a0d8714cb9bc9d0ea844034229b3fd9bbc7475adfcf76c8cb62a9c8c171c4d
                                        • Instruction Fuzzy Hash: CA815030B042099FDB58DFA9D9547AE77F6EB89300F108538E40AEB399DA34DD428B91
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2935127801.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6cb0000_IMG 003.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f15477a0bdd6f2d16f90868a63daa48a9089900b7443db38aafc8802028f1f04
                                        • Instruction ID: 5477f20a5254d92ce365377b0872dc5675263868df6c813cfcb3f8984616aa72
                                        • Opcode Fuzzy Hash: f15477a0bdd6f2d16f90868a63daa48a9089900b7443db38aafc8802028f1f04
                                        • Instruction Fuzzy Hash: 74914A30E102198BDF64DFA8C890BDDB7B1FF89310F208599D549AB295DB70AA85CB91
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2935127801.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6cb0000_IMG 003.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 628caafd5ddd0ec297a64ad632b31deda45e5c5585cb27f829188a85764c00fc
                                        • Instruction ID: c99b469eb3797a6f17c3cef5f9aa4176685cdbf93c9bda74a88548d9b61d0e35
                                        • Opcode Fuzzy Hash: 628caafd5ddd0ec297a64ad632b31deda45e5c5585cb27f829188a85764c00fc
                                        • Instruction Fuzzy Hash: 1A814D30B046099FDB48DFA8D5547AEB7F2EB89300F108539D40AEB399DB34ED428B91
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2935127801.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6cb0000_IMG 003.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b538f3c2ef7819c20048f0bffd6f2269ebbbe652fc1ca230fd99b745a1a166a1
                                        • Instruction ID: e9dce627890887066dcd24714f5d1c36cb7b807404489293cf05d6096aad4216
                                        • Opcode Fuzzy Hash: b538f3c2ef7819c20048f0bffd6f2269ebbbe652fc1ca230fd99b745a1a166a1
                                        • Instruction Fuzzy Hash: BB716B30E1031A8FDB15EFA9D5846AEB7B2FF85300F109529E41AAB354DF74ED468B80
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2935127801.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6cb0000_IMG 003.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b7cfd0eed49c775bb623b14175471c3e667af028d3376c7ff592c1a8a811b297
                                        • Instruction ID: c59e64a2affcf58e4ec250e5c886912b2e655ed805c4a301f0ca8956c8bcc0d9
                                        • Opcode Fuzzy Hash: b7cfd0eed49c775bb623b14175471c3e667af028d3376c7ff592c1a8a811b297
                                        • Instruction Fuzzy Hash: 5E913A30E102198BDF64DFA8C880BDDB7B1FF89310F208599D549AB295DB71AA85CB90
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2935127801.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6cb0000_IMG 003.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 74b3d4546117673781b27ffee7efca8cdb9f342e618d39602ee7eb49214d8cae
                                        • Instruction ID: 4db8a988ff92b8a3113b22f1ab56c735aaa5e14a538c982827954da5cd3e14ff
                                        • Opcode Fuzzy Hash: 74b3d4546117673781b27ffee7efca8cdb9f342e618d39602ee7eb49214d8cae
                                        • Instruction Fuzzy Hash: 57715D70E002199FCB54EFA9D990AEEBBF6FF88300F149429E405AB355DA74ED46CB40
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2935127801.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6cb0000_IMG 003.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9df357d6390facb26ab2839056391de1673cecedfbfce8c46ff7e50b0c6d74fb
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6cb0000_IMG 003.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $dq$$dq$$dq$$dq$$dq$$dq$$dq$$dq
                                        • API String ID: 0-634254105
                                        • Opcode ID: 4d676ab789a6b875ca74ad84b49b31ae3f2876a5a472f04ea8151a358567878f
                                        • Instruction ID: 6fd67c227980abeb293a453771961380d43caf6396a05d47db7e7f2eae50d222
                                        • Opcode Fuzzy Hash: 4d676ab789a6b875ca74ad84b49b31ae3f2876a5a472f04ea8151a358567878f
                                        • Instruction Fuzzy Hash: 23918F70A10209DFDB64EFA9D954BAEB7B2FF44301F20942DE446A7290DB799E41CF90
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2935127801.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6cb0000_IMG 003.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: .5|q$$dq$$dq$$dq$$dq$$dq$$dq
                                        • API String ID: 0-3447281907
                                        • Opcode ID: c991aba1617b13c553fb3b9dca3e25821149446865d9319ea98df5e5b9fcaeaf
                                        • Instruction ID: 79855120e4279aea67bce2807aad119406d757c06972329909116ef1e72bd93c
                                        • Opcode Fuzzy Hash: c991aba1617b13c553fb3b9dca3e25821149446865d9319ea98df5e5b9fcaeaf
                                        • Instruction Fuzzy Hash: 46F12E34B10219CFDB54EF69D554AAEB7B2FFC4301F208568D806AB395CB39AD42CB60
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2935127801.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6cb0000_IMG 003.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $dq$$dq$$dq$$dq$$dq$$dq
                                        • API String ID: 0-2331353128
                                        • Opcode ID: ab278ebeba8e91157a7b9924ac81c785f429c2ddc95a2f80e22a185adab2c0da
                                        • Instruction ID: eafbd68061626f40b93f0e7eac92de1b09b9f848f8d79b4850e1777614fa94d0
                                        • Opcode Fuzzy Hash: ab278ebeba8e91157a7b9924ac81c785f429c2ddc95a2f80e22a185adab2c0da
                                        • Instruction Fuzzy Hash: 6B717F30E102198FDB68EF69D5406AEB7B2FF85301F205969D406AB244DF75AE42CB81
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2935127801.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6cb0000_IMG 003.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $dq$$dq$$dq$$dq
                                        • API String ID: 0-185584874
                                        • Opcode ID: 20e319cfed1bdeb496195a702bc90992f496f7fa122ada3f75140ece9372e031
                                        • Instruction ID: 331a6a9777d536346a2fc4e0a6683b0b902ebfefd36c998623e7a4ba8e9144a6
                                        • Opcode Fuzzy Hash: 20e319cfed1bdeb496195a702bc90992f496f7fa122ada3f75140ece9372e031
                                        • Instruction Fuzzy Hash: F2B15C30A11219CFDB54EFA9C5506AEB7B6FF84301F249429D406EB394DB75DD82CB90
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.2935127801.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6cb0000_IMG 003.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: LRdq$LRdq$$dq$$dq
                                        • API String ID: 0-340319088
                                        • Opcode ID: 13a32e25a85e8dc5f7626e699d0f68d40560b0f487137f33be0562e963492d92
                                        • Instruction ID: d64ed541a29e935c2ceddf1395422a7064baef21c391a380e23b26ee4632d2c7
                                        • Opcode Fuzzy Hash: 13a32e25a85e8dc5f7626e699d0f68d40560b0f487137f33be0562e963492d92
                                        • Instruction Fuzzy Hash: 0151CF30B012018FDB58EF28C950AAAB7F6FF88310F14956DE416AB395DB39ED41CB91

                                        Execution Graph

                                        Execution Coverage:10.3%
                                        Dynamic/Decrypted Code Coverage:100%
                                        Signature Coverage:0%
                                        Total number of Nodes:242
                                        Total number of Limit Nodes:26

                                        Control-flow Graph

                                        APIs
                                        • GetCurrentProcess.KERNEL32 ref: 0110D2FE
                                        • GetCurrentThread.KERNEL32 ref: 0110D33B
                                        • GetCurrentProcess.KERNEL32 ref: 0110D378
                                        • GetCurrentThreadId.KERNEL32 ref: 0110D3D1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1768828676.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_1100000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID: Current$ProcessThread
                                        • String ID: p
                                        • API String ID: 2063062207-2678736219
                                        • Opcode ID: 2837a34c5afc32f42d858e4db9b74cddd817958625e29e9e8e3414247118bb65
                                        • Instruction ID: c709eb1e7af530c731c88215bf96745fd24efb08cbab6188b026e82f70007f23
                                        • Opcode Fuzzy Hash: 2837a34c5afc32f42d858e4db9b74cddd817958625e29e9e8e3414247118bb65
                                        • Instruction Fuzzy Hash: 555155B0D047498FDB18DFA9D548B9EBBF1EF88314F20C059E019A7390D7745988CB61

                                        Control-flow Graph

                                        APIs
                                        • GetCurrentProcess.KERNEL32 ref: 0110D2FE
                                        • GetCurrentThread.KERNEL32 ref: 0110D33B
                                        • GetCurrentProcess.KERNEL32 ref: 0110D378
                                        • GetCurrentThreadId.KERNEL32 ref: 0110D3D1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1768828676.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_1100000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID: Current$ProcessThread
                                        • String ID: p
                                        • API String ID: 2063062207-2678736219
                                        • Opcode ID: 84b10c13ee095265137458bcac8a62b464afa6c6f3267bf3d6168eb8f0206793
                                        • Instruction ID: c2a6a67b7ae21157dc21e90404803c1b7ad8be98492dd9d936142af0f8fd2996
                                        • Opcode Fuzzy Hash: 84b10c13ee095265137458bcac8a62b464afa6c6f3267bf3d6168eb8f0206793
                                        • Instruction Fuzzy Hash: 045145B09007098FDB18DFAAE548B9EBBF1EF88314F20C459E419B7390DB745984CB65

                                        Control-flow Graph

                                        APIs
                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 0110B23E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1768828676.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_1100000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID: HandleModule
                                        • String ID: 0O$0O
                                        • API String ID: 4139908857-234839962
                                        • Opcode ID: 17b4d907b66cf2fdfa730661f4fe5db89fcfd94273c328c6a8fcfba29b8b4361
                                        • Instruction ID: 9420ae5fc95300c36ec9ba9343e2195109a1a2cc57785671d6ef2cb24db42d93
                                        • Opcode Fuzzy Hash: 17b4d907b66cf2fdfa730661f4fe5db89fcfd94273c328c6a8fcfba29b8b4361
                                        • Instruction Fuzzy Hash: 3C714470A04B058FD729DF29E44476ABBF1FF88304F00892DD49AD7A84DBB5E945CB94

                                        Control-flow Graph

                                        APIs
                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0DCC76AE
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1778976336.000000000DCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DCC0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_dcc0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID: CreateProcess
                                        • String ID:
                                        • API String ID: 963392458-0
                                        • Opcode ID: fda0a281b48840c15cf677408cec273ac671f0e0490aa547ef2c28f2cf829360
                                        • Instruction ID: 682e7a10e63d27c923177adc5db297a4d448a1ec6d8d78afd3613ed84e280992
                                        • Opcode Fuzzy Hash: fda0a281b48840c15cf677408cec273ac671f0e0490aa547ef2c28f2cf829360
                                        • Instruction Fuzzy Hash: 99A17BB1D0021D8FDB21DFA8C845BEDBBB2FF48314F148569D919A7280DB749A86CF91

                                        Control-flow Graph

                                        APIs
                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0DCC76AE
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1778976336.000000000DCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DCC0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_dcc0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID: CreateProcess
                                        • String ID:
                                        • API String ID: 963392458-0
                                        • Opcode ID: c6f6a282a78d93041f8296e2d2f95ffa86724d8507493200cc813904a4cd3e4a
                                        • Instruction ID: fee73b8892686a9d20be9c74d9765591471e60a17c1e06f6bf361c92a46b2a8f
                                        • Opcode Fuzzy Hash: c6f6a282a78d93041f8296e2d2f95ffa86724d8507493200cc813904a4cd3e4a
                                        • Instruction Fuzzy Hash: 6C916B71D0061D8FDB25CFA8C841BEDBBB2FF48314F1491A9D919A7280DB749A86CF91
                                        APIs
                                        • CreateActCtxA.KERNEL32(?), ref: 011059C9
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1768828676.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_1100000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID: Create
                                        • String ID:
                                        • API String ID: 2289755597-0
                                        • Opcode ID: 5a4a45af3eafb1316c8e03c51845b5029bf40ac3825be6d2da9eadbc43aa73cb
                                        • Instruction ID: 8d05cb01e49d7d3a9a5905e81cd7184d6ff54b781ced6de4e8281146d6d47300
                                        • Opcode Fuzzy Hash: 5a4a45af3eafb1316c8e03c51845b5029bf40ac3825be6d2da9eadbc43aa73cb
                                        • Instruction Fuzzy Hash: 2B41E5B0C0071DCBDB29DFA9C94479EBBF6BF49304F208059D409AB291DBB56945CF91
                                        APIs
                                        • CreateActCtxA.KERNEL32(?), ref: 011059C9
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1768828676.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_1100000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID: Create
                                        • String ID:
                                        • API String ID: 2289755597-0
                                        • Opcode ID: fb06de5ce444f9105eed02472cecd32b5a5fd0d64786311a834c2ceabd66bb97
                                        • Instruction ID: 85c8bf6cd5b881d88cc19799deeb477a78300ccfed62ceea172f7529bff18337
                                        • Opcode Fuzzy Hash: fb06de5ce444f9105eed02472cecd32b5a5fd0d64786311a834c2ceabd66bb97
                                        • Instruction Fuzzy Hash: C241D4B0C0071DCEDB29DFA9C98479EBBB6BF49304F24805AD409AB251DBB56945CF90
                                        APIs
                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0DCC7280
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1778976336.000000000DCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DCC0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_dcc0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID: MemoryProcessWrite
                                        • String ID:
                                        • API String ID: 3559483778-0
                                        • Opcode ID: af83562a79381d0f1331c0a441569c6294d75e0e6843a1215b5b71f3de2b3458
                                        • Instruction ID: 6d94e42d7548d8535135cc866ed3989070a696b13fce9472a9de9921a0a83013
                                        • Opcode Fuzzy Hash: af83562a79381d0f1331c0a441569c6294d75e0e6843a1215b5b71f3de2b3458
                                        • Instruction Fuzzy Hash: 942146B5900309DFCB10CFA9C885BEEBBF5FF48310F14842AE959A7281C7789945CBA0
                                        APIs
                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0DCC7280
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1778976336.000000000DCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DCC0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_dcc0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID: MemoryProcessWrite
                                        • String ID:
                                        • API String ID: 3559483778-0
                                        • Opcode ID: 780cb0c975fe82a9e3c90c130dd948bb3871b338651161742946e63a106875d9
                                        • Instruction ID: c22ffd3f90dd05a038b8161d22f153d11acf79a683f990712ae578387489379c
                                        • Opcode Fuzzy Hash: 780cb0c975fe82a9e3c90c130dd948bb3871b338651161742946e63a106875d9
                                        • Instruction Fuzzy Hash: 0C2126B19003499FCB10DFA9C885BEEBBF5FF48310F148429E959A7281C7789954CBA4
                                        APIs
                                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0DCC6C9E
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1778976336.000000000DCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DCC0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_dcc0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID: ContextThreadWow64
                                        • String ID:
                                        • API String ID: 983334009-0
                                        • Opcode ID: f7e6223cb6f8b650ccbe8f117140bd15ed4227c2f996c9affe67668f4eb2efbd
                                        • Instruction ID: 8654be5106812e38c75f5b9bd5c6fbd9550237a9de05d2dc0a2a2f77f0553723
                                        • Opcode Fuzzy Hash: f7e6223cb6f8b650ccbe8f117140bd15ed4227c2f996c9affe67668f4eb2efbd
                                        • Instruction Fuzzy Hash: DD2157B1D003088FDB10DFA9C9857EEBBF4EF88324F14842AD519A7240CB789A45CBA0
                                        APIs
                                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0DCC6C9E
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1778976336.000000000DCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DCC0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_dcc0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID: ContextThreadWow64
                                        • String ID:
                                        • API String ID: 983334009-0
                                        • Opcode ID: 4a8732732a053689f7440df239d1395cb05d1fc939dc55d9ef5a8bebea2992c2
                                        • Instruction ID: 21651c10ad80b0d734f4f8aafe7d93692a2954ed59b4175b61a647107820aa57
                                        • Opcode Fuzzy Hash: 4a8732732a053689f7440df239d1395cb05d1fc939dc55d9ef5a8bebea2992c2
                                        • Instruction Fuzzy Hash: 842168B19003088FCB10DFAAC4857EEBBF4EF88324F14842DD519A7240CB789945CFA4
                                        APIs
                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0DCC7360
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1778976336.000000000DCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DCC0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_dcc0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID: MemoryProcessRead
                                        • String ID:
                                        • API String ID: 1726664587-0
                                        • Opcode ID: e02658167cd6aa2444449ad05f00f36001d8aaab3d25a2bf393223a84b201742
                                        • Instruction ID: 66b0e4d60c551e106e00d71476a9513666c7f02b0477ae7ea27b7508b3051f67
                                        • Opcode Fuzzy Hash: e02658167cd6aa2444449ad05f00f36001d8aaab3d25a2bf393223a84b201742
                                        • Instruction Fuzzy Hash: A12125B1D003099FCF10DFA9C985AEEBBF5FF48320F54842AE959A7240D7389945DBA4
                                        APIs
                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0DCC7360
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1778976336.000000000DCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DCC0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_dcc0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID: MemoryProcessRead
                                        • String ID:
                                        • API String ID: 1726664587-0
                                        • Opcode ID: e3a3cbca25e84970e8ecf5dd049e5dc29eac77f85ac75100dd9385795f5657e6
                                        • Instruction ID: bb9cf757683ec9e8941c5877b8e8f0317caf6106be8c112fa267d9902870097f
                                        • Opcode Fuzzy Hash: e3a3cbca25e84970e8ecf5dd049e5dc29eac77f85ac75100dd9385795f5657e6
                                        • Instruction Fuzzy Hash: 792148B18003099FCB10DFAAC884AEEFBF5FF48320F548429E919A7240C7389940CBA4
                                        APIs
                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0110D54F
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1768828676.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_1100000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID: DuplicateHandle
                                        • String ID:
                                        • API String ID: 3793708945-0
                                        • Opcode ID: 39b7f32bc9889b2f462556e1ef2e6daee52657c2089f368c8d0653441a3ce534
                                        • Instruction ID: fa5037787fa86c24e6b700a2aa138affd305c6f7e788f57c9a63a5a70078bc9e
                                        • Opcode Fuzzy Hash: 39b7f32bc9889b2f462556e1ef2e6daee52657c2089f368c8d0653441a3ce534
                                        • Instruction Fuzzy Hash: C621E0B5D003089FDB14CFA9D984AEEBFF4EB48324F14801AE918A3350D379A944CF60
                                        APIs
                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0110D54F
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1768828676.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_1100000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID: DuplicateHandle
                                        • String ID:
                                        • API String ID: 3793708945-0
                                        • Opcode ID: 01d149713cd960795cb7716c0d1f015eda88ebd1d9315e76fc3f27d0bda87e59
                                        • Instruction ID: 0669b06509c7a9a1976b1ea8994d4dd469be84a03d37b2afdce4ce8b9c284da4
                                        • Opcode Fuzzy Hash: 01d149713cd960795cb7716c0d1f015eda88ebd1d9315e76fc3f27d0bda87e59
                                        • Instruction Fuzzy Hash: 9021E2B5D003089FDB10CFAAD984ADEBFF8EB48320F14801AE918A3350D375A944CFA0
                                        APIs
                                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0110B2B9,00000800,00000000,00000000), ref: 0110B4CA
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1768828676.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_1100000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID:
                                        • API String ID: 1029625771-0
                                        • Opcode ID: 7618ff0ef327f3784fbe85702b05e689ae65ea9296743cb908ed6df36493b471
                                        • Instruction ID: 9f2de672321a72c44ec9bfcf47a8418e1a4d50c6c450013fd58303797fbc8229
                                        • Opcode Fuzzy Hash: 7618ff0ef327f3784fbe85702b05e689ae65ea9296743cb908ed6df36493b471
                                        • Instruction Fuzzy Hash: 461103B6D043098FDB24CF9AC444A9EFBF4EB88310F11842AD52AA7340C3B5A645CFA5
                                        APIs
                                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0110B2B9,00000800,00000000,00000000), ref: 0110B4CA
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1768828676.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_1100000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID:
                                        • API String ID: 1029625771-0
                                        • Opcode ID: 253d68cd7938e837ed22ebd8e49b1f2df761a3244a6e006f43213153c9235e92
                                        • Instruction ID: 37c15ebaa615f5ce320649555806328c72e345eb8a0cf96936c00c464f42e5ab
                                        • Opcode Fuzzy Hash: 253d68cd7938e837ed22ebd8e49b1f2df761a3244a6e006f43213153c9235e92
                                        • Instruction Fuzzy Hash: 9611E7B6C003498FDB24CF9AD844ADEFBF4EB88320F15842ED559A7241C375A545CFA4
                                        APIs
                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0DCC719E
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1778976336.000000000DCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DCC0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_dcc0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID: AllocVirtual
                                        • String ID:
                                        • API String ID: 4275171209-0
                                        • Opcode ID: d1e9010ccbf29b86fa0719d841f05d77e6174f31d8dd4dfdd1ef7db875346ae7
                                        • Instruction ID: 9ccfa4f67578664afe17fe2d66c99d61772ab1a2d32e773b18c32f2062aed507
                                        • Opcode Fuzzy Hash: d1e9010ccbf29b86fa0719d841f05d77e6174f31d8dd4dfdd1ef7db875346ae7
                                        • Instruction Fuzzy Hash: 211126B19002499FCB20DFAAC845ADEBFF5EB88324F148419E919A7250CB75A944CFA1
                                        APIs
                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0DCC719E
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1778976336.000000000DCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DCC0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_dcc0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID: AllocVirtual
                                        • String ID:
                                        • API String ID: 4275171209-0
                                        • Opcode ID: 45ec0f4a136cc31977acdd1cf46321901e2feda58945ff558041b8346a7e6a9a
                                        • Instruction ID: f11c46fbb7215a7b05ea3b963d9727890c94bb6b90fdf1f6b94233355b52b3b2
                                        • Opcode Fuzzy Hash: 45ec0f4a136cc31977acdd1cf46321901e2feda58945ff558041b8346a7e6a9a
                                        • Instruction Fuzzy Hash: 491167B68002098FCF10DFAAC8457EEBBF5EF48320F14841AD519A7250C7359541CFA0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1778976336.000000000DCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DCC0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_dcc0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID:
                                        • API String ID: 947044025-0
                                        • Opcode ID: 01874f7b636f38e6a9db8de663d74cb49538695d6617c44a8deae97302ffb346
                                        • Instruction ID: ac9006bf817d448b7515b7cb8d070cfa204bf46a311ca1cb76bf7301ce34c2ee
                                        • Opcode Fuzzy Hash: 01874f7b636f38e6a9db8de663d74cb49538695d6617c44a8deae97302ffb346
                                        • Instruction Fuzzy Hash: 54116AB5D003088FCB24DFA9C9457EEFBF4AF88324F24841AC519A7340CB34A545CB91
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1778976336.000000000DCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DCC0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_dcc0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID:
                                        • API String ID: 947044025-0
                                        • Opcode ID: 70fd2d7ae0555fa1aedc7ea9d4bcd97424b42bcad47eaca116a76bd80cd2ad20
                                        • Instruction ID: 76fb496fec0c3d65d122fdf23514e50d4f4719bf6821911affa9c635d79fbb28
                                        • Opcode Fuzzy Hash: 70fd2d7ae0555fa1aedc7ea9d4bcd97424b42bcad47eaca116a76bd80cd2ad20
                                        • Instruction Fuzzy Hash: 9B113AB19003488FCB24DFAAC4457DEFBF5EF88324F248419D519A7240CB75A945CB95
                                        APIs
                                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 0DCCACED
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1778976336.000000000DCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DCC0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_dcc0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID: MessagePost
                                        • String ID:
                                        • API String ID: 410705778-0
                                        • Opcode ID: 548ab12a22c5a1bfadad58d5ff96ee9309cf789f77b83425287b5325eb9651d8
                                        • Instruction ID: bea7d84051c756a30112442596c6afa42bb4eff919ee3b2fef7cae8870222279
                                        • Opcode Fuzzy Hash: 548ab12a22c5a1bfadad58d5ff96ee9309cf789f77b83425287b5325eb9651d8
                                        • Instruction Fuzzy Hash: E911F2B580034C9FDB20DF9AD989BDEBBF8FB48320F108419E919A7200D375A944CFA5
                                        APIs
                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 0110B23E
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1768828676.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_1100000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID: HandleModule
                                        • String ID:
                                        • API String ID: 4139908857-0
                                        • Opcode ID: fe7e8207e2b9ffbdcc0a8e60d5ae1328396029702b12804c0cbbf70dadb56dfc
                                        • Instruction ID: 0136d262b7cc9f0a8dbd431ffb3504e45a7ca0836bcdfbdc290b0ca398b429f1
                                        • Opcode Fuzzy Hash: fe7e8207e2b9ffbdcc0a8e60d5ae1328396029702b12804c0cbbf70dadb56dfc
                                        • Instruction Fuzzy Hash: F71110B5C003498FDB24DF9AD844ADEFBF4EF88324F10841AD929A7240C3B9A545CFA5
                                        APIs
                                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 0DCCACED
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1778976336.000000000DCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DCC0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_dcc0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID: MessagePost
                                        • String ID:
                                        • API String ID: 410705778-0
                                        • Opcode ID: bc0fe04e004c1f7b205fbb4bf5dcdfcc9ac3e961a1d06b7d5e060ef1fe4e7797
                                        • Instruction ID: ae794090d993802c1ddbf0b0cc1d33bd87899e7250605d407f9970b957265b90
                                        • Opcode Fuzzy Hash: bc0fe04e004c1f7b205fbb4bf5dcdfcc9ac3e961a1d06b7d5e060ef1fe4e7797
                                        • Instruction Fuzzy Hash: 891103B5800308CFCB10DF99D989BDEBBF4EB48310F14840AD518A7700D375A545CFA1
                                        APIs
                                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0110B2B9,00000800,00000000,00000000), ref: 0110B4CA
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1768828676.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_1100000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID:
                                        • API String ID: 1029625771-0
                                        • Opcode ID: 491077401cbc5e057bc4cf7f0821b4e54c19d8f47d62ade6873085ac6fbdb608
                                        • Instruction ID: c1499fee68d2c28536828165bb98862ba1367624bf580dd8fd2ffe826ae82af8
                                        • Opcode Fuzzy Hash: 491077401cbc5e057bc4cf7f0821b4e54c19d8f47d62ade6873085ac6fbdb608
                                        • Instruction Fuzzy Hash: A701B176C043048FDB258BACD4047EABBF4AF95324F14805AE159D3651C3B59404CB64
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1768103928.0000000000E6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E6D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_e6d000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c5e281dc1a0e71e72314fc07ffee557c63ff265bb9e4ad5a7ad032a59498d4d1
                                        • Instruction ID: 57f2b47c3b7c6bd4b9668dbf1d4650254db3b33421d83e33370bbac2653d6c25
                                        • Opcode Fuzzy Hash: c5e281dc1a0e71e72314fc07ffee557c63ff265bb9e4ad5a7ad032a59498d4d1
                                        • Instruction Fuzzy Hash: EF2145B1A48340DFCB01DF14ECC0B26BF65FB98368F64C569E80A1B656C336D816CBA1
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1768103928.0000000000E6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E6D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_e6d000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5e4a56f98c55fd6bf5edd7c46b28fef552618df2f5255d983d0bad1c013aae42
                                        • Instruction ID: 6d7eca0f5b65b1aac5dc6f77c6bdeba57b72bd929ffce056dd7bae497158d166
                                        • Opcode Fuzzy Hash: 5e4a56f98c55fd6bf5edd7c46b28fef552618df2f5255d983d0bad1c013aae42
                                        • Instruction Fuzzy Hash: 062148B1A48244DFCB01DF04EDC0B16BF65FB98364F64C568D80A5B246C736EC16C7A1
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1768140009.0000000000E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_e7d000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8283876b197712250ecf5f1adb7665e2df8c078843be792917f0b00dce9b5ceb
                                        • Instruction ID: da078cddc29ec6f78a90a14a9be1a94fa78b394009323b7734dff96b5c43f4d8
                                        • Opcode Fuzzy Hash: 8283876b197712250ecf5f1adb7665e2df8c078843be792917f0b00dce9b5ceb
                                        • Instruction Fuzzy Hash: D9210371608240AFCB01DF14D9C0B25BBB5FF84318F24C66DD80E5B2A2C336D807CA61
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1768140009.0000000000E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_e7d000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 60e994a99f95efea022f6c3127234e03bdd32a3b9a83875172e89a5563496caf
                                        • Instruction ID: 6fda4ab7a621f543fb9c21bae6b159bae872dc6942a8ec307bd3dec4498568a6
                                        • Opcode Fuzzy Hash: 60e994a99f95efea022f6c3127234e03bdd32a3b9a83875172e89a5563496caf
                                        • Instruction Fuzzy Hash: 7921D075608200DFCB15DF14DD84B26BBB6EF94318F24D96DD80E5B286C33AD807CA61
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1768140009.0000000000E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_e7d000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 82d2078ca6a3c5067efd91f660db315a6336008d09b41b90b142be978c12eb82
                                        • Instruction ID: eec07417229793456d1267a23744facf04f6b76b169be1bc768f6720de77c2a2
                                        • Opcode Fuzzy Hash: 82d2078ca6a3c5067efd91f660db315a6336008d09b41b90b142be978c12eb82
                                        • Instruction Fuzzy Hash: BB21507550D3808FDB12CF24D994715BF72EF46314F28C5EAD8498B6A7C33A980ACB62
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1768103928.0000000000E6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E6D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_e6d000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
                                        • Instruction ID: a91b48f83896287b7793601367646511ba5cf77b95457b9d703aee6f634995be
                                        • Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
                                        • Instruction Fuzzy Hash: E411E976944280CFCB15CF14D9C4B16BF71FB94328F24C5A9D8464B656C336D856CB91
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1768103928.0000000000E6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E6D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_e6d000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
                                        • Instruction ID: d64b5292215395ea09e261129f6013b01194202bd7d9b16a9e5f3e3f3734a1a2
                                        • Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
                                        • Instruction Fuzzy Hash: 42112676A44240CFCB12CF00D9C4B16BF72FB94324F24C2A9D8094B256C33AE85ACBA1
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1768140009.0000000000E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_e7d000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                                        • Instruction ID: 96f3a32c455be0db4914a6bd3de91a6c23047b54c60de73055c96f113ee161fc
                                        • Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                                        • Instruction Fuzzy Hash: 9211BE75508280DFCB01CF50C9C4B15BB71FF84328F24C6ADD8494B2A6C33AD81ACB61
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1768103928.0000000000E6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E6D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_e6d000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 784899d2b20e03ebd9e3e233da4e830740ad9b7a4587abb200c1ec660414f5d5
                                        • Instruction ID: 0f5c0a3e1c29118f6f39d99cfa8407c837639937e496f52810ad7a61d82f5edf
                                        • Opcode Fuzzy Hash: 784899d2b20e03ebd9e3e233da4e830740ad9b7a4587abb200c1ec660414f5d5
                                        • Instruction Fuzzy Hash: 5E01F771A4C3449AE7208A15EC84B66BFD8DF61369F58C81BEC091A286C739A840C672
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1768103928.0000000000E6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E6D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_e6d000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ef23b2c6b4af78f1aa312eb7086c1f13c26b9a90b70e70236b9028ce7cfd20db
                                        • Instruction ID: 02aeef496bfd16b552364d547130cc2e5adf76da74ee6c152a7e61d4fa151a6d
                                        • Opcode Fuzzy Hash: ef23b2c6b4af78f1aa312eb7086c1f13c26b9a90b70e70236b9028ce7cfd20db
                                        • Instruction Fuzzy Hash: CAF0C2315083449EE7208E06DC84B62FFA8EF51778F18C45AED085A286C379A840CAB1

                                        Execution Graph

                                        Execution Coverage:8.8%
                                        Dynamic/Decrypted Code Coverage:100%
                                        Signature Coverage:0%
                                        Total number of Nodes:39
                                        Total number of Limit Nodes:6
                                        execution_graph 40184 d0fef8 40185 d0ff20 40184->40185 40186 d0ff90 40185->40186 40188 66bff2b 40185->40188 40190 66bff42 40188->40190 40191 66bfd09 40188->40191 40189 66bfd66 40189->40186 40190->40186 40191->40189 40195 d0e6f8 40191->40195 40199 d0e708 40191->40199 40192 66bfe3f 40192->40186 40196 d0e708 40195->40196 40202 d0eb30 40196->40202 40197 d0e716 40197->40192 40201 d0eb30 GlobalMemoryStatusEx 40199->40201 40200 d0e716 40200->40192 40201->40200 40203 d0eb4d 40202->40203 40205 d0eb75 40202->40205 40203->40197 40204 d0eb96 40204->40197 40205->40204 40206 d0ec5e GlobalMemoryStatusEx 40205->40206 40207 d0ec8e 40206->40207 40207->40197 40208 d00848 40210 d0084e 40208->40210 40209 d0091b 40210->40209 40212 d01380 40210->40212 40213 d0137a 40212->40213 40214 d0137c 40213->40214 40216 d07ea8 40213->40216 40214->40210 40217 d07eb2 40216->40217 40218 d07ecc 40217->40218 40221 66bfa88 40217->40221 40226 66bfa98 40217->40226 40218->40213 40222 66bfa9c 40221->40222 40223 66bfcc2 40222->40223 40224 66bff2b GlobalMemoryStatusEx 40222->40224 40225 66bfcd9 GlobalMemoryStatusEx 40222->40225 40223->40218 40224->40222 40225->40222 40228 66bfa9c 40226->40228 40227 66bfcc2 40227->40218 40228->40227 40229 66bff2b GlobalMemoryStatusEx 40228->40229 40230 66bfcd9 GlobalMemoryStatusEx 40228->40230 40229->40228 40230->40228

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 129 66b30e0-66b3101 130 66b3103-66b3106 129->130 131 66b3108-66b3127 130->131 132 66b312c-66b312f 130->132 131->132 133 66b38d0-66b38d2 132->133 134 66b3135-66b3154 132->134 135 66b38d9-66b38dc 133->135 136 66b38d4 133->136 142 66b316d-66b3177 134->142 143 66b3156-66b3159 134->143 135->130 139 66b38e2-66b38eb 135->139 136->135 147 66b317d-66b318c 142->147 143->142 144 66b315b-66b316b 143->144 144->147 255 66b318e call 66b38f8 147->255 256 66b318e call 66b3900 147->256 148 66b3193-66b3198 149 66b319a-66b31a0 148->149 150 66b31a5-66b3482 148->150 149->139 171 66b3488-66b3537 150->171 172 66b38c2-66b38cf 150->172 181 66b3539-66b355e 171->181 182 66b3560 171->182 184 66b3569-66b357c 181->184 182->184 186 66b38a9-66b38b5 184->186 187 66b3582-66b35a4 184->187 186->171 188 66b38bb 186->188 187->186 190 66b35aa-66b35b4 187->190 188->172 190->186 191 66b35ba-66b35c5 190->191 191->186 192 66b35cb-66b36a1 191->192 204 66b36af-66b36df 192->204 205 66b36a3-66b36a5 192->205 209 66b36ed-66b36f9 204->209 210 66b36e1-66b36e3 204->210 205->204 211 66b36fb-66b36ff 209->211 212 66b3759-66b375d 209->212 210->209 211->212 215 66b3701-66b372b 211->215 213 66b389a-66b38a3 212->213 214 66b3763-66b379f 212->214 213->186 213->192 225 66b37ad-66b37bb 214->225 226 66b37a1-66b37a3 214->226 222 66b3739-66b3756 215->222 223 66b372d-66b372f 215->223 222->212 223->222 229 66b37bd-66b37c8 225->229 230 66b37d2-66b37dd 225->230 226->225 229->230 233 66b37ca 229->233 234 66b37df-66b37e5 230->234 235 66b37f5-66b3806 230->235 233->230 236 66b37e9-66b37eb 234->236 237 66b37e7 234->237 239 66b3808-66b380e 235->239 240 66b381e-66b382a 235->240 236->235 237->235 241 66b3812-66b3814 239->241 242 66b3810 239->242 244 66b382c-66b3832 240->244 245 66b3842-66b3893 240->245 241->240 242->240 246 66b3836-66b3838 244->246 247 66b3834 244->247 245->213 246->245 247->245 255->148 256->148
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2934787894.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_66b0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $dq$$dq$$dq$$dq$$dq$$dq
                                        • API String ID: 0-2331353128
                                        • Opcode ID: d9162c75e54b666290f6691c6ff8bd5f07f277d42cdd2f937f88d1c62d08bcea
                                        • Instruction ID: 5e37fb55f368df647ec8d889aac96c52be1b9a993e60437e1f809fadf8bd027c
                                        • Opcode Fuzzy Hash: d9162c75e54b666290f6691c6ff8bd5f07f277d42cdd2f937f88d1c62d08bcea
                                        • Instruction Fuzzy Hash: 7E321E31E10619CFCB54EF65C85459EB7B2FFC9300F219669D449A7364EB30AA85CB90

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 798 66b7dd8-66b7df6 799 66b7df8-66b7dfb 798->799 800 66b7dfd-66b7e17 799->800 801 66b7e1c-66b7e1f 799->801 800->801 804 66b7e2c-66b7e2f 801->804 805 66b7e20-66b7e2b 801->805 806 66b7e31-66b7e3f 804->806 807 66b7e46-66b7e49 804->807 815 66b7e7e-66b7e94 806->815 816 66b7e41 806->816 808 66b7e4b-66b7e67 807->808 809 66b7e6c-66b7e6e 807->809 808->809 811 66b7e70 809->811 812 66b7e75-66b7e78 809->812 811->812 812->799 812->815 819 66b7e9a-66b7ea3 815->819 820 66b80af-66b80b9 815->820 816->807 821 66b80ba-66b80c4 819->821 822 66b7ea9-66b7ec6 819->822 825 66b80c6-66b80cc 821->825 826 66b8115-66b811b 821->826 832 66b809c-66b80a9 822->832 833 66b7ecc-66b7ef4 822->833 828 66b80ce-66b80db 825->828 829 66b80dc 825->829 830 66b811f-66b8121 826->830 831 66b811d 826->831 828->829 834 66b80de-66b80ef 829->834 835 66b8096 829->835 836 66b812b-66b8132 830->836 831->836 832->819 832->820 833->832 840 66b7efa-66b7f03 833->840 839 66b80f1-66b80f4 834->839 835->832 835->840 837 66b8143 836->837 838 66b8134-66b8141 836->838 841 66b8148-66b814a 837->841 838->841 844 66b80fa-66b8106 839->844 845 66b81a7-66b81aa 839->845 840->821 843 66b7f09-66b7f25 840->843 848 66b814c-66b814f 841->848 849 66b8161-66b819a 841->849 858 66b7f2b-66b7f55 843->858 859 66b808a-66b8093 843->859 855 66b8111-66b8113 844->855 846 66b81b0-66b81bf 845->846 847 66b83d6-66b83d9 845->847 862 66b81de-66b8219 846->862 863 66b81c1-66b81dc 846->863 852 66b83db-66b83f7 847->852 853 66b83fc-66b83fe 847->853 850 66b840e-66b8417 848->850 849->846 884 66b819c-66b81a6 849->884 852->853 860 66b8400 853->860 861 66b8405-66b8408 853->861 855->826 855->836 879 66b7f5b-66b7f83 858->879 880 66b8080-66b8085 858->880 859->835 860->861 861->839 861->850 870 66b83aa-66b83c0 862->870 871 66b821f-66b8230 862->871 863->862 870->847 882 66b8236-66b8253 871->882 883 66b8395-66b83a4 871->883 879->880 892 66b7f89-66b7fb7 879->892 880->859 882->883 891 66b8259-66b834f call 66b65f8 882->891 883->870 883->871 937 66b835d 891->937 938 66b8351-66b835b 891->938 892->880 897 66b7fbd-66b7fc6 892->897 897->880 899 66b7fcc-66b7ffe 897->899 906 66b8009-66b8025 899->906 907 66b8000-66b8004 899->907 906->859 910 66b8027-66b807e call 66b65f8 906->910 907->880 909 66b8006 907->909 909->906 910->859 939 66b8362-66b8364 937->939 938->939 939->883 940 66b8366-66b836b 939->940 941 66b8379 940->941 942 66b836d-66b8377 940->942 943 66b837e-66b8380 941->943 942->943 943->883 944 66b8382-66b838e 943->944 944->883
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2934787894.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_66b0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $dq$$dq
                                        • API String ID: 0-2340669324
                                        • Opcode ID: 39d9a9cb107ad337e5ddabfb28723b5043f81b40f4126ae2968bf2cd2377c1df
                                        • Instruction ID: e2d61cfe7ce3afec7bca4a74436412de8df1294549f3dde9b6f80ca2e52d00e7
                                        • Opcode Fuzzy Hash: 39d9a9cb107ad337e5ddabfb28723b5043f81b40f4126ae2968bf2cd2377c1df
                                        • Instruction Fuzzy Hash: 3602AD30B01215DFDB54DF68D990AAEB7E6FF84311F249929E4069B395DB31ED82CB80
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2934787894.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_66b0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a632ac3de05da5c28c4414c0c3a41bbd00e30883448e036f909133f62e5231ba
                                        • Instruction ID: 49a5bb943f686bd584edc3117e6287fe41638c5946078a1d5ad4aea73b14aeac
                                        • Opcode Fuzzy Hash: a632ac3de05da5c28c4414c0c3a41bbd00e30883448e036f909133f62e5231ba
                                        • Instruction Fuzzy Hash: F3924734E00204CFDB64DB68C5A8AADB7F6FF45314F5494A9D40AAB365DB35ED82CB80
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2934787894.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_66b0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a9b2d0b5759123463d95d9c7f47825a4291f355de76f97b15a5ad0d015866283
                                        • Instruction ID: 9a433b84eb65fe7693e55c606f28e3ca414556aa004e7fd4f36572aae2c50e04
                                        • Opcode Fuzzy Hash: a9b2d0b5759123463d95d9c7f47825a4291f355de76f97b15a5ad0d015866283
                                        • Instruction Fuzzy Hash: 1762AC34A00215DFDB54DF68D594AADBBF2EF88314F249469E40ADB394DB31ED82CB80
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2934787894.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_66b0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7474366d36a8db5dc74fcf1affb4a356001e6bd0763f75d1765ff2d98885ed70
                                        • Instruction ID: ce12369551da65012285b9bd559369b6817f16273b7c296c7da4cdfc9ef80b54
                                        • Opcode Fuzzy Hash: 7474366d36a8db5dc74fcf1affb4a356001e6bd0763f75d1765ff2d98885ed70
                                        • Instruction Fuzzy Hash: 57326134B00215DFDB54DF68D890BAEB7B2FB88310F109529E50ADB355DB35ED828B90
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2934787894.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_66b0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 339bf0eb5f6bd763675b656cf29553fd3320f36d718162416a28d46bcae52b3d
                                        • Instruction ID: 26134a0e8a749a90da14fc3157bb5a80786c1f61c8633529d42186b11d9bed14
                                        • Opcode Fuzzy Hash: 339bf0eb5f6bd763675b656cf29553fd3320f36d718162416a28d46bcae52b3d
                                        • Instruction Fuzzy Hash: B912CE75F00215DBDB60DF64D8806EEB7A2EF85320F24953AE8569B395DB34EC81CB90
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2934787894.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_66b0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2bd7dbc2fb74dbe0a04fc49e7385d97833bba96a5cd74f1cc3001a3b17c55e55
                                        • Instruction ID: 5647fd218f6d0db4a121de006fdb2558dea3c3b2623bca3fd2c532dd67433ede
                                        • Opcode Fuzzy Hash: 2bd7dbc2fb74dbe0a04fc49e7385d97833bba96a5cd74f1cc3001a3b17c55e55
                                        • Instruction Fuzzy Hash: 87224970E10219DBDFA4DA68D4907EEB7B2EB8A310F249426E409DB395DE34DCC18B91

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 0 66bad28-66bad46 1 66bad48-66bad4b 0->1 2 66bad5f-66bad62 1->2 3 66bad4d-66bad5a 1->3 4 66bad6c-66bad6f 2->4 5 66bad64-66bad69 2->5 3->2 7 66baf45-66baf4e 4->7 8 66bad75-66bad78 4->8 5->4 9 66badd0-66badd9 7->9 10 66baf54-66baf5e 7->10 11 66bad9b-66bad9e 8->11 12 66bad7a-66bad96 8->12 15 66baf5f-66baf69 9->15 16 66baddf-66bade3 9->16 13 66badae-66badb1 11->13 14 66bada0-66bada9 11->14 12->11 18 66badcb-66badce 13->18 19 66badb3-66badc6 13->19 14->13 28 66baf6b-66baf71 15->28 29 66bafce-66bafd0 15->29 20 66bade8-66badeb 16->20 18->9 18->20 19->18 23 66baded-66badf1 20->23 24 66badfc-66badfe 20->24 23->10 30 66badf7 23->30 25 66bae00 24->25 26 66bae05-66bae08 24->26 25->26 26->1 31 66bae0e-66bae32 26->31 33 66baf73-66baf96 28->33 34 66bafd6-66bafdc 28->34 29->34 30->24 51 66bae38-66bae47 31->51 52 66baf42 31->52 35 66baf98-66baf9b 33->35 36 66bb1cf-66bb1e2 34->36 37 66bafde-66bafee 34->37 38 66bafa1-66bafcd 35->38 39 66bb204-66bb207 35->39 42 66bb1e4 36->42 53 66bb00e-66bb052 37->53 54 66baff0-66bb009 37->54 38->29 43 66bb209-66bb213 39->43 44 66bb214-66bb217 39->44 42->39 47 66bb219-66bb21d 44->47 48 66bb228-66bb22b 44->48 47->38 55 66bb223 47->55 49 66bb23a-66bb23d 48->49 50 66bb22d call 66bb283 48->50 56 66bb23f-66bb25b 49->56 57 66bb260-66bb262 49->57 58 66bb233-66bb235 50->58 64 66bae49-66bae4f 51->64 65 66bae5f-66bae9a call 66b65f8 51->65 52->7 78 66bb06e-66bb0ad 53->78 79 66bb054-66bb066 53->79 54->42 55->48 56->57 60 66bb269-66bb26c 57->60 61 66bb264 57->61 58->49 60->35 66 66bb272-66bb27c 60->66 61->60 67 66bae53-66bae55 64->67 68 66bae51 64->68 84 66bae9c-66baea2 65->84 85 66baeb2-66baec9 65->85 67->65 68->65 86 66bb0b3-66bb18e call 66b65f8 78->86 87 66bb194-66bb1a9 78->87 79->78 90 66baea6-66baea8 84->90 91 66baea4 84->91 97 66baecb-66baed1 85->97 98 66baee1-66baef2 85->98 86->87 87->36 90->85 91->85 99 66baed3 97->99 100 66baed5-66baed7 97->100 104 66baf0a-66baf3b 98->104 105 66baef4-66baefa 98->105 99->98 100->98 104->52 106 66baefe-66baf00 105->106 107 66baefc 105->107 106->104 107->104
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2934787894.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_66b0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $dq$$dq$$dq$$dq$$dq$$dq$$dq$$dq
                                        • API String ID: 0-634254105
                                        • Opcode ID: 347dacd389d07b55ad1e0dc5e340c227aafe111d120a14380daa54d1d1eb91d1
                                        • Instruction ID: 4d72174f0b17ebeef72bc68ce807bde65318d1d4035048276514927d3f638c0a
                                        • Opcode Fuzzy Hash: 347dacd389d07b55ad1e0dc5e340c227aafe111d120a14380daa54d1d1eb91d1
                                        • Instruction Fuzzy Hash: D3E17F30E10219CFCF55DFA8D5906EEB7B2FF89311F109529E80AAB355DB319986CB90

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 257 66bb6a0-66bb6c2 258 66bb6c4-66bb6c7 257->258 259 66bb6c9-66bb6d2 258->259 260 66bb6d7-66bb6da 258->260 259->260 261 66bb6dc-66bb6e0 260->261 262 66bb701-66bb704 260->262 263 66bba4b-66bba86 261->263 264 66bb6e6-66bb6f6 261->264 265 66bb711-66bb714 262->265 266 66bb706-66bb70c 262->266 275 66bba88-66bba8b 263->275 271 66bb9c1-66bb9c2 264->271 274 66bb6fc 264->274 267 66bb71e-66bb721 265->267 268 66bb716-66bb719 265->268 266->265 267->271 272 66bb727-66bb72a 267->272 268->267 273 66bb9c7-66bb9ca 271->273 276 66bb72c-66bb731 272->276 277 66bb734-66bb737 272->277 278 66bba2e-66bba30 273->278 279 66bb9cc-66bba29 call 66b65f8 273->279 274->262 280 66bbaae-66bbab1 275->280 281 66bba8d-66bbaa9 275->281 276->277 282 66bb739-66bb73d 277->282 283 66bb74e-66bb751 277->283 288 66bba32 278->288 289 66bba37-66bba3a 278->289 279->278 284 66bbd1d-66bbd1f 280->284 285 66bbab7-66bbadf 280->285 281->280 282->263 290 66bb743-66bb749 282->290 286 66bb753-66bb75a 283->286 287 66bb765-66bb768 283->287 298 66bbd21 284->298 299 66bbd26-66bbd29 284->299 338 66bbae9-66bbb2d 285->338 339 66bbae1-66bbae4 285->339 291 66bb873-66bb87c 286->291 292 66bb760 286->292 293 66bb76a-66bb76e 287->293 294 66bb77f-66bb782 287->294 288->289 289->258 295 66bba40-66bba4a 289->295 290->283 303 66bb881-66bb884 291->303 292->287 293->263 302 66bb774-66bb77a 293->302 304 66bb7c0-66bb7c3 294->304 305 66bb784-66bb799 294->305 298->299 299->275 300 66bbd2f-66bbd38 299->300 302->294 307 66bb89b-66bb89e 303->307 308 66bb886-66bb88a 303->308 310 66bb7d3-66bb7d6 304->310 311 66bb7c5-66bb7ce 304->311 305->263 323 66bb79f-66bb7bb 305->323 316 66bb8aa-66bb8ad 307->316 317 66bb8a0-66bb8a3 307->317 308->263 314 66bb890-66bb896 308->314 318 66bb7d8-66bb7dc 310->318 319 66bb7fd-66bb800 310->319 311->310 314->307 327 66bb8af-66bb8b1 316->327 328 66bb8b4-66bb8b7 316->328 325 66bb8a5 317->325 326 66bb844-66bb847 317->326 318->263 320 66bb7e2-66bb7f2 318->320 321 66bb802-66bb80b 319->321 322 66bb810-66bb813 319->322 320->261 347 66bb7f8 320->347 321->322 322->271 330 66bb819-66bb81c 322->330 323->304 325->316 326->263 331 66bb84d-66bb854 326->331 327->328 332 66bb8ca-66bb8cd 328->332 333 66bb8b9-66bb8c5 328->333 340 66bb83f-66bb842 330->340 341 66bb81e-66bb83a 330->341 334 66bb859-66bb85c 331->334 336 66bb8cf-66bb8d3 332->336 337 66bb8f4-66bb8f7 332->337 333->332 344 66bb86e-66bb871 334->344 345 66bb85e 334->345 336->263 348 66bb8d9-66bb8e9 336->348 349 66bb8f9-66bb8fc 337->349 350 66bb901-66bb904 337->350 377 66bbb33-66bbb3c 338->377 378 66bbd12-66bbd1c 338->378 339->300 340->326 340->334 341->340 344->291 344->303 355 66bb866-66bb869 345->355 347->319 348->318 359 66bb8ef 348->359 349->350 350->271 353 66bb90a-66bb90d 350->353 357 66bb90f-66bb918 353->357 358 66bb923-66bb926 353->358 355->344 362 66bb91e 357->362 363 66bb9a1-66bb9aa 357->363 364 66bb928-66bb93d 358->364 365 66bb965-66bb968 358->365 359->337 362->358 363->263 368 66bb9b0-66bb9b7 363->368 364->263 375 66bb943-66bb960 364->375 365->317 367 66bb96e-66bb971 365->367 372 66bb993-66bb996 367->372 373 66bb973-66bb98e 367->373 369 66bb9bc-66bb9bf 368->369 369->271 369->273 372->357 376 66bb99c-66bb99f 372->376 373->372 375->365 376->363 376->369 379 66bbd08-66bbd0d 377->379 380 66bbb42-66bbbae call 66b65f8 377->380 379->378 391 66bbca8-66bbcbd 380->391 392 66bbbb4-66bbbb9 380->392 391->379 394 66bbbbb-66bbbc1 392->394 395 66bbbd5 392->395 397 66bbbc3-66bbbc5 394->397 398 66bbbc7-66bbbc9 394->398 396 66bbbd7-66bbbdd 395->396 399 66bbbdf-66bbbe5 396->399 400 66bbbf2-66bbbff 396->400 401 66bbbd3 397->401 398->401 402 66bbbeb 399->402 403 66bbc93-66bbca2 399->403 408 66bbc01-66bbc07 400->408 409 66bbc17-66bbc24 400->409 401->396 402->400 404 66bbc5a-66bbc67 402->404 405 66bbc26-66bbc33 402->405 403->391 403->392 416 66bbc69-66bbc6f 404->416 417 66bbc7f-66bbc8c 404->417 414 66bbc4b-66bbc58 405->414 415 66bbc35-66bbc3b 405->415 411 66bbc0b-66bbc0d 408->411 412 66bbc09 408->412 409->403 411->409 412->409 414->403 419 66bbc3f-66bbc41 415->419 420 66bbc3d 415->420 421 66bbc73-66bbc75 416->421 422 66bbc71 416->422 417->403 419->414 420->414 421->417 422->417
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2934787894.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_66b0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $dq$$dq$$dq$$dq$$dq$$dq
                                        • API String ID: 0-2331353128
                                        • Opcode ID: aeca28dd2e1708b33c81cdc1703fa8a2ebdd0fbcb7b6af7f4c9e56d2d63db481
                                        • Instruction ID: 50655c2c6b836ecd801e962898953188b4cb9628c6161ca10b345beea538623b
                                        • Opcode Fuzzy Hash: aeca28dd2e1708b33c81cdc1703fa8a2ebdd0fbcb7b6af7f4c9e56d2d63db481
                                        • Instruction Fuzzy Hash: F5026A30E10219CFDBA4DF68D5806ADB7B2EB85310F24992AE405DB385DF74ED82CB91

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 425 66b91a0-66b91c5 426 66b91c7-66b91ca 425->426 427 66b91cc-66b91eb 426->427 428 66b91f0-66b91f3 426->428 427->428 429 66b91f9-66b920e 428->429 430 66b9ab3-66b9ab5 428->430 437 66b9210-66b9216 429->437 438 66b9226-66b923c 429->438 431 66b9abc-66b9abf 430->431 432 66b9ab7 430->432 431->426 435 66b9ac5-66b9acf 431->435 432->431 439 66b921a-66b921c 437->439 440 66b9218 437->440 442 66b9247-66b9249 438->442 439->438 440->438 443 66b924b-66b9251 442->443 444 66b9261-66b92d2 442->444 445 66b9253 443->445 446 66b9255-66b9257 443->446 455 66b92fe-66b931a 444->455 456 66b92d4-66b92f7 444->456 445->444 446->444 461 66b931c-66b933f 455->461 462 66b9346-66b9361 455->462 456->455 461->462 467 66b938c-66b93a7 462->467 468 66b9363-66b9385 462->468 473 66b93a9-66b93cb 467->473 474 66b93d2-66b93dc 467->474 468->467 473->474 475 66b93de-66b93e7 474->475 476 66b93ec-66b9466 474->476 475->435 482 66b9468-66b9486 476->482 483 66b94b3-66b94c8 476->483 487 66b9488-66b9497 482->487 488 66b94a2-66b94b1 482->488 483->430 487->488 488->482 488->483
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2934787894.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_66b0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $dq$$dq$$dq$$dq
                                        • API String ID: 0-185584874
                                        • Opcode ID: 66ce97dac272f74fe22bd5c267e57eb34c63051440b727f99839b9174455b76b
                                        • Instruction ID: d09e0e28230da45642a69a345cd3552b54245d262d26de21b5410302448f7a08
                                        • Opcode Fuzzy Hash: 66ce97dac272f74fe22bd5c267e57eb34c63051440b727f99839b9174455b76b
                                        • Instruction Fuzzy Hash: C9913D30B1021A9FDB54DB65D950BAFB7F6EB85300F108569D909EB388EF70DD828B91

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 491 66bcfa8-66bcfc3 492 66bcfc5-66bcfc8 491->492 493 66bcfca-66bd00c 492->493 494 66bd011-66bd014 492->494 493->494 495 66bd031-66bd034 494->495 496 66bd016-66bd02c 494->496 498 66bd07d-66bd080 495->498 499 66bd036-66bd078 495->499 496->495 500 66bd08f-66bd092 498->500 501 66bd082-66bd084 498->501 499->498 505 66bd0db-66bd0de 500->505 506 66bd094-66bd0a3 500->506 503 66bd08a 501->503 504 66bd48d 501->504 503->500 514 66bd490-66bd49c 504->514 512 66bd0e8-66bd0eb 505->512 513 66bd0e0-66bd0e5 505->513 510 66bd0b2-66bd0be 506->510 511 66bd0a5-66bd0aa 506->511 515 66bd9c1-66bd9f6 510->515 516 66bd0c4-66bd0d6 510->516 511->510 519 66bd0ed-66bd12f 512->519 520 66bd134-66bd137 512->520 513->512 521 66bd18e-66bd19d 514->521 522 66bd4a2-66bd78f 514->522 537 66bd9f8-66bd9fb 515->537 516->505 519->520 525 66bd139-66bd17b 520->525 526 66bd180-66bd183 520->526 523 66bd19f-66bd1a4 521->523 524 66bd1ac-66bd1b8 521->524 703 66bd9b6-66bd9c0 522->703 704 66bd795-66bd79b 522->704 523->524 524->515 530 66bd1be-66bd1d0 524->530 525->526 526->514 528 66bd189-66bd18c 526->528 528->521 535 66bd1d5-66bd1d8 528->535 530->535 543 66bd1da-66bd21c 535->543 544 66bd221-66bd224 535->544 545 66bda0a-66bda0d 537->545 546 66bd9fd call 66bdb15 537->546 543->544 549 66bd26d-66bd270 544->549 550 66bd226-66bd268 544->550 547 66bda0f-66bda3b 545->547 548 66bda40-66bda43 545->548 553 66bda03-66bda05 546->553 547->548 556 66bda66-66bda68 548->556 557 66bda45-66bda61 548->557 558 66bd2b9-66bd2bc 549->558 559 66bd272-66bd2b4 549->559 550->549 553->545 563 66bda6a 556->563 564 66bda6f-66bda72 556->564 557->556 561 66bd2be-66bd300 558->561 562 66bd305-66bd308 558->562 559->558 561->562 573 66bd30a-66bd30c 562->573 574 66bd313-66bd316 562->574 563->564 564->537 572 66bda74-66bda83 564->572 592 66bdaea-66bdaff 572->592 593 66bda85-66bdae8 call 66b65f8 572->593 580 66bd34b-66bd354 573->580 581 66bd30e 573->581 576 66bd339-66bd33b 574->576 577 66bd318-66bd334 574->577 584 66bd33d 576->584 585 66bd342-66bd345 576->585 577->576 589 66bd363-66bd36f 580->589 590 66bd356-66bd35b 580->590 581->574 584->585 585->492 585->580 598 66bd480-66bd485 589->598 599 66bd375-66bd389 589->599 590->589 593->592 598->504 599->504 610 66bd38f-66bd3a1 599->610 621 66bd3a3-66bd3a9 610->621 622 66bd3c5-66bd3c7 610->622 626 66bd3ab 621->626 627 66bd3ad-66bd3b9 621->627 630 66bd3d1-66bd3dd 622->630 628 66bd3bb-66bd3c3 626->628 627->628 628->630 637 66bd3eb 630->637 638 66bd3df-66bd3e9 630->638 640 66bd3f0-66bd3f2 637->640 638->640 640->504 642 66bd3f8-66bd414 call 66b65f8 640->642 650 66bd423-66bd42f 642->650 651 66bd416-66bd41b 642->651 650->598 653 66bd431-66bd47e 650->653 651->650 653->504 705 66bd7aa-66bd7b3 704->705 706 66bd79d-66bd7a2 704->706 705->515 707 66bd7b9-66bd7cc 705->707 706->705 709 66bd7d2-66bd7d8 707->709 710 66bd9a6-66bd9b0 707->710 711 66bd7da-66bd7df 709->711 712 66bd7e7-66bd7f0 709->712 710->703 710->704 711->712 712->515 713 66bd7f6-66bd817 712->713 716 66bd819-66bd81e 713->716 717 66bd826-66bd82f 713->717 716->717 717->515 718 66bd835-66bd852 717->718 718->710 721 66bd858-66bd85e 718->721 721->515 722 66bd864-66bd87d 721->722 724 66bd999-66bd9a0 722->724 725 66bd883-66bd8aa 722->725 724->710 724->721 725->515 728 66bd8b0-66bd8ba 725->728 728->515 729 66bd8c0-66bd8d7 728->729 731 66bd8d9-66bd8e4 729->731 732 66bd8e6-66bd901 729->732 731->732 732->724 737 66bd907-66bd920 call 66b65f8 732->737 741 66bd92f-66bd938 737->741 742 66bd922-66bd927 737->742 741->515 743 66bd93e-66bd992 741->743 742->741 743->724
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2934787894.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_66b0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $dq$$dq$$dq
                                        • API String ID: 0-2861643491
                                        • Opcode ID: dba792e0221bf4e5feefbfb5804b32573f33e54efac5eb7d1ef446caa0110b2b
                                        • Instruction ID: 51b7bddf69b40e5a3cb5a97fd3b9f7b371e4547d57fc05935cfbac733186afc5
                                        • Opcode Fuzzy Hash: dba792e0221bf4e5feefbfb5804b32573f33e54efac5eb7d1ef446caa0110b2b
                                        • Instruction Fuzzy Hash: B9625130A00216CFCB54EF68D990A9EB7F2FF85345B209969D4099F359DB71ED86CB80

                                        Control-flow Graph
                                        [Rendered control-flow graph not extracted: basic blocks in the range 66b4bf0-66b533b, with a call to 66b5499; blocks were marked Executed / Not Executed in the figure.]
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2934787894.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_66b0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: fiq$XPiq$\Oiq
                                        • API String ID: 0-1639307521
                                        • Opcode ID: 933b9d5d77ec7b251b3fd972793c27ebddbef1a1f70a776cc1f80d3536e476ff
                                        • Instruction ID: 7c5d00a83c9a699d2a82ca3be189252f430c65ef049605da99441de95aa25e7f
                                        • Opcode Fuzzy Hash: 933b9d5d77ec7b251b3fd972793c27ebddbef1a1f70a776cc1f80d3536e476ff
                                        • Instruction Fuzzy Hash: 31616070F00219DFEB549FA5C8147AEBBF6EF89300F20852AE106AB395DF758C458B91

                                        Control-flow Graph
                                        [Rendered control-flow graph not extracted: basic blocks in the range 66b9193-66b9acf, no calls; blocks were marked Executed / Not Executed in the figure.]
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2934787894.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_66b0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $dq$$dq
                                        • API String ID: 0-2340669324
                                        • Opcode ID: 2b0c77aba27e502925fc0c0a1b17758c0b1d19aae76085c83dad9c38e61493c8
                                        • Instruction ID: f57e98525a1777625ea2da6401992f5a9dc5e7943f4cafa337f216d6a4ebdd6a
                                        • Opcode Fuzzy Hash: 2b0c77aba27e502925fc0c0a1b17758c0b1d19aae76085c83dad9c38e61493c8
                                        • Instruction Fuzzy Hash: D9517130B102099FDB54DB64D990BAF77F6EBC9700F108569D90ADB388EE71DD428B91

                                        Control-flow Graph
                                        [Rendered control-flow graph not extracted: basic blocks in the range d0eb30-d0ecbd, with a call to d0e730 and a call to GlobalMemoryStatusEx; blocks were marked Executed / Not Executed in the figure.]
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2915778310.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_d00000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b24f87fe5a8d9db269724ed9177227b613353a3c14426576c083e2e23c1cb8df
                                        • Instruction ID: 1437a79f6eb41586ab648c5e1df4bc31084d16514903e79277fee39bad3736e4
                                        • Opcode Fuzzy Hash: b24f87fe5a8d9db269724ed9177227b613353a3c14426576c083e2e23c1cb8df
                                        • Instruction Fuzzy Hash: 5E412472D003999FCB10DFA9D8046EEBFF5EF99310F15866AD508A7281DB749845CBE0

                                        Control-flow Graph
                                        [Rendered control-flow graph not extracted: basic blocks in the range d0ec18-d0ecbd, with a call to GlobalMemoryStatusEx; blocks were marked Executed / Not Executed in the figure.]
                                        APIs
                                        • GlobalMemoryStatusEx.KERNELBASE ref: 00D0EC7F
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2915778310.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_d00000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID: GlobalMemoryStatus
                                        • String ID:
                                        • API String ID: 1890195054-0
                                        • Opcode ID: 87a012559da0cb1e9925702c539c498416d3aff8d91d94e5467d33c57cc7ef99
                                        • Instruction ID: 7de4fb52dc6184fc87981d0fa57bbf398b68f481b2005952084aeb072b2ce518
                                        • Opcode Fuzzy Hash: 87a012559da0cb1e9925702c539c498416d3aff8d91d94e5467d33c57cc7ef99
                                        • Instruction Fuzzy Hash: F11120B1C006599BCB10DF9AC548BDEFBF4EF48320F15812AE818B7280D378A944CFA5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2934787894.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_66b0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: XPiq
                                        • API String ID: 0-3497805733
                                        • Opcode ID: f244996493349f606704038d1c7d16ed33cee3e0076e978887b91303cdffcadd
                                        • Instruction ID: c5db070423e274369dd578bce2df67af01c8b9364d59be16d63417c2cc51d09c
                                        • Opcode Fuzzy Hash: f244996493349f606704038d1c7d16ed33cee3e0076e978887b91303cdffcadd
                                        • Instruction Fuzzy Hash: 65417270F002099FDB559FA9C814BAEBBF6FF89300F20852AE106AB395DF755C458B91
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2934787894.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_66b0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: PHdq
                                        • API String ID: 0-2991842255
                                        • Opcode ID: c469a98ed69b410a08cd74ef0bc7c3313e030e6e5c0475ada22b20acd73d31ab
                                        • Instruction ID: a4d346a23dd67aacfe5c3dbcfbb077b0848db9eb069df8e290d6577817501b66
                                        • Opcode Fuzzy Hash: c469a98ed69b410a08cd74ef0bc7c3313e030e6e5c0475ada22b20acd73d31ab
                                        • Instruction Fuzzy Hash: 3E418E70E00749DFDB65DFA5C4947AEBBB6EF85300F20592AE405EB340DB70A982CB81
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2934787894.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_66b0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: PHdq
                                        • API String ID: 0-2991842255
                                        • Opcode ID: 09fd820d2c412df12d4f750fc5498910789d652e92e5c2cc294b774b97e232a0
                                        • Instruction ID: f831a0ceade813279d7aebcf2a32a994e4f0e00aa284393c9433f926a50e1c3f
                                        • Opcode Fuzzy Hash: 09fd820d2c412df12d4f750fc5498910789d652e92e5c2cc294b774b97e232a0
                                        • Instruction Fuzzy Hash: 2E318F30B00205DFDB55AB74C5647AF7BEAAF89200F205429D406DB395DF75DE82CBA1
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2934787894.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_66b0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 08517fe2c6cdea28bb8e39a0a920548f5f5fe09e78b59814ac8e8701895f4bf9
                                        • Instruction ID: 0ac796abf7f957d71ec9ce7c95fa54d43fc148a66e7df6097e4335fe66a2f7bb
                                        • Opcode Fuzzy Hash: 08517fe2c6cdea28bb8e39a0a920548f5f5fe09e78b59814ac8e8701895f4bf9
                                        • Instruction Fuzzy Hash: 1E618F71F001218FDF549A6DC8806AFAADBEFD5220B254439E80EDB364DE75ED8287D1
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2934787894.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_66b0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b69ede33211646b9d1c865d21412bd9b645bbdf3293b2a48dd8f3c749af11cf8
                                        • Instruction ID: 11c2a5af9a83985ae14fa7edc4eca1cdf99e4a296f04ab24e152950fc00820ca
                                        • Opcode Fuzzy Hash: b69ede33211646b9d1c865d21412bd9b645bbdf3293b2a48dd8f3c749af11cf8
                                        • Instruction Fuzzy Hash: 2A814D30B006099FDF54DFA9D59469EBBF6EB89300F108529D40ADB399EF30DC828B91
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2934787894.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_66b0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 334e8c0f2d5ad1565668241b6b044d4ebc43ce723d8f2f7b428d3667d523222d
                                        • Instruction ID: e06a82c8b7acdd9bf99a62843ea90c8da3ffe7387be33dce8df0ea343a0aa87f
                                        • Opcode Fuzzy Hash: 334e8c0f2d5ad1565668241b6b044d4ebc43ce723d8f2f7b428d3667d523222d
                                        • Instruction Fuzzy Hash: 59913E30E002599FDF60DF68C850BDDB7B1FF89310F20859AD549AB395DB70AA85CB91
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2934787894.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_66b0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bf6b6a1cfba36876fdaad796206fe2dc5bca9d85d81004085fbd0bfe1fd5e490
                                        • Instruction ID: a71ca1a69713d69119e8c00e10fe4651f9830a25e0d193a4883a8b51518f1125
                                        • Opcode Fuzzy Hash: bf6b6a1cfba36876fdaad796206fe2dc5bca9d85d81004085fbd0bfe1fd5e490
                                        • Instruction Fuzzy Hash: 77912B70E102199BDF60DF68C850BDDB7B1FF89310F208599E54DAB395EB70AA858B90
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2934787894.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_66b0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 168a97ab31a0646473781f571730d5fa7ecf30ffdc5ba143e004e93cc6d0631b
                                        • Instruction ID: 0af27946d8304cbc9dd88353d634368ac07efd6f0d6853e1a39e2e625d644ec4
                                        • Opcode Fuzzy Hash: 168a97ab31a0646473781f571730d5fa7ecf30ffdc5ba143e004e93cc6d0631b
                                        • Instruction Fuzzy Hash: 3E713C74E002089FCB54DFA8D990ADEBBF6FF88300F149429E40A9B355DB71E986CB50
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2934787894.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_66b0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 14eb1fb76635ee8da117909f9b79544179cf9ce88dd33bdfc3368bfc54b55678
                                        • Instruction ID: 31236c9346ae7d22a4df6bb8fe833d2102fd0164316260b94cc7dfdea00711c7
                                        • Opcode Fuzzy Hash: 14eb1fb76635ee8da117909f9b79544179cf9ce88dd33bdfc3368bfc54b55678
                                        • Instruction Fuzzy Hash: 04711B70A002099FCB54DFA8D990ADEBBF6EF88340F149529E409DB355DB71ED86CB50
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2934787894.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_66b0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7fcd3dd392bc3540b480e83aa86721eb89b4ae949ef5d167df5acf515c1d6712
                                        • Instruction ID: 50a9405f8432eae16367299d93d98aa0bb418e24fb017d0f1ff29ca2ab387af5
                                        • Opcode Fuzzy Hash: 7fcd3dd392bc3540b480e83aa86721eb89b4ae949ef5d167df5acf515c1d6712
                                        • Instruction Fuzzy Hash: C751D231E00105DFDB64EB78EC947EDBBB2EB84315F20886AE106D7361DB318996CB81
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2934787894.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_66b0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 07a3ee334d8abafc472562286d16f5f8a05513942fb729e6b7c72d5980119050
                                        • Instruction ID: 65f013dd839b4cf8b1d7bb512db5ecda6eabefb36c0d6b2b31ab41f20c67a1e1
                                        • Opcode Fuzzy Hash: 07a3ee334d8abafc472562286d16f5f8a05513942fb729e6b7c72d5980119050
                                        • Instruction Fuzzy Hash: 6351C470B20214DBEF64666CDC907AF269AE789311F20452AE50EC73A5CF3DCCC257A2
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2934787894.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_66b0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 84f0aa4f33408b8736d5258c91a06da766741020ee890d8bb775e80343cdb9d4
                                        • Instruction ID: 9d9d9208326f1eda82b1ee97da74ebc8719af578217d45018dd3e878e90e74b0
                                        • Opcode Fuzzy Hash: 84f0aa4f33408b8736d5258c91a06da766741020ee890d8bb775e80343cdb9d4
                                        • Instruction Fuzzy Hash: AF51B470B20214DBEF64666CDC947AF269AE789351F20452AE50EC33A5CF7DCCC257A2
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2934787894.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_66b0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b119b0a68736543a08b05e0686092c1afc82f809bc56c5e24636f37285662696
                                        • Instruction ID: fb13f2084fca5e8ce1a0578368d47f3f628052c05dc50f52c6a5dcbefe4cad73
                                        • Opcode Fuzzy Hash: b119b0a68736543a08b05e0686092c1afc82f809bc56c5e24636f37285662696
                                        • Instruction Fuzzy Hash: C1416072E00609CFDF70CEA9D881AEFFBB2EB45311F10492AE156D7250D330E9958B95
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2934787894.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_66b0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 04280bb9bb36174ba45a723dd4816cff8a45f0209a45d6f7df66ccc33298bff8
                                        • Instruction ID: 97ec83e62da28ee11e5d1ca94b549f79c693af4b6cfe774aead96c90efaf23a9
                                        • Opcode Fuzzy Hash: 04280bb9bb36174ba45a723dd4816cff8a45f0209a45d6f7df66ccc33298bff8
                                        • Instruction Fuzzy Hash: C2419D75E00205CBDB618F69C480AFEFBB2FB45310F24D92AE55ADB391D634E981CB91
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2934787894.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_66b0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 66a374de075843b741ee88a4e3061159bd69226182591ddc4d003d558307f3c1
                                        • Instruction ID: 05611360159f2a921bdd9d7360c18fd8f8a52131f629739afdcad8d68610eaaf
                                        • Opcode Fuzzy Hash: 66a374de075843b741ee88a4e3061159bd69226182591ddc4d003d558307f3c1
                                        • Instruction Fuzzy Hash: 54316E30E102059FCB55CF64C8A4AEEB7F6EF89310F148529E906EB754DB71AD82CB40
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2934787894.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_66b0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f4f47489db10dc393a9f773fc0398baa64ea1c74cc0ed4f28aa581156c0760f7
                                        • Instruction ID: aa3ab6932cd1cb340cba7a21cd54e9ff1f0e207076a0c389acdd6f56ed8b5733
                                        • Opcode Fuzzy Hash: f4f47489db10dc393a9f773fc0398baa64ea1c74cc0ed4f28aa581156c0760f7
                                        • Instruction Fuzzy Hash: 00315E30E10606DFCB55DF65C8A4AAEB7F6EF89300F148529E906EB354DB71AD82CB50
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2934787894.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_66b0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 752bd319ea0da7d11379180fb6f9720a50148df46e93b096df3fc6c5c7b0e7a7
                                        • Instruction ID: 5103da03667aa8b83e9a4f4eb42b5e1d714a13384aa86c776d68c05b8c5b5062
                                        • Opcode Fuzzy Hash: 752bd319ea0da7d11379180fb6f9720a50148df46e93b096df3fc6c5c7b0e7a7
                                        • Instruction Fuzzy Hash: 55219C34F016149FDB40DF68E980AEEBBF5EB48710F008029E905E7358E730D8828BA0
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2934787894.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_66b0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3097fca450992a91ab704c2bdf3d7d289ffd36804dc68fbd29c1989566eb662f
                                        • Instruction ID: 6d3ccc77ac38c238a00e79f06a627790059612198389d036faeeff6c46a1b8b9
                                        • Opcode Fuzzy Hash: 3097fca450992a91ab704c2bdf3d7d289ffd36804dc68fbd29c1989566eb662f
                                        • Instruction Fuzzy Hash: 04219A35F016159FDB40DFA9D980AEEBBF1EB88310F108529E906E7358E734D841CB90
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2915430645.0000000000CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBD000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_cbd000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8b42aa3d90c706331691f89a50c0d48b63acc8c339ca0d6c15d51483f5942568
                                        • Instruction ID: ab822c70bcf3b4f4d0ce501636305f202a97820af8c0a801b2abaa81aa9b0742
                                        • Opcode Fuzzy Hash: 8b42aa3d90c706331691f89a50c0d48b63acc8c339ca0d6c15d51483f5942568
                                        • Instruction Fuzzy Hash: 45314F3554E3C09FDB03DB24D9A4745BF71AB47214F19C5DBD8898F1A3C23A980ACB62
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2915430645.0000000000CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBD000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_cbd000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 629b888e0340448f940ffcf1e997c4f91bd9bf2fcec9fedac615d21f06f2a369
                                        • Instruction ID: f9f7be98648d798cdc149a45c6334ce9ef7aca30d843d0d64f7b45bccc3e8b1a
                                        • Opcode Fuzzy Hash: 629b888e0340448f940ffcf1e997c4f91bd9bf2fcec9fedac615d21f06f2a369
                                        • Instruction Fuzzy Hash: 7B2123B1604384EFDB05DF14D9C4B66BBA5FB94324F24C669E80B0B241D37ADC06CB62
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2915430645.0000000000CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBD000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_cbd000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b2a7f66b545fa66f9898f123c89097007e8f86cf2ae9cf538d3211e1fd1584d2
                                        • Instruction ID: 0e6751c46b44e125458bf9d903834c3b2807a77b9034ddf8992a9024f71d1b3c
                                        • Opcode Fuzzy Hash: b2a7f66b545fa66f9898f123c89097007e8f86cf2ae9cf538d3211e1fd1584d2
                                        • Instruction Fuzzy Hash: 9C21F575604204DFCB04DF14D5C4B66BBA5FB94314F24C96DD90B4B292D376E846CE61
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2915430645.0000000000CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBD000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_cbd000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 54575ec934fe138807b95fe64692ed87f50475d7f811bad752f6059776a78874
                                        • Instruction ID: 9e3d26909494def42f96686be870a856ff739b9caab6b70e88b7d0200ae293e9
                                        • Opcode Fuzzy Hash: 54575ec934fe138807b95fe64692ed87f50475d7f811bad752f6059776a78874
                                        • Instruction Fuzzy Hash: 81210771604204DFCB14EF14E9C4B66BBA5FB94314F24C96DE84B4B341D73AD846CB62
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2934787894.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_66b0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 07ded8d760558fff339d218b07b851fb2d690998c2004f02c53d4ad0dfa04f02
                                        • Instruction ID: e05896405aac6020e6326d579976a8753d4f6102b67546f614dd0a151a5ab44d
                                        • Opcode Fuzzy Hash: 07ded8d760558fff339d218b07b851fb2d690998c2004f02c53d4ad0dfa04f02
                                        • Instruction Fuzzy Hash: 4F217F30B10119DBDF94EA69E9547EEBBB6EBC4310F249429E405DB344DB31ED928BC4
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2934787894.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_66b0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1c862380cf3266f7bcd34cd65c8e22be8553eecca9e002f0506c2743f757d9a0
                                        • Instruction ID: 10b79229c2c7810fbb66fcb1ab687ad1481d317805b7466b77daf7a12ad59e94
                                        • Opcode Fuzzy Hash: 1c862380cf3266f7bcd34cd65c8e22be8553eecca9e002f0506c2743f757d9a0
                                        • Instruction Fuzzy Hash: 4911F530B041104FDB619ABDC454B6FBBD6DBC6710F18887AF10ACB34ADD21DC824391
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2934787894.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_66b0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 383b5006179dc2bb21835693cce4a64d42fa320492caa24fa05d06de5f614499
                                        • Instruction ID: e2600e795aa62607854c5d5b2c0684f8f78b9228a0bcb418919ac75db7d8538a
                                        • Opcode Fuzzy Hash: 383b5006179dc2bb21835693cce4a64d42fa320492caa24fa05d06de5f614499
                                        • Instruction Fuzzy Hash: 8A118E31B040289FDB849AA8D8106EF77EBEBC8610F108139C90AE7354EF74DC128BD1
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2934787894.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_66b0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1d0fed3332a5abf974de64f6bd4bd19f5205cfd9e23334d81f391aefb42e98fa
                                        • Instruction ID: 35ebdd5aa8fdc9e6f45eb93492c2e3fe3a8bedb65fa2e2a04fee327e989abad0
                                        • Opcode Fuzzy Hash: 1d0fed3332a5abf974de64f6bd4bd19f5205cfd9e23334d81f391aefb42e98fa
                                        • Instruction Fuzzy Hash: 3E21D0B5901659ABCB10DF9AD885ACEFFB8FB49310F10822AE918B3340D774A554CBA5
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2934787894.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_66b0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b702130b3662121c5319d91f5c807d3e30afe59fa785e94bc848720396e6f1fe
                                        • Instruction ID: e0ff2c5cd0aa4a9de70f738c7cbe7706758f82fc86d0428802ceceabf9de83a2
                                        • Opcode Fuzzy Hash: b702130b3662121c5319d91f5c807d3e30afe59fa785e94bc848720396e6f1fe
                                        • Instruction Fuzzy Hash: 07012430B002108FC761AA78D968B9F77E6EB8A710F10882AF10ACB354EE21DC428391
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2934787894.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_66b0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e954183f0640e725b1652a088f9ad1b582505595f79d23eb89987ff1afad7167
                                        • Instruction ID: 537f1c2ec641e34b864174100bea1ca025ecf95e60f110a63897e4a828663599
                                        • Opcode Fuzzy Hash: e954183f0640e725b1652a088f9ad1b582505595f79d23eb89987ff1afad7167
                                        • Instruction Fuzzy Hash: 3601F231F141504FCBA19A7DD864BAFB7E6DBC9620F14882AF60ACB342DA62DD4243D5
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2915430645.0000000000CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBD000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_cbd000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 118f051af2fa4d3b71157da4c1d703aecab942a5cdb4903c1e78cbe3821e71d1
                                        • Instruction ID: 23a19dc15253aface27461c4e54e6c2ab344166efa1feced8e7dca4c2f0828da
                                        • Opcode Fuzzy Hash: 118f051af2fa4d3b71157da4c1d703aecab942a5cdb4903c1e78cbe3821e71d1
                                        • Instruction Fuzzy Hash: 73119D76504284DFDB12CF14D5C4B56BB61FB84324F24C6AAD84A4B656C33AD90ACBA2
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2915430645.0000000000CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBD000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_cbd000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                                        • Instruction ID: b15c80abd521a4a973ae49cce5b5111d580eda646896a17042faa243c94a4eca
                                        • Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                                        • Instruction Fuzzy Hash: 2C118B75504280DFDB05CF14D5C4B55BBA2FB84324F24C6AAD84A4B696C33AE94ACFA1
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2934787894.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_66b0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 34667e3a79d6df5a4a5588bb9cfb4f5cdffaa5e1394c123c3440961272a63b1a
                                        • Instruction ID: 4fc3d6f1ba10bf13c1c04bedda3766cbf78b11aad9ac89664a9665fc8f9e9cc8
                                        • Opcode Fuzzy Hash: 34667e3a79d6df5a4a5588bb9cfb4f5cdffaa5e1394c123c3440961272a63b1a
                                        • Instruction Fuzzy Hash: EC01B131B140286BDB949AA9D8106EF7AABDBC9610F10413AD50AE7344EF60CC0247D1
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2934787894.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_66b0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 38b047484745467f1b6b1c35a2e6e80963f4541ee7584c2f0d423da5781d4c74
                                        • Instruction ID: 4df9d91c4bee6f242fd1695784663e0b70a66ce93d0a691c4f753dcc986c0232
                                        • Opcode Fuzzy Hash: 38b047484745467f1b6b1c35a2e6e80963f4541ee7584c2f0d423da5781d4c74
                                        • Instruction Fuzzy Hash: E411CEB1D01259ABCB00DF9AD884ACEFBB4FB48310F10822AE918B7340D374A954CBA5
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2934787894.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_66b0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 62ca99896a949e3ee9ea49ba8efffb3f27cdb3befb2db79364c4c57e08273a42
                                        • Instruction ID: 4cd10f011e268abda683151be59d30f4dbba947066621cd48e9de0088ec2bfd6
                                        • Opcode Fuzzy Hash: 62ca99896a949e3ee9ea49ba8efffb3f27cdb3befb2db79364c4c57e08273a42
                                        • Instruction Fuzzy Hash: F9018135B101204BDBA49AADD454B6FB7DADBC9B20F14883AF10AC734ADD61DC824395
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2934787894.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_66b0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ec548876ac7543544d567eb50fb20fe86bd234b6bc26b2654cf5ae86bf5e1b06
                                        • Instruction ID: 9899de533e6ca42ad70a68983d89505ccc35f8d2bc2cde79fe6e982c23754bac
                                        • Opcode Fuzzy Hash: ec548876ac7543544d567eb50fb20fe86bd234b6bc26b2654cf5ae86bf5e1b06
                                        • Instruction Fuzzy Hash: 28010470A083448FDB91DB78EC107EEBBF5EB86204F1041AAD448D7296EB309941CB92
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2934787894.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_66b0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a1ff44ad266aa01d59088eec69a07239619bbca0a4f4e7930d364244e5e7c121
                                        • Instruction ID: 138def2d2423d2459005347104469210fa3a0f5ddf0c39c02101bf7340be1d13
                                        • Opcode Fuzzy Hash: a1ff44ad266aa01d59088eec69a07239619bbca0a4f4e7930d364244e5e7c121
                                        • Instruction Fuzzy Hash: A1018C31F100118BCBA49A7DD464BAF63D6DBC9A61F10882AF20AC7345DE62DC434395
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2934787894.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_66b0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a64b8aedfec4f09b9435ca0f693a80684b8ac1a0f53860fd09d083ed9ba762a2
                                        • Instruction ID: c948d4b6042406a2835b9ce2aa2997f40ecdcf32d60c03bb12da36f6f2a162fa
                                        • Opcode Fuzzy Hash: a64b8aedfec4f09b9435ca0f693a80684b8ac1a0f53860fd09d083ed9ba762a2
                                        • Instruction Fuzzy Hash: 30014431F105148FDB90EA6DD564B6F73D6E78A711F108829F50BCB354EE21DD428790
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2934787894.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_66b0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d16256ec47113961e946c863027caac288dfbe6e0a958ad042ffe2c4041970b2
                                        • Instruction ID: d804a7ff101cbba785042da8f72eeb5e89afb310ddfdd0db9cf29398e718e54c
                                        • Opcode Fuzzy Hash: d16256ec47113961e946c863027caac288dfbe6e0a958ad042ffe2c4041970b2
                                        • Instruction Fuzzy Hash: 19F05EB4A002058FD780EB7888512AEBBF6EB89201F1041799409D3259EB709942CBE1
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2934787894.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_66b0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7bc548ce4dfac49bafa4dfaf8abeeb24d5265c2290165c95048ea7281aa0004c
                                        • Instruction ID: a1c7297413e9c82994f75a073aaf7ebc7b3551071e675dc481b3f88ead526d72
                                        • Opcode Fuzzy Hash: 7bc548ce4dfac49bafa4dfaf8abeeb24d5265c2290165c95048ea7281aa0004c
                                        • Instruction Fuzzy Hash: 4FE09B71E15285E7DB61DE74D95578A7BB9D701204F20C8B6D404C7242E576DA818391
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2934787894.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_66b0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $dq$$dq$$dq$$dq$$dq$$dq$$dq$$dq$$dq$$dq
                                        • API String ID: 0-3623093008
                                        • Opcode ID: af776a4618215e7f2a80b7e974515b3e96ac866420c46390e36c796a55b27a53
                                        • Instruction ID: b40de5886aced54e037fbb342a7b0f3234560c22bdf5985c67150d22ca0ee415
                                        • Opcode Fuzzy Hash: af776a4618215e7f2a80b7e974515b3e96ac866420c46390e36c796a55b27a53
                                        • Instruction Fuzzy Hash: 7012F970E01219CFDB64DF65D954AAEBBB2FF88301F209569D40AAB365DB309D81CF90
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2934787894.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_66b0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $dq$$dq$$dq$$dq$$dq$$dq$$dq$$dq
                                        • API String ID: 0-634254105
                                        • Opcode ID: 7768890bd12d036244f12f0d62c26f27f075f0bbacfbe065cdaabca47e2a7e47
                                        • Instruction ID: 7246299ea7a7e7fcb83a4e7e827f81301bb3d83d3a2f33e9342ee40159d2dc94
                                        • Opcode Fuzzy Hash: 7768890bd12d036244f12f0d62c26f27f075f0bbacfbe065cdaabca47e2a7e47
                                        • Instruction Fuzzy Hash: 17917030A10309DFDB64EFA4D995BAE7BB2EF44301F209529E4069B395DB359D82CB90
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2934787894.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_66b0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: .5|q$$dq$$dq$$dq$$dq$$dq$$dq
                                        • API String ID: 0-3447281907
                                        • Opcode ID: 72c8b9fb770dbb35f7b8727a0e80312bd0d429496e677f35fef0705753067e8b
                                        • Instruction ID: 03f026d87e8e46481c46dada3c8f6753d35836c50aa457f63c02e4959976105c
                                        • Opcode Fuzzy Hash: 72c8b9fb770dbb35f7b8727a0e80312bd0d429496e677f35fef0705753067e8b
                                        • Instruction Fuzzy Hash: 40F11D30A01209DFDB54EF69D594BAEBBB2FF84301F248569D40A9B399DB35DC82CB50
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2934787894.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_66b0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $dq$$dq$$dq$$dq
                                        • API String ID: 0-185584874
                                        • Opcode ID: e19ed3803bcb3ffb22c577b328e892e0f9cbbe08b3249a7c55d63387262e3311
                                        • Instruction ID: 9a8fd6279cae7043e11846002b6a1ca2fa9471447da82b2d598ed0c8832a42d9
                                        • Opcode Fuzzy Hash: e19ed3803bcb3ffb22c577b328e892e0f9cbbe08b3249a7c55d63387262e3311
                                        • Instruction Fuzzy Hash: A3B15B30A10218CFDB54EF69C59079EBBB6EF84305F24982DE40A9B395DB74DC82CB90
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2934787894.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_66b0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: LRdq$LRdq$$dq$$dq
                                        • API String ID: 0-340319088
                                        • Opcode ID: 6a88ea5356cb61b5524d2c6c7dc94314f34d85a67eda198a88e741d7f172f292
                                        • Instruction ID: 9cd54427e5cd25939638de7dee61dd2dfd4dc790e63d5b7efc7bcd0a02f5a327
                                        • Opcode Fuzzy Hash: 6a88ea5356cb61b5524d2c6c7dc94314f34d85a67eda198a88e741d7f172f292
                                        • Instruction Fuzzy Hash: 7151A430B00205DFDB54EB28D990AAA77E6FF85314F14996DE4169B395DB30EC81CB91
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2934787894.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_66b0000_aBYKwaZ.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $dq$$dq$$dq$$dq
                                        • API String ID: 0-185584874
                                        • Opcode ID: 6f037d03ea351a441707467942e1b9a6bfcbb6b648d60c8faeaaae1ee6a9a608
                                        • Instruction ID: c68353a6e24a3fa961dbf12b05f6cb2d49ce57b5886eab152dc4a7d0bb86e92f
                                        • Opcode Fuzzy Hash: 6f037d03ea351a441707467942e1b9a6bfcbb6b648d60c8faeaaae1ee6a9a608
                                        • Instruction Fuzzy Hash: EC51A530E11204DFDFA5EBA4E5906EE77B6EB89311F109529E806DB345DB31DC82CB91